This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
zsszlama
Explorer
‎2022-03-10 04:19 AM

S2S and C2S VPN disconnection after policy install

Jump to solution

Our customer has an MDS server managing 15 CMAs. Each CMA has its own SG and SG cluster. There is a mesh global VPN community between the managed SGs/SG clusters, so there is a S2S VPN between those Check Point Security Gateway peers.

Along with the MDS, there is a Multi-Domain Log Server (MLM) installed.

The MDS, MLM and the SGs have been running on version R80.40 and R80.40 JHF Take_139

Our customer experiences that some S2S and C2S VPN connections break after policy installation but in a few minutes the VPN connections are reestablished by itself (all peer gateways are Check Point products). However there was a case where only a cluster node change helped to solve the issue which was forced by the customer, in that case the peer was in the azure environment and it was not affecting the rest of the S2S VPNs. Unfortunately this behavior is completely random, it doesn’t happens after every policy installation and we are not able to directly reproduce it.

As it's hard to reproduce this issue we don't see point of to create a maintenance window to debug.

Do you have any idea/suggestion which we could try out to find the root cause of this behavior?

Thanks in advance!

Zsolt

0 Kudos
1 Solution

Accepted Solutions
the_rock
Champion
Champion
‎2022-03-10 04:48 AM

Jump to solution

What @Chris_Atkinson Chris gave you is always what TAC would recommend, but also, I had seen in the old days, enable the setting on the gateways properties under connection persistence to keep all connections, that used to fix this sort of an issue as well.

Below is what Im referring to:

Screenshot_1.png

View solution in original post

0 Kudos
5 Replies
Chris_Atkinson
Employee
Employee
‎2022-03-10 04:30 AM

Jump to solution

sk142355 (keep_ike_sa) and reviewing connection persistence settings (topology dependent) are often the starting point. Is this something that you've been working on with TAC?

0 Kudos
the_rock
Champion
Champion
‎2022-03-10 04:48 AM

Jump to solution

What @Chris_Atkinson Chris gave you is always what TAC would recommend, but also, I had seen in the old days, enable the setting on the gateways properties under connection persistence to keep all connections, that used to fix this sort of an issue as well.

Below is what Im referring to:

Screenshot_1.png

0 Kudos
zsszlama
Explorer
‎2022-03-10 11:42 PM
In response to the_rock

Jump to solution

In our case it was the opposite. 🙂 TAC suggested the connection persistence change and we haven't hear of sk142355.

The connection persistence change seems logic but unfortunately I don't see what is the downside of the setting yet. What are the consequences if we do that?  

0 Kudos
PhoneBoy
Admin
Admin
‎2022-03-10 11:22 AM

Jump to solution

There are some enhancements in R81.20 that should help this.
That doesn’t help you now, of course.
That said even R81.10 (widely recommended release) should help with separate S2S and C2S VPN daemons.

0 Kudos
zsszlama
Explorer
‎2022-03-10 11:44 PM
In response to PhoneBoy

Jump to solution

Thanks! The R81.10 upgrade is scheduled to Q2 so we have a lot of time until that. 😉

0 Kudos