I have a CP gateway that has built two VPN tunnels to two branch offices, as below:
Main Office: FW01 (CP 6000), VPN domain is 172.17.0.0/24
Office A: FW02 (SMB 1595), VPN domain is 192.168.1.0/24
Office B: FW03 (3rd party GW), VPN domain is 192.168.1.3/24
Two star VPN communities were created:
VPN_Community_A: contains FW01 and FW02
VPN_Community_B: contains FW01 and FW03
Each gateway is managed separately.
After setup, the tunnels are up and the VPN works. However, we found that sometimes the VPN between FW01 and FW02 is unstable; it may drop a few packets each day. No such issue was found in the VPN between FW01 and FW03. We had checked all the settings, and all look fine.
The vpn tu tlist output shows ***Eclipsed*** and ***Narrow*** for the VPN tunnels between FW01 and FW02. According to sk166417, this is usually caused by a mismatch in the configuration of the VPN with the peer, particularly the "VPN Domain" section on both sides. We checked the VPN domain section several times and ensured there is no overlap or mismatch.
Since FW01's VPN domain is used in two VPN communities, does that cause the issue? Can't I use the same VPN domain in two different communities? Any hints will be appreciated.
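The check worth automating here is the one sk166417 points at: whether any two VPN domains that a gateway must keep apart overlap. In a star setup the hub's peers across all communities have to be mutually disjoint as well, not just the members of one community, because the hub picks the tunnel from the destination prefix alone. The script below is an added example, not code from the thread or from Check Point; it takes the three gateways and two communities exactly as written in the post (including 192.168.1.3/24, which the thread never confirms as the real Office B domain or a typo), reports every overlapping pair and how the two prefixes relate, and also runs a hypothetical disjoint alternative for Office B that is constructed for contrast only.

```python
import ipaddress
from itertools import combinations

# Constructed input, copied from the post as written. Whether 192.168.1.3/24 is
# the real Office B domain or a typo in the post is not settled in the thread;
# ip_network(strict=False) silently drops the host bits, as a gateway would.
GATEWAYS = {
    "FW01": ["172.17.0.0/24"],    # main office, hub in both communities
    "FW02": ["192.168.1.0/24"],   # Office A
    "FW03": ["192.168.1.3/24"],   # Office B, as written in the post
}
COMMUNITIES = {
    "VPN_Community_A": ["FW01", "FW02"],
    "VPN_Community_B": ["FW01", "FW03"],
}

# Hypothetical disjoint alternative for Office B, constructed for contrast only.
GATEWAYS_DISJOINT = dict(GATEWAYS, FW03=["192.168.3.0/24"])


def pairs_that_must_be_disjoint(communities):
    """Gateway pairs whose VPN domains must not overlap.

    Members of one community must be disjoint from each other, and so must
    any two peers of a gateway that sits in several communities: that gateway
    selects the tunnel for a packet by destination prefix alone, so two peers
    claiming the same prefix leave one of them unreachable through its tunnel.
    """
    peers_of = {}
    for members in communities.values():
        for gw in members:
            peers_of.setdefault(gw, set()).update(m for m in members if m != gw)
    pairs = set()
    for gw, peers in peers_of.items():
        for p in peers:
            pairs.add(tuple(sorted((gw, p))))          # gateway vs. its peer
        for a, b in combinations(sorted(peers), 2):
            pairs.add((a, b))                          # peer vs. peer via the hub
    return sorted(pairs)


def relation(a, b):
    """Describe how two overlapping networks relate, a relative to b."""
    if a == b:
        return "identical to"
    if a.subnet_of(b):
        return "narrower than"
    if b.subnet_of(a):
        return "wider than"
    return "partially overlaps"


def find_overlaps(gateways, communities):
    """Return (gw1, net1, gw2, net2, relation) for every overlapping pair.

    Original strings are kept in the result so a domain entered with host
    bits set (like 192.168.1.3/24) is reported the way it was configured.
    """
    parsed = {
        gw: [(n, ipaddress.ip_network(n, strict=False)) for n in nets]
        for gw, nets in gateways.items()
    }
    found = []
    for g1, g2 in pairs_that_must_be_disjoint(communities):
        for s1, n1 in parsed[g1]:
            for s2, n2 in parsed[g2]:
                if n1.version == n2.version and n1.overlaps(n2):
                    found.append((g1, s1, g2, s2, relation(n1, n2)))
    return found


if __name__ == "__main__":
    for label, data in (("as posted", GATEWAYS), ("disjoint alternative", GATEWAYS_DISJOINT)):
        hits = find_overlaps(data, COMMUNITIES)
        print(f"[{label}] {len(hits)} overlapping VPN domain pair(s)")
        for g1, s1, g2, s2, rel in hits:
            print(f"  {g1} {s1} is {rel} {g2} {s2}")
```

Run as posted, the script flags FW02 192.168.1.0/24 against FW03 192.168.1.3/24 as identical prefixes, which is exactly the configuration sk166417 describes as producing eclipsed and narrow entries; with the constructed 192.168.3.0/24 alternative it reports nothing. The same pair list is what you would walk through by hand in SmartConsole or on the third-party gateway when the printed domains look different but normalize to the same network.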
That's not an issue mate, people use the same VPN domain in 20 VPN communities, seen it before, no worries there. Just curious, are both tunnels set as permanent in the VPN communities?
Best,
Andy
The VPN for FW01 and FW02 is permanent. VPN for FW01 and FW03 not permanent.
I think you mistyped: you said FW01 and FW02 twice. I guess you meant FW03 in one of those, but I'm not sure which one.
Andy
Oh, yes. My typo: FW01 and FW02 is the permanent VPN. FW01 and FW03 is not permanent.
Here is my suggestion...
1) Set the tunnel with the issue up the same as the one that works fine, install policy, observe
If no luck, then
2) Turn off VPN accel, observe
If still no luck, maybe run a simple vpn debug (it can be left running for a long time) and have a quick look; if nothing obvious, maybe open a TAC case
debug:
vpn debug trunc (rotates vpn debug files)
vpn debug ikeon
- generate some traffic
Leave the debug on for even 48 hours
Get the vpnd.elg* and ike* files from the $FWDIR/log dir
to turn off debug:
fw ctl debug -x
fw ctl debug 0
All commands are in expert mode
Best,
Andy
I ran vpn debug and used IKEView to look at the debug files. The 6 packets in Main Mode and 3 packets in Quick Mode are all fine. The tunnels are all up and running, but just occasionally lose some packets and then resume shortly after. I will see whether turning off VPN accel helps or not. Thanks.
Sounds good!
On a side note, you can try turning off SecureXL to see if it fixes the issue, OR just do VPN accel, as per below.
Andy
Yes, I also saw this post. Maybe I'll turn off VPN accel between FW01 and FW02. But I wonder what the impact of turning off VPN accel is? Thanks.
Personally, I have done it probably 50 times at least, no issues. To be 100% sure, I would do it after hours. It does not affect much else apart from the tunnel and, from all I have seen, the most I would say it affects the speed is maybe 5%, that's it.
Andy