Andy1977
Explorer

Site to Site VPN tunnel is narrowed

I have a CP gateway that built two VPN tunnels to two branch offices as below:

Main Office: FW01 (CP 6000), VPN domain is 172.17.0.0/24

Office A: FW02 (SMB 1595), VPN domain is 192.168.1.0/24

Office B: FW03 (3rd party GW), VPN domain is 192.168.1.3/24

Two star VPN communities were created:

VPN_Community_A: contains FW01 and FW02

VPN_Community_B: contains FW01 and FW03

Each gateway is managed separately.

After setup, the tunnels are up and the VPN works. However, we found that the VPN between FW01 and FW02 is sometimes unstable; it may drop a few packets each day. No such issue was found on the VPN between FW01 and FW03. We have checked all the settings and all look fine.

The vpn tu tlist output shows ***Eclipsed*** and ***Narrow*** for the VPN tunnels between FW01 and FW02. According to sk166417, this is usually caused by a mismatch in the VPN configuration with the peer, particularly the "VPN Domain" section on both sides. We checked the VPN domain section several times and ensured there is no overlap or mismatch.

Since FW01's VPN domain is used in two VPN communities, could that be causing the issue? Can't I use the same VPN domain in two different communities? Any hints will be appreciated.

0 Kudos
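An added example, not the poster's configuration or any Check Point tool: a small checker for the VPN-domain overlap that sk166417 names as the usual cause of Eclipsed/Narrow tunnels. It takes the three VPN domains and two communities exactly as typed in the post (constructed input), normalises each domain to its network, and reports any pair of domains that overlap from the point of view of a gateway that has to route into both. Note that 192.168.1.3/24, as written, normalises to 192.168.1.0/24 and therefore overlaps Office A's domain; the code only checks the numbers as written.

```python
from ipaddress import ip_network

# VPN domains and communities as stated in the thread (constructed input,
# not read from any live gateway).
GATEWAYS = {
    "FW01": ["172.17.0.0/24"],
    "FW02": ["192.168.1.0/24"],
    "FW03": ["192.168.1.3/24"],
}
COMMUNITIES = {
    "VPN_Community_A": ["FW01", "FW02"],
    "VPN_Community_B": ["FW01", "FW03"],
}


def host_bits_set(gateways):
    """Domains written with host bits set (e.g. 192.168.1.3/24) are a hint
    that a host address was pasted where a subnet was meant."""
    bad = []
    for gw, cidrs in gateways.items():
        for cidr in cidrs:
            try:
                ip_network(cidr)  # strict=True raises on host bits
            except ValueError:
                bad.append((gw, cidr))
    return bad


def normalise(gateways):
    """Map each gateway to its VPN domain networks, host bits cleared."""
    return {gw: [ip_network(c, strict=False) for c in cidrs]
            for gw, cidrs in gateways.items()}


def find_overlaps(gateways, communities):
    """For every gateway, collect its own domain plus every peer domain it
    must encrypt to across all communities it belongs to, then report any
    two domains from different gateways that overlap.  Such a pair is the
    ambiguity that makes a peer narrow or eclipse a tunnel."""
    nets = normalise(gateways)
    findings = []
    for gw in nets:
        members = {m for name, ms in communities.items() if gw in ms for m in ms}
        items = sorted((m, n) for m in members for n in nets[m])
        for i, (m1, n1) in enumerate(items):
            for m2, n2 in items[i + 1:]:
                if m1 != m2 and n1.overlaps(n2):
                    findings.append((gw, m1, str(n1), m2, str(n2)))
    return findings


if __name__ == "__main__":
    print("host bits set:", host_bits_set(GATEWAYS))
    for f in find_overlaps(GATEWAYS, COMMUNITIES):
        print("overlap seen from %s: %s %s <-> %s %s" % f)
```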
10 Replies
the_rock
Legend

That's not an issue mate, people use the same VPN domain in 20 VPN communities, seen it before, no worries there. Just curious, are both tunnels set as permanent in the VPN communities?

Best,

Andy

0 Kudos
Andy1977
Explorer

The VPN for FW01 and FW02 is permanent. The VPN for FW01 and FW03 is not permanent.

0 Kudos
the_rock
Legend

I think you mistyped, you said fw1 and fw2 twice, I guess you meant fw03 in one of those, but not sure which one.

Andy

0 Kudos
Andy1977
Explorer

Oh, yes. My typo: FW01 and FW02 is the permanent VPN. FW01 and FW03 is not permanent.

0 Kudos
the_rock
Legend

Here is my suggestion...

1) Set the tunnel with the issue the same as the one that works fine, install policy, observe.

If no luck, then

2) Turn off VPN accel, observe.

If still no luck, maybe run a simple VPN debug (it can be left running for a long time) and have a quick look; if nothing obvious, maybe open a TAC case.

debug:

vpn debug trunc (rotates vpn debug files)

vpn debug ikeon

- generate some traffic

Leave debug for even 48 hours

get the vpnd.elg* and ike* files from the $FWDIR/log dir

to turn off debug:

fw ctl debug -x

fw ctl debug 0

All commands are in expert mode

Best,

Andy

0 Kudos
Andy1977
Explorer

I ran vpn debug and used IKEView to look at the debug files. The 6 packets in Main Mode and 3 packets in Quick Mode are all fine. Tunnels are all up and running, but just occasionally lose some packets and then resume shortly after. I will see if turning off VPN accel helps or not. Thanks.

0 Kudos
the_rock
Legend

sounds good!

0 Kudos
the_rock
Legend

On a side note, you can try turning off SecureXL to see if it fixes the issue OR just do VPN accel, as per below.

Andy

https://support.checkpoint.com/results/sk/sk151114

0 Kudos
Andy1977
Explorer

Yes, I also saw this post. Maybe I will turn off VPN accel between FW01 and FW02. But I wonder what the impact of turning off VPN accel is? Thanks.

0 Kudos
the_rock
Legend

Personally, I have done it probably 50 times at least, no issues. To be 100% sure, I would do it after hours. It does not affect much else apart from the tunnel, and from all I have seen, the most I would say it would affect the speed is maybe 5%, that's it.

Andy

0 Kudos