RichUK
Contributor

Site-to-site Disconnects & Questions

Hi all,

We are running an active/standby cluster with R81.10 take 87 and have set up a site-to-site with a 3rd party. The connection establishes but loses connection randomly - I have a continuous ping going and it can be down for up to 90 secs. As a comparison, I run the same test on the 5 other site-to-sites and they do not drop a ping.

We are using IKEv2, tried it without PFS. The ED is 192.168.199.48 - 192.168.199.63 local, 21x.xxx.xxx.57/32 remote (both network objects). Also we NAT our traffic behind 192.168.199.49 to their endpoint.

The community is configured with the local gateway using a VPN domain group with our local internal subnet and the 192.168.199.48/28 subnet. The remote gateway is configured using a group (we will eventually add another IP address in) with the network object of 21x.xxx.xxx.57/32.

One thing I have observed is that their end will send loads of IPSec SA rekeys, sometimes over 20 in 5 mins. I've seen their config and P2 is definitely set to 3600 secs, the same as our side. We never have an issue with the IKE SA.

rekey_list.jpg

rekey_detail.jpg

The couple of questions I have are:

Their remote gateway is 21x.xxx.xxx.56. When I look in the VPN routing table, it supernets the peer and endpoint together. Could this be an issue?

I have asked them to test using a 10.x.x.x address as the remote endpoint as a test (still get drops). The SAs rekey every 46 mins, initiated from their end. Is using a 'real-world' IP as the remote endpoint an issue for the site-to-site?

When we tested with the 10.x.x.x IP, we noticed the FW uses the IPSec SA agreed in the Auth stage of the tunnel; when we use the external IP as the remote endpoint, the FW creates 4-5 additional Child SAs, all exactly the same, before traffic will pass over the tunnel.

TIA

Rich


Accepted Solutions
the_rock
Legend

@RichUK, sorry about the delay, here it is mate. First setting is in global properties and 2nd one is in the gateway object. I know the 2nd one may seem counter-intuitive, as it's related to policy install, but I had a few cases where it actually helped with the same issue you have.

Also, the below 2 screenshots are settings you should change to FALSE in guidbedit. Reason is, this has been a problem with CP for, I don't know, at least 20+ years, where it would always try to present the largest possible subnet. So, say, Cisco expects /29 and CP is trying to send /24, well, that ain't gonna work lol

Anyway, if you are not familiar with guidbedit, which I'm sure you might be, the location is C:\Program Files (x86)\CheckPoint\SmartConsole\R81.20\PROGRAM (except yours is R81.10)...same creds as SmartConsole.

If you need more help, let me know.

Andy

Screenshot_1.png

Screenshot_2.png

Guidbedit values to change to FALSE:

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

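To make the supernetting mismatch concrete, here is an added example (not code from the thread or from Check Point) that models the behaviour Andy describes: with supernetting on, the remote selector our side proposes covers the peer gateway and its endpoint as one /31, which a peer configured with only the /32 host rejects, while with it off the exact /32 is offered. The 203.0.113.x addresses are constructed stand-ins for the thread's 21x.xxx.xxx.56/.57, and the "strict peer that never narrows" check is a simplifying assumption.

```python
# Added example, not code from the thread or from Check Point: a small model of
# how "largest possible subnet" supernetting widens a Child SA traffic selector
# until a strict third-party peer no longer accepts it. Addresses are constructed
# (203.0.113.0/24 is a documentation range) and stand in for 21x.xxx.xxx.56/.57.
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def covering_supernet(nets: Iterable[str]) -> Net:
    """Smallest single prefix that covers every network in `nets`."""
    networks = [ipaddress.ip_network(n) for n in nets]
    candidate = networks[0]
    while not all(n.subnet_of(candidate) for n in networks):
        candidate = candidate.supernet()  # widen by one bit at a time
    return candidate


def proposed_selectors(domain: Iterable[str], merged_with: Iterable[str],
                       supernet_enabled: bool) -> List[Net]:
    """Selectors our side offers for one end of the tunnel (model, not CP code).
    Supernetting on: the domain plus whatever the VPN routing table lumps in with
    it (in the thread, the peer gateway address) becomes one covering prefix.
    Supernetting off: the configured networks are sent exactly as defined."""
    if supernet_enabled:
        return [covering_supernet(list(domain) + list(merged_with))]
    return [ipaddress.ip_network(n) for n in domain]


def strict_peer_accepts(proposed: List[Net], configured: Iterable[str]) -> bool:
    """A peer that does not narrow rejects any selector wider than its own
    configuration, i.e. one that is not a subnet of a configured network."""
    allowed = [ipaddress.ip_network(n) for n in configured]
    return all(any(p.subnet_of(a) for a in allowed) for p in proposed)


# Thread scenario: the remote encryption domain is a single host, the routing
# table merges it with the peer gateway address, and the peer expects the host.
REMOTE_DOMAIN = ["203.0.113.57/32"]
PEER_GATEWAY = ["203.0.113.56/32"]
PEER_CONFIGURED = ["203.0.113.57/32"]


def remote_selector_accepted(supernet_enabled: bool) -> bool:
    """True when the remote selector we would propose matches the peer's."""
    sel = proposed_selectors(REMOTE_DOMAIN, PEER_GATEWAY, supernet_enabled)
    return strict_peer_accepts(sel, PEER_CONFIGURED)
```

With supernetting enabled the model proposes 203.0.113.56/31 and the peer rejects it; with it disabled it proposes 203.0.113.57/32 and the peer accepts, matching the "no additional Child SA" outcome reported below.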
4 Replies
the_rock
Legend

I will send you some things to verify later when I get access to my R81.20 lab. Version here does not matter, it's exactly the same behavior in R81.10 : )

Give me about an hour and will update the thread.

RichUK
Contributor

Thank you @the_rock, I did the changes last night and all seems well. We are now using the IPSec SA agreed in the Auth SA, no additional Child SA when the tunnel initiates. 👍

the_rock
Legend

Glad it worked. I have been known to fix a few issues here and there, NOTHING like CP master @PhoneBoy, but happy the advice was useful.

Cheers mate