Fatihah
Participant

VPN Tunnel is down after installing policy

Hi All,
I am facing issue with VPN tunnel between Check Point gateway and 3rd-party gateway, Sonicwall.

The situation is, the vpn connection is working as usual after the tunnel is up.

However, after we push the policy, the tunnel is coming down again.

What I've done next:

1. Confirmed no changes related to VPN settings on both Check Point gateway and Peer Gateway.

2. Confirmed the configuration on both sides tallies with each other.

3. Reset tunnel on vpn tu, option (7).

4. Checked VPN status again, still down. Refer to the packet capture on peer 175.139.242.98 below:

[image: image.png (packet capture on peer 175.139.242.98)]

Supposedly, the VPN tunnel should come up after resetting the tunnel. However, the tunnel is still down.

And now I'm checking on sk142355; however, the changes on Global Properties might need to be considered properly, as they might affect other VPN tunnels.


Currently, our setup is in Standalone mode on version R80.10 with Take 279 hotfix.


Hopefully we have a solution or workaround for this issue.

1 Solution

Accepted Solutions
Fatihah
Participant

Hi Timothy,


Thanks for your suggestion.

However, after checking all these, I suspected the issue is related to the instability of the upstream device (Load Balancer). Hence, I bypassed the Load Balancer to the peer Gateway, and as a result the tunnel was established and communication was successful between both sites.


Regards,

Fatihah

2 Replies
Timothy_Hall
Legend

When policy is pushed the IKE Phase 1 SAs are cleared depending on the values of ike_keep_child_sa_interop_devices and keep_IKE_SAs which are both global; I don't think you can specify these values per VPN peer or community. 3rd party gateways in particular don't like having an SA cleared early since the mechanism to recover (delete SA notification) does not usually work properly between vendors. See Scenario 4 of sk108600: VPN Site-to-Site with 3rd party.

The only real ramification of setting one or both of these to true is that if you make a change to IKE Phase 1 configuration settings (encryption, hashing, etc), that change will not happen immediately upon policy push. These types of changes don't occur very often once the tunnel is initially set up and tested, but if you do need to change these Phase 1 settings with "true" set you'll just need to manually reset the IKE Phase 1 tunnel with vpn tu after pushing policy to make it take effect. That's it.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com