This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Heath_Mote
Collaborator
‎2019-03-18 07:45 AM

VPN Tunnel Phase 1 Re-key Causing Application Disconnects

We have what I would call a sensitive application that is somehow losing it's connection when Phase 1 re-keys on the VPN tunnel the traffic is being tunneled through. I think it's likely a combination of gateway/tunnel settings that could be modified but also just a sensitive application. The application disconnects were a mystery at first until we closely correlated these to the phase 1 re-keys on the VPN tunnel through which the traffic is passing.

Any information on what we might be able to monitor or modify in these VPN tunnels or gateway settings would be much appreciated. The tunnel setup is on R80.10 management and HA gateway using ClusterXL. We have Clustered gateways on each end of the VPN tunnel and have VPN tunnels to multiple sites. We have staggered the re-keys to no avail...thinking it was somehow tied to the multiple satellite gateways and the central gateway was not able to handle the multiple re-keys. This staggering re-key change did not improve the application disconnects.

 

0 Kudos
2 Replies
Jerry
Mentor
Mentor
‎2019-03-18 09:54 AM

extending of the phase-1 re-key TTL would definitely help so you can make an attempt of making sure that re-keying is happening "over night" or simply out-of-business hours. This way you can prevent of re-keying happening during the peak time of application usefulness. Hope it helps, but if not I believe that "tweaking" IPSec CryptoSuite would definitely be required at this point.
Jerry
0 Kudos
Heath_Mote
Collaborator
‎2019-03-18 01:02 PM
In response to Jerry

Yes, we have tried this but the admins are saying there shouldn't be any downtime. I tend to agree because of the redundancy and we have never seen this before where a re-key caused a disconnect or interruption in application connectivity.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top