GrassF
Participant

VPN daemon timed out

Hi,

One of our customers is having an issue with the vpn command. We are getting a Timed out

vpn_timed_out.png

The Firewall is running on R81 Take: 44

Have you experienced such an issue?

Thank you

0 Kudos
13 Replies
_Val_
Admin

Take it with TAC

the_rock
Champion

Just curious, are you having actual S2S vpn issues, or ONLY output of this command is the concern? I guess if vpnd is a problem, then TAC may suggest some debugs for it, for sure.

0 Kudos
GrassF
Participant

Correct, in case there is a vpn issue we'll not be able to debug. The firewall has been updated to R81.10, however the issue has not been resolved. We've opened a TAC case.

0 Kudos
Chris_Atkinson
Employee

Apologies, it's not clear. Is the VPN blade activated on the gateway and a tunnel configured / established?

0 Kudos
GrassF
Participant

Correct, if not we would have got this output below (from another Gateway without VPN Blade enabled)

# vpn shell
This is not a VPN-1 enabled module

0 Kudos
the_rock
Champion

This is very interesting... I tried it yesterday in my lab with the vpn blade on and I had the same issue as you, but when I ran it on a customer's environment with the same R80.40 version, it worked fine. Now, I tested in R81.10, but let me see if I can find R81 and try. Though, I'm 99.99% sure this has absolutely nothing to do with the software version.

0 Kudos
GrassF
Participant

We have another customer running R80.40 and it's working fine. Would be interesting to have the result of your test.

the_rock
Champion

Ok...got same thing in R81 as well. Let me do some testing later in my R81.10 lab, as I have latest HFA on it, so will see if I can figure it out, plus, VPN blade has been enabled on it for 2-3 months, at least.

 

0 Kudos
the_rock
Champion

I hate to say this, but I honestly got no clue why this happens. As @_Val_ suggested, open TAC case and have them investigate. I tried so many things in my lab to see if I can get it working (even disabled and re-enabled vpn blade as well), same thing. Tried running multiple options of that command, no luck, sorry brother : - (. Please let us know how it gets fixed, I would love to know.

0 Kudos
GrassF
Participant

Thank you for helping. The TAC case is ongoing. It seems like things have changed on R81

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Top...

0 Kudos
the_rock
Champion

Yes, but vpn debug steps should be the same as before. As far as the vpn shell command, that I'm not positive, though when I tested in R80.xx flavors, options look the same.

0 Kudos
Timothy_Hall
Champion

As you observed, @the_rock, some things involving vpnd did change in R81.10. The vpnd process is very old and has a long list of responsibilities that were stuffed into it over the years, which started to cause stability problems.

In R81.10, two responsibilities of vpnd were split off into two new daemons: iked and cccd. The former daemon handles IKE negotiations and the latter daemon, cccd, seems to be related to endpoint compliance. @GrassF, it is possible that the vpn shell command you are trying to run has not been updated to reflect this change, thus the timeouts. Disabling the new iked process with vpn iked disable might fix your timeout issue, but I'd advise against trying that, as it is not documented and may cause an outage. Please post the output of these two commands:

vpn iked status

vpn cccd status

 

0 Kudos
GrassF
Participant

# vpn iked status
vpn: 'iked' is enabled.
vpn: The 'iked' process is currently running.

# vpn cccd status
vpn: 'cccd' is disabled.
vpn: The 'cccd' process is currently not running.

# fw ctl get int ike_in_separate_daemon
ike_in_separate_daemon = 1

0 Kudos