Hi,
One of our customers is having an issue with the vpn command. We are getting a "Timed out".
The Firewall is running on R81 Take: 44
Have you experienced such issue?
Thank you
Take it with TAC
Just curious, are you having actual S2S vpn issues, or ONLY output of this command is the concern? I guess if vpnd is a problem, then TAC may suggest some debugs for it, for sure.
Correct, in case there is a vpn issue we'll not be able to debug. The firewall has been updated to R81.10, however the issue has not been resolved. We've opened a TAC case.
Apologies it's not clear. Is the VPN blade activated on the gateway and a tunnel configured / established?
Correct, if not we would have got this output below (from another Gateway without VPN Blade enabled)
# vpn shell
This is not a VPN-1 enabled module
This is very interesting... I tried it yesterday in my lab with the vpn blade on and I had the same issue as you, but when I ran it on a customer's environment with the same R80.40 version, it worked fine. Now, I tested in R81.10, but let me see if I can find R81 and try. Though, I'm 99.99% sure this has absolutely nothing to do with the software version.
We have another customer running R80.40 and it's working fine. Would be interesting to have the result of your test.
Ok... got the same thing in R81 as well. Let me do some testing later in my R81.10 lab, as I have the latest HFA on it, so I will see if I can figure it out; plus, the VPN blade has been enabled on it for 2-3 months, at least.
I hate to say this, but I honestly got no clue why this happens. As @_Val_ suggested, open TAC case and have them investigate. I tried so many things in my lab to see if I can get it working (even disabled and re-enabled vpn blade as well), same thing. Tried running multiple options of that command, no luck, sorry brother : - (. Please let us know how it gets fixed, I would love to know.
Thank you for helping. The TAC case is ongoing. It seems like things have change on R81
Yes, but the vpn debug steps should be the same as before. As far as the vpn shell command, of that I'm not positive, though when I tested in R80.xx flavors, the options looked the same.
As you observed @the_rock some things involving vpnd did change in R81.10. The vpnd process is very old and has a long list of responsibilities that were stuffed into it over the years which started to cause stability problems.
In R81.10 two responsibilities of vpnd were split off into two new daemons: iked and cccd. The former daemon handles IKE negotiations and the latter daemon, cccd, seems to be related to endpoint compliance. @GrassF it is possible that the vpn shell command you are trying to run has not been updated to reflect this change, thus the timeouts. Disabling the new iked process with vpn iked disable might fix your timeout issue, but I'd advise against trying that, as it is not documented and may cause an outage. Please post the output of these two commands:
vpn iked status
vpn cccd status
# vpn iked status
vpn: 'iked' is enabled.
vpn: The 'iked' process is currently running.
# vpn cccd status
vpn: 'cccd' is disabled.
vpn: The 'cccd' process is currently not running.
# fw ctl get int ike_in_separate_daemon
ike_in_separate_daemon = 1
Attention, quoting from Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)
In R81.10 we added a feature to improve VPN performance - named CCCD
This feature is disabled by default, and we know about few advanced customers who are using it.
Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!
YOU MUST DISABLE CCCD TO BECOME PROTECTED!
Instructions below and also on SK182336:
Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.
If the output differs, stop the CCCD process by running the vpn cccd disable command.
More info by the link above.
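The check quoted above is easy to miss on a fleet of gateways, so here is an added example of a small POSIX shell audit that parses the output of vpn cccd status (the same two-line format shown earlier in this thread) and returns a clear verdict. This is not code from Check Point or from anyone in the thread; the function names daemon_state_from_output and cccd_verdict are my own, the sample outputs are constructed from the lines quoted above, and the script only invokes the real vpn command when it exists on the host (i.e. when run in expert mode on a gateway).

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point.
# Audits the CCCD state that SK182336 asks you to verify after the
# CVE-2024-24919 hotfix: CCCD must be disabled.

# daemon_state_from_output DAEMON
#   Reads the output of "vpn DAEMON status" on stdin and prints one word:
#   disabled | enabled | unknown.  DAEMON is "cccd" or "iked".
daemon_state_from_output() {
  out=$(cat)
  case "$out" in
    *"'$1' is disabled"*) echo disabled ;;
    *"'$1' is enabled"*)  echo enabled ;;
    *)                    echo unknown ;;
  esac
}

# cccd_verdict
#   Reads "vpn cccd status" output on stdin.
#   Exit 0 = CCCD disabled (expected state), 1 = CCCD enabled (action
#   required), 2 = output not recognised (check the command manually).
cccd_verdict() {
  state=$(daemon_state_from_output cccd)
  case "$state" in
    disabled) echo "OK: cccd is disabled"; return 0 ;;
    enabled)  echo "ACTION: cccd is enabled - run 'vpn cccd disable' (SK182336)"; return 1 ;;
    *)        echo "UNKNOWN: could not parse 'vpn cccd status' output"; return 2 ;;
  esac
}

# Constructed sample outputs, modelled on the lines quoted in the thread.
SAMPLE_DISABLED="vpn: 'cccd' is disabled.
vpn: The 'cccd' process is currently not running."
SAMPLE_ENABLED="vpn: 'cccd' is enabled.
vpn: The 'cccd' process is currently running."

# On a real gateway the vpn CLI exists; elsewhere, demonstrate with a sample.
if command -v vpn >/dev/null 2>&1; then
  vpn cccd status | cccd_verdict || true
else
  printf '%s\n' "$SAMPLE_ENABLED" | cccd_verdict || true
fi
```

Run it with sh on each gateway (or feed it saved status output over stdin) and act on any non-zero exit; the "unknown" path is deliberate so that a changed output format is flagged rather than silently treated as safe.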