Alex-
MVP Silver

VPN management in CLI and Smartview in latest versions

I've worked with a cluster running R81.20 Take 119 which has a single IPSEC to an interoperable device which has been working for years.

 

Today, I wanted to manually reset the tunnel for some checks as we changed some topology and so on.

I used the well known vpn tu and the Smartview with the "Reset Tunnel" button.

 

Nothing happened. In the logs, I didn't see the Key Install events except those agreed by the community timers.

In CLI, the tunnel times remained those as well when checking the list of established tunnels.

I tried multiple times, using either vpn tu with option 7 or vpn tu del x.x.x.x and so on, same thing, the VPN doesn't reset and there are no logs, traffic doesn't lose a single packet.

Now it's not a huge issue as it works and I can wait for the next interval for checks, but I wonder if it would be a known issue.

Duane_Toler
MVP Silver

I haven't found "vpn tu del <ip>" to really do the job, either.  However, "vpn tu del all" WILL delete everything.. but it's EVERYTHING.  If you can afford that result, then go for it.  For those of us with dozens of VPN sessions, that's a bit aggressive (although I have done it at acceptable times).

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
Alex-
MVP Silver

It's the first time I observed this command doing just nothing at all. This is quite inconvenient when trying to make controlled resets of VPN with third parties.

the_rock
MVP Platinum

I tried the first command once and it did work. vpn tu del all definitely works. I find the ones below usually work fine:

 
 
Screenshot_1.png

Best,
Andy
Tal_Paz-Fridman
MVP Silver CHKP

I've sent your post to the relevant owner in R&D.

Will update when I have heard back.

Thanks

Lesley
MVP Gold

Before you run vpn tu option 7, do you see any IKE/SA ID for the VPN tunnel at all? If there are none, there is nothing to reset and it could indicate a different issue. Sounds obvious but I fell for this once 😉

Alex-
MVP Silver

vpn tu list shows all associations, as well as dedicated options in vpn tu, I checked independently phase 1 and 2 and everything's there. I mean, the tunnel works.

Option 7 and vpn tu del didn't do anything and the tunnel rekeyed at the agreed timers.

Maybe one of these features which stopped working after a given version is installed, like cppcap for instance.

Tal_Paz-Fridman
MVP Silver CHKP

According to R&D, it should work and has been tested by QA to function properly in R82.10 (not yet released).

This may indicate a degradation introduced by a JHF or something specific to your environment.

Therefore, I recommend opening a ticket with TAC.

Alex-
MVP Silver

Thanks for taking the time to investigate this.

I upgraded another environment to R81.20 T119 and didn't experience this issue, so very likely something local to that implementation.
