Re: VPN to CheckPoint unstable, showing multiple I...

guiausechi · ‎2021-09-24

Hello,

someone had this problem.

I have one VPN between Check Point R80.40 and Aruba..

The symptoms are .. duplicate IKE phase 1 in the Checkpoint and some times VPN goes down.

PhoneBoy · ‎2021-09-24

Duplicate IKE Phase 1 isn't exactly a problem depending on the precise configuration.
In any case, you'd probably need to debug the issue further: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Matt_Killeen · ‎2023-06-16

Error 404 on link

G_W_Albrecht · ‎2023-06-16

That sk is not available anymore - try the following and the included links:

https://support.checkpoint.com/results/sk/sk40114

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

PhoneBoy · ‎2023-06-16

The SK that replaces the one I linked to previously is: https://support.checkpoint.com/results/sk/sk180488

the_rock · ‎2021-09-25

Never really set up tunnel between CP and Aruba personally, but can ask one of my colleagues who is really good with Aruba to see if there are any known settings/issues to be aware off. Did the tunnel ever work right or you had problem since the beginning? As @PhoneBoy said, debugging this is a really good idea on CP side.

This is what I usually do, super easy process...on CP fw, rune below commands from expert mode:

vpn debug trunc

vpn degug ikeon

generate some traffic

vpn debug ikeoff

Get vpnd.elg file, as well as ike,elg from %FWDIR/log

Use ikeview utility (free to download off google) to examine ike.elg file and look for the entry for Aruba public IP in there and see whats happening. Also, vpnd.elg can give some insights as well.

prakash7 · ‎2023-03-10

We are facing IPsec vpn tunnel unstable issue its down and up automatically every half a hour (don't make any changes on firewall)happening checkpoint to Prisma cloud tunnel

till now we don't find anything what is the issue

PhoneBoy · ‎2023-03-10

You'll need to debug it: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
See also scenario 4 and 6 in: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Tunnel going up/down like that is likely a mismatch between the various timer settings.

CheckPointerXL · ‎2023-07-20

did you fix the issue?

Matlu · ‎2023-06-16

Hello, my friend.

The file that should be obtained after the debugging you suggest, for the IKEv2, what would it be?

I understand that it is not the same as the one in this post, right?

Regards

the_rock · ‎2023-06-16

Ola bro,

Just do below from expert:

cd $FWDIR/log & ls -lh *ike

It will show you all ike files, including ikev2

Andy

Matlu · ‎2023-06-16

Hi, Andy.

Is this "file" the one to be read, in the IKEView?

File -> ikev2.xmll

Does this file "show" you both Phase1 and Phase2, or only Phase1?

Cheers.

the_rock · ‎2023-06-16

I believe phase2 only, but could be mistaken.

Andy

Bob_Zimmerman · ‎2023-06-16

IKEv2 doesn't have quite the same phase 1 > phase 2 structure IKEv1 has. ikev2.xmll has all of the IKEv2 negotiation information.

Matlu · ‎2023-06-16

Hello,

The file -> ikev2.xmll has the same content as the file "legacy_ikev2.xmll", at least for Troubleshooting????

I can use any of the 2 without any problem?

Greetings.

just13pro · ‎2023-06-17

I believe they are different, legacy_ike2.xmll is phase 1 for IKEv2.

You can use IKEView to open the file search the SK for the IKEView software.

the_rock · ‎2023-06-17

Thats sounds right.

genisis__ · ‎2023-06-18

Not sure this relates, but could this be related to IKEv2 narrowing?

If you do a 'vpn tu tlist' it should show the tunnels; your looking for the wording 'narrow' or 'eclipsed'.

See: https://support.checkpoint.com/results/sk/sk166417

CheckPointerXL · ‎2023-07-19

Hi all,

i'm experience the same problem on R81.10 T79 with third-party peers:

not all traffic inside vpn is affected

Moreover, i have this drops:

Moreover, i tried to clean tunnel information by vpn tu but the command is so bad, information continues to be shown in vpn tu tlist, and i suspect that still they are there traffic is affected
i tried to clean some tables, meta_sas, local_meta_sas, ikesa_out_spi, but no way on how to delete a single entry

the_rock · ‎2023-07-19

Is it all 3rd party peers or just random ones? Can you give an example...any logs, screenshot?

Cheers,

Andy

CheckPointerXL · ‎2023-07-19

just updated the post, sorry lost some information after the publish

the_rock · ‎2023-07-19

What version are you on?

CheckPointerXL · ‎2023-07-19

Like i said i'm on R81.10 T79

the_rock · ‎2023-07-19

Sorry mate, missed that, my bad. I have R81.20 lab with few tunnels, so let me do some digging and see if the issue is there. Is this something new that happened or how long has it been a problem?

Andy

CheckPointerXL · ‎2023-07-19

new installation, the customer started to move VPNs from another device

the_rock · ‎2023-07-19

Maybe if you can give exact commands you ran, I will verify in the lab...so far, dont see any issues like that.

Andy

CheckPointerXL · ‎2023-07-19

fw tab -t ikesa_out_spi -x -e (allvaluedisplayed in fw tab -t ikesa_out_spi )

the_rock · ‎2023-07-19

I dont see any errors when running those.

WhoNeedsFWs · ‎2024-03-05

Did you ever resolve the instability challenges between Prisma Cloud and your Checkpoint gateway?

Are you a member of CheckMates?

VPN to CheckPoint unstable, showing multiple IKE and IPSEC SA's for one policy