Not sure that option works with 3rd party vendors though...I only seen it work cp - cp tunnels.

Dear Phoneboy/Admin 

Thanks for your response i am already using tunnel_keepalive_method  dpd and check all other parameter but didn't find solution till now.

get error log packet is dropped because an ipsec sa associated with the spi on the received ipsec could not be found

Action: drop Description: ESP traffic dropped.

I will follow the sk19423 but that is not helpfull for me.

Can i disable NAT T ?? and if i disable NAT T then what is the impact of that in production??

Hi  @ramawatar and @PhoneBoy 

I am also facing similar issue.

My observation is, in continuous ongoing security parameter negotiations, whenever AWS end negotiates tunnel with NAT-T (4500), tunnel shows UP but no data traverse through tunnel.

(As per few secure knowledge checkpoint only responds for NAT-T negotiation but never initiate negotiation with NAT-T)

fw ctl zdebug + drop | grep <AWS_gateway> gives decryption failed. (A = My End. B= AWS End.)

I am using BGP protocol to control routing.

BGP TCP handshake not getting complete when IKE negotiation shown IKE NAT-T (4500).

But fw monitor shows my end try to send bgp messages through tunnel and even initial packet comes through aws end but TCP complete connection not happening. 

[vs_0][fw_22] eth3-01:i[60]: 169.254.A.A -> 169.254.B.B (TCP) len=60 id=10285
TCP: 45645 -> 179 .S.... seq=2ab5fb15 ack=00000000

[vs_0][fw_22] vpnt6:O[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] vpnt6:e[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] eth3-01:E[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16

When I am doing manual tunnel reset, checkpoint initiating tunnel, where it negotiating on 500 UDP and data starts traversing through tunnel.

Tunnels remain UP, till negotiation not happening through IKE 4500.

 Currently I am experimenting to tune below gateway specific parameters to ensure negotiation of IKE 4500 should not happen. (There is no NAT device between my end and AWS)

IKE_SUPPORT_NAT_T

offer_nat_t_initator

offer_nat_t_responder_for_known_gw

force_nat_t

Advanced NAT-T Configuration

Checkpoint team ( @PhoneBoy  ) through my above observations please highlight and resolve any interoperability through NAT-T between checkpoint and other vendor device.

You're seeing "decryption failed" messages in zdebug, which would suggest a configuration mismatch of some sort.
You'll need to debug it to see where the mismatch is, using something like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Also recommend engaging with the TAC.

Hi @Uttam_Ghole 

I am experiencing the same issue. Did you manage to resolve it after modifying gateway specific parameters?

Regards,

@Marek_Pietrulew We are facing Issue with AWS tunnel only, now working fine we disable NAT T from for all security gateway & set tunnel_keepalive_method DPD 

To enable DPD monitoring:

On each VPN gateway in the VPN community, configure the tunnel_keepalive_method property, in GuiDBedit Tool (see sk13009) or dbedit (see skI3301). This includes 3rd Party gateways. (You cannot configure different monitor mechanisms for the same gateway).

In GuiDBedit Tool, go to Network Objects > network_objects > <gateway> > VPN.
For the Value, select a permanent tunnel mode.
Save all the changes.
Install policy on the gateways.

For best practice Use Respective Gaia Version  VPN Administration Guide.

i have this same issue with static routes. could you please tell, did you manage to resolve this issue. kindly let us know.

Hi,

Is DPD still needed for permanent tunnel checks in R81.20.   Also, is guiDB still needed to enable it?

DPD is still used for permanent tunnels.
In fact, from R81, DPD is set as the default for newly created Interoperable Objects.
If I understand Scenario 5 of sk108600 correctly, unless you've changed the setting from the previous default, it should be changed upon upgrade to an R81+ release automatically.

@Sajid_Abbas yes it's resolve in R80.20, we also already upgraded our infra from R80.10 to R80.20 

Was it related to sk142355 VPN tunnel goes down after policy push, must be reset to bring it up?

Hi Sajid_Abbas,

We are in need of a script to reset the tunnels every time they go down (we check by ping). Can you share it with us? Thank you!

Hi Sajid_Abbas,

We also need automatic ping check and tunnel reset, can you share with us the script you have? Thank you so much!