This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hsanity
Contributor
‎2023-02-27 04:41 AM
Jump to solution

Unstable VPN tunnel between two checkpoint firewalls; ike log indicates INVALID-COOKIE

Hi,
We have been experiencing an unstable VPN connection at one of our sites. VPN tunnels randomly go down. Looking at the log in the web portal shows "Peer closed connection" and "The peer is no longer responding" between the gateways. We can also see logs like "Informational Exchange Received Delete IPSEC-SA from Peer" coming from the remote gateway. Following is an example of one of the events:

Eventlog_VPN_tunnel_drop_and_restablishment.png

Looking at ike.elg log file indicates towards lots of INVALID-COOKIE before and after phase 1 and phase 2 ike negotiation.

INVALID-COOKIE.png

Troubleshooting steps taken:
1. Cross-checked VPN site settings on both ends
2. Delete and recreate VPN sites on both ends
3. Increased WAN bandwidth from ISP


SMB gateway: 1450 Appliance | Version: R77.20.75 (990172321)

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-02-27 03:45 PM
Jump to solution

Before spending too much time troubleshooting this, I recommend upgrading to the latest firmware.
The most recent can be obtained from here: https://support.checkpoint.com/results/sk/sk153433 

View solution in original post

18 Replies
PhoneBoy
Admin
Admin
‎2023-02-27 03:45 PM
Jump to solution

Before spending too much time troubleshooting this, I recommend upgrading to the latest firmware.
The most recent can be obtained from here: https://support.checkpoint.com/results/sk/sk153433 

the_rock
MVP Diamond
MVP Diamond
‎2023-02-27 03:53 PM
Jump to solution

Make sure "keep ike SAs" in global properties is enabled.

Best,
Andy
"Have a great day and if its not, change it"
Hsanity
Contributor
‎2023-02-28 03:04 AM
In response to the_rock
Jump to solution

We are running our gateways with local management. Is it possible to check and enable "keep ike SAs" without a management server?

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-02-28 04:48 AM
In response to Hsanity
Jump to solution

Best next steps:

- upgrade to latest firmware

- if the issue persists contact TAC

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-02-28 04:52 AM
In response to Hsanity
Jump to solution

Not that I know of...I believe that option is only available as per below (from smart console):

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
Hsanity
Contributor
‎2023-02-28 06:52 AM
In response to the_rock
Jump to solution

Thank you. For local management, I found it under Device > Advanced Settings > VPN Site to Site global settings - Keep IKE SA Keys.

the_rock
MVP Diamond
MVP Diamond
‎2023-02-28 06:53 AM
In response to Hsanity
Jump to solution

Good stuff, learned something new today. So any way to tell if it helps or it may take some time?

Best,
Andy
"Have a great day and if its not, change it"
Hsanity
Contributor
‎2023-02-28 06:58 AM
In response to the_rock
Jump to solution

We are trying with keeping the IKE SAs and observing the tunnel for the next several hours. Finger crossed.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-02-28 06:59 AM
In response to Hsanity
Jump to solution

Honestly, even if that works, I would still upgrade to latest version available. It never hurts to do that with these SMB appliances, it can only help. 

Best,
Andy
"Have a great day and if its not, change it"
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-02-28 06:57 AM
In response to Hsanity
Jump to solution

Are you planning to upgrade to R77.20.87 JHF ?

CCSM R77/R80/ELITE
Hsanity
Contributor
‎2023-02-28 07:00 AM
In response to Chris_Atkinson
Jump to solution

Unfortunately, my user account does not have enough privileges to download the hotfix that @PhoneBoy suggested. Logged a separate support on this. Awaiting response.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-28 09:55 AM
In response to Hsanity
Jump to solution

Yes, because your account must be associated with a support agreement.
This is required to download most things from UserCenter.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-02-28 10:01 AM
In response to Hsanity
Jump to solution

Hey @Hsanity ...any luck with changes made?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Hsanity
Contributor
‎2023-02-28 11:10 PM
In response to the_rock
Jump to solution

There were still tunnel drops after switching to keep ike SAs. But After upgrading to the latest JHF | fw1_sx_dep_R77_990173120_20.img, haven't had a single tunnel drop in the last 12 hours. This looks promising! But I must say, We have about fifteen other 1450 firewalls that have VPN tunnels to the same central site and this is the only gateway causing issues without the JHF. Thanks so much for the file @the_rock.

G_W_Albrecht
MVP Silver
MVP Silver
‎2023-03-01 12:02 AM
In response to Hsanity
Jump to solution

As i wrote above: Afaik and refering to sk142355, your issue has nothing to do with Keep IKE SAs...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-03-01 01:59 AM
In response to Hsanity
Jump to solution

They all need upgrading in that case as R77.20.75 has been End-of-support for almost 3-years already.

Refer:

https://www.checkpoint.com/support-services/support-life-cycle-policy/

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-03-01 02:46 AM
In response to Hsanity
Jump to solution

Glad it helped you.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-02-28 04:42 AM
In response to the_rock
Jump to solution

Why ? See explanation in sk142355: Enabling this parameter changes the behavior so that the Security Gateway keeps all Phase 1 and Phase 2 keys after a policy installation to work around interoperability issues with 3rd party VPN peers.

I do not see any issue after policy installation mentioned here...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events