Timothy_Hall
Legend

The VPN is going down because certificates are used for IKE Phase 1 authentication; when a rekey occurs the CRL must be retrieved from the SMS/MDS to ensure the certificate has not been revoked. There is a cache for the CRL on the gateways that will help if the SMS/MDS is down for a short period, but if it is down long enough the cached CRL entries will expire and the VPN breaks at the next rekey.

You can extend the CRL cache timeout or even disable the CRL checking completely as described here:

https://community.checkpoint.com/t5/SMB-Gateways-Spark/How-does-SMB-gateway-CRL-fetching-work/m-p/19...

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
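A small model of the failure mode described above, added here as an example and not code from Check Point or from the poster: it walks through the rekey schedule during a management outage, tracks when the gateway's cached CRL goes stale, and computes how long the cache would have to live to ride out a given outage. The rekey interval, cache lifetime and outage window are constructed values, not product defaults.

```python
"""Model of gateway CRL caching across an SMS/MDS outage (added example).

Assumptions (constructed for illustration, not Check Point defaults):
- IKE Phase 1 rekeys happen every `rekey_interval` seconds, starting at t=0.
- At each rekey the gateway fetches a fresh CRL if management is reachable.
- During an outage only the cached CRL is available; it is usable for
  `crl_cache_ttl` seconds after it was last fetched.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CrlCacheSim:
    rekey_interval: int            # seconds between Phase 1 rekeys
    crl_cache_ttl: int             # seconds a cached CRL remains usable
    crl_check_enabled: bool = True  # False models disabling CRL checking entirely

    def first_failed_rekey(self, outage_start: int, outage_end: int,
                           horizon: int) -> Optional[int]:
        """Return the time of the first rekey that breaks the tunnel, or None."""
        if not self.crl_check_enabled:
            return None            # no CRL fetch, so the outage is harmless
        last_fetch = 0             # CRL fetched when the tunnel first came up
        t = self.rekey_interval
        while t <= horizon:
            mgmt_reachable = not (outage_start <= t < outage_end)
            if mgmt_reachable:
                last_fetch = t     # fresh CRL retrieved at this rekey
            elif t - last_fetch > self.crl_cache_ttl:
                return t           # cache expired, revocation status unknown
            t += self.rekey_interval
        return None

    def required_cache_ttl(self, outage_start: int, outage_end: int) -> int:
        """Smallest cache lifetime (seconds) that survives this outage."""
        last_fetch = ((outage_start - 1) // self.rekey_interval) * self.rekey_interval
        last_outage_rekey = ((outage_end - 1) // self.rekey_interval) * self.rekey_interval
        return max(0, last_outage_rekey - last_fetch)


if __name__ == "__main__":
    sim = CrlCacheSim(rekey_interval=3600, crl_cache_ttl=86400)
    print("first failing rekey:", sim.first_failed_rekey(5000, 200000, 300000))
    print("cache TTL needed for this outage:", sim.required_cache_ttl(5000, 200000))
```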
