I have a pair of 1550s clustered through ClusterXL serving as a remote access gateway for a small group of users. The remote users are all using the Check Point Mobile client.
The 1550 SMB cluster is running R80.20.35. These are centrally managed devices, so an upgrade to R81 is not possible yet.
What we see is that after 4 to 8 days of use, all the mobile clients will start throwing an error when they try to set up the VPN tunnel. The error is:
Connection Failed, VPN-1 server could not find any certificate to use for IKE
The simple workaround we have discovered is to push policy to the 1550 cluster. No changes are required, merely push the policy. The mobile clients all start working again immediately after the policy push is complete.
One oddity about this setup is that the cluster is not using an IPSec certificate from the management server's internal CA. We have instead loaded a cert from the public CA (Sectigo) for this purpose, so that external clients can use the DNS name of the external cluster VIP rather than being required to use an IP address for connections.
Has anyone seen anything like this before?