Luis1980
Participant

VPN vs. Azure issue

Hi, guys.

We have a site-to-site VPN set up against Azure. The problem we cannot get to the bottom of is that this VPN drops every 8 hours. After opening a case with Microsoft, I recommended lowering the Phase 1 time by a few minutes so that it would be the Check Point side that performed the rekey, but the problem has not been solved; we keep losing the VPN every 8 hours. Can you think of what may be going on, or of some change that could be made to the VPN on the Check Point side?

The FW model is a 1800 SMB with embedded Gaia 80.20.35; there may be some limitations here. In the Check Point tracker I don't see anything in the logs.

The tunnel is configured as one VPN tunnel per Gateway pair.

Phase 1 480 minutes. Phase 2 27000 seconds.

And this is what Microsoft tells me to look at on the Check Point side, but I don't know what it means.

"No Additional SAs"

"Reached maximum quick mode limit for the main mode. New main mode will be started."

Azure Comments

Every time the MM expires and Azure initiates a rekey, the peer device sends a response that no additional SAs are available (maximum limit reached), and as a result the old tunnel is closed and a new tunnel is built.
This tunnel is not using traffic selectors, so only 1 IKE SA is negotiated for 0.0.0.0/0:

Please check the remote VPN device configuration; why does it reply that the maximum number of QM SAs is reached? Check with their support also if needed.

I think I will open a case with support, but any help is welcome if you have an idea of what may be happening.

Thanks!!

0 Kudos
6 Replies
Chris_Atkinson
Employee

Are you using build 992002614 or other?

Is the appliance centrally or locally managed?

How are the following device advanced settings or similar configured?

"Delete IPSec SA on IKE SA delete"

"Keep IKE SA keys"


Failing the above I would recommend upgrading to one of the many newer releases available for the 1800 or consulting with TAC.


CCSM R77/R80/ELITE
0 Kudos
Luis1980
Participant

The FW has this version: R80.20.35 (992009978). The device is managed centrally. I do not understand the question about how those settings are configured. The Phase 1 and Phase 2 times are the same on both sides.


Regards.

0 Kudos
Chris_Atkinson
Employee

If it's centrally managed via a separate management server the relevant SK articles to explore for the above are these:

sk108600 - Scenario 4

sk142355


Note that I would also recommend upgrading to a newer firmware release when able.

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

You can do a quick VPN debug and then check the files below:

vpn debug truncon

vpn debug ikeon

Look for ike.elg and vpnd* files in the $FWDIR/log directory.

Those should give you more insight why this fails.

Based on the messages you pointed out, it's hard to say for sure where this fails. "New main mode will be started" means Phase 1, but it does not really tell us whether it even tries to negotiate Phase 2 or not.

Andy

0 Kudos
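An added example (not code from the thread, from Check Point, or from Andy) for working through the debug files mentioned above: it counts the two messages Microsoft quoted and measures the spacing between main mode restarts, so an 8-hour (28800 s) cadence can be checked against the 480-minute Phase 1 lifetime. The log line layout here (epoch seconds followed by the message) is a constructed simplification; real ike.elg lines differ, so adapt the awk field handling before using it on a real file.

```shell
#!/bin/sh
# Workflow this supports (commands from the thread, run on the gateway):
#   vpn debug truncon
#   vpn debug ikeon
#   ... reproduce the drop, then copy $FWDIR/log/ike.elg off-box ...
#   vpn debug ikeoff ; vpn debug off
# The functions below then run against the copied file.

# Count log lines carrying either of the messages Azure reported.
count_sa_limit_msgs() {
    grep -c -e 'No Additional SAs' -e 'Reached maximum quick mode limit' "$1"
}

# Print the gap in seconds between consecutive "New main mode will be
# started" events. A steady 28800 means the restarts line up with a
# 480-minute Phase 1 lifetime rather than with Phase 2 (27000 s).
# ASSUMPTION: field 1 of each line is an epoch timestamp (constructed format).
main_mode_intervals() {
    awk '/New main mode will be started/ { if (prev) print $1 - prev; prev = $1 }' "$1"
}

# Constructed sample log: three main mode restarts exactly 8 hours apart.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
1700000000 IKE: QM negotiation with Azure peer completed
1700028800 IKE: Reached maximum quick mode limit for the main mode. New main mode will be started.
1700028801 IKE: No Additional SAs
1700057600 IKE: Reached maximum quick mode limit for the main mode. New main mode will be started.
1700086400 IKE: Reached maximum quick mode limit for the main mode. New main mode will be started.
EOF

echo "SA-limit messages: $(count_sa_limit_msgs "$SAMPLE")"
echo "Seconds between main mode restarts:"
main_mode_intervals "$SAMPLE"
```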
Luis1980
Participant

I know it's been a long time since I wrote this post, but I'm still on this topic, and Check Point referred me to this article: sk172648.

One question: do you know what the maximum time is that can be set for the renegotiation of the tunnel?

0 Kudos
the_rock
Legend

I don't, but if you put in something that's out of spec, it will complain.

Andy

0 Kudos