This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mike-H
Explorer
2 weeks ago
Jump to solution

Gateway appliances reliance on management server

Hello, 

We have a number of 1450's and 1570's connected in a site to site VPN to our primary co-lo VSX firewalls. These are also connected to an MDSM. Should the MDSM become unavailable for a period of time (+12 hours) we find that the 1450's and 1570's will fail to rekey thus taking down their VPN connection, which is less than ideal. 

Is this 'by design'/'unavoidable' or is there something we can do to prevent the gateways from dropping should the management server experience issues? 

Thanks

Mike

Labels
0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion Champion
Champion
2 weeks ago
Jump to solution

The VPN is going down because certificates are used for IKE Phase 1 authentication; when a rekey occurs the CRL must be retrieved from the SMS/MDS to ensure the certificate has not been revoked.  There is a cache for the CRL on the gateways that will help if the SMS/MDS is down for a short period, but if it is down long enough the cached CRL entries will expire and the VPN breaks at the next rekey.

You can extend the CRL cache timeout or even disable the CRL checking completely as described here:

https://community.checkpoint.com/t5/SMB-Gateways-Spark/How-does-SMB-gateway-CRL-fetching-work/m-p/19...

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

(1)
3 Replies
the_rock
Legend
Legend
2 weeks ago
Jump to solution

I believe it used to be 24 hours, but might be different now. Is there anything you can do to prevent that? personally, I cant think of anything, because it relies on mgmt server for that sort of communication.

Andy

0 Kudos
Timothy_Hall
Champion Champion
Champion
2 weeks ago
Jump to solution

The VPN is going down because certificates are used for IKE Phase 1 authentication; when a rekey occurs the CRL must be retrieved from the SMS/MDS to ensure the certificate has not been revoked.  There is a cache for the CRL on the gateways that will help if the SMS/MDS is down for a short period, but if it is down long enough the cached CRL entries will expire and the VPN breaks at the next rekey.

You can extend the CRL cache timeout or even disable the CRL checking completely as described here:

https://community.checkpoint.com/t5/SMB-Gateways-Spark/How-does-SMB-gateway-CRL-fetching-work/m-p/19...

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)
Mike-H
Explorer
2 weeks ago
In response to Timothy_Hall
Jump to solution

Thank you, that makes sense. We will look to increase the CRL timeout. 

Much appreciated. 🙂 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events