This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scott_Paisley
Advisor
‎2019-06-01 04:07 AM

IPSEC site to site VPN fails after R80.20 upgrade

Hi

We have a large number of IPSEC VPN tunnels between our R77.30 gateway clusters.

Yesterday we upgraded one of the remote clusters to R80.20. After the upgrade the tunnel was still working fine, until we pushed policy to the R77.30 cluster late last night.

Now the tunnel will not stay up. If I push the R80.20 cluster it comes up briefly, then fails again.

The error message is 

Auth exchange: Sending notification to peer: Authentication failed MyAuthMethod: Certificates

I have support ticket open, but is there something simple and obvious I am missing?

Thanks

0 Kudos
4 Replies
Maarten_Sjouw
Champion
Champion
‎2019-06-02 04:51 AM

Do make sure to push the policy on the R77.30 again. We have seen many times during a R77.30 to R77.30 migration, a couple of years ago, that when we had VPN's we needed to at least push twice to those gateways to make sure the tunnels came back.
Regards, Maarten
0 Kudos
Scott_Paisley
Advisor
‎2019-06-02 05:23 AM
In response to Maarten_Sjouw

Thanks

I removed the R80.20 gateway from the VPN, pushed to both gateways, added it back in and pushed again, and now the tunnel is up.

Checkpoint recommendation is to renew the cert, but each of our gateways is involved in multiple VPNs, so we will end up pushing to the whole estate eventually.

0 Kudos
OL
Explorer
‎2019-12-08 06:55 AM
In response to Scott_Paisley

@Scott_Paisley did you find the root cause of this? Could it have been that after upgrade that PFS was turned off?

I just saw similar behaviour going from R80.10 to R80.30. Im pretty sure I had PFS enabled before upgrade. It was disabled after upgrade I think. I reenabled, and it looks more stable.

0 Kudos
Scott_Paisley
Advisor
‎2019-12-09 12:59 AM
In response to OL

it turned out to be an unrelated issue. The Remote gateways were not able to reach the management server to check the validity of the certs. Once that was resolved the tunnels came up

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events