Joe_Kanaszka
Collaborator

Question about examining flow of S2S traffic

Morning everyone - Happy Hump Day! 😀

Question.

We have an AIO open server running R81.20 at our NJ site.  We recently configured ISP redundancy and it is working as it should.

We have a S2S VPN between our NJ site and our European office.  Their remote peer is also a Check Point.

My colleague in Europe has set up 2 (two) "NJ peer objects" on his side of the tunnel (each one representing one of our ISP circuits) to manage his end of the tunnel. His management is separate and not part of our environment. I do not have visibility into his environment.

Our S2S tunnel between NJ and Europe is working fine - but occasionally the tunnel will drop and we will have to delete the tunnel on our end using #vpn tu - option 7 (remote peer).  Then the tunnel will come up again.

He is telling me they are sending out their VPN traffic to our primary circuit IP but they are seeing traffic from our end coming from us via our backup circuit.  This is impossible as our backup circuit is in "backup" mode.  I can verify if I perform a #cpstat fw.

I guess that this may be a "glitch"? The current backup circuit in NJ was the first and only circuit configured years ago when this gateway was built out. Our current primary circuit was added late last year. We are using it as primary because it is faster. So I'm guessing my gateway object in NJ is still associated with the old backup circuit?

The ISP redundancy script is working fine. My default route in the Gaia portal matches my primary circuit network.

I'm trying to ensure our S2S traffic between us and our European peer is "synchronous" - meaning while on our "primary" circuit in NJ, traffic is being sent and received on our "primary" circuit and is not getting looped around on our backup circuit first, making unnecessary hops. (Europe => NJ ISP1 => NJ ISP2 => Europe)

What logs can I look at to view the flow of encrypted traffic?

Thanks guys!
0 Kudos
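One way to answer the "which circuit is the encrypted traffic actually using" question from a packet capture, as an added example that is not from the post or from Check Point: the script tallies, per direction, which local address IKE (isakmp) and ESP packets to and from the peer use, and flags outbound flows that leave from anything other than the expected primary circuit. The capture lines, the NJ primary/backup addresses and the peer address are constructed placeholders in documentation ranges.

```python
import re
from collections import Counter

# Assumed addresses (placeholders, not from the original post).
NJ_PRIMARY = "198.51.100.10"   # local address on the primary ISP circuit
NJ_BACKUP = "203.0.113.10"     # local address on the backup ISP circuit
PEER = "192.0.2.20"            # remote Check Point peer in Europe

# Constructed tcpdump-style capture of the IKE and ESP exchange with the peer.
# Inbound traffic arrives on the primary circuit, but the ESP replies leave
# from the backup circuit, which is the asymmetry described in the thread.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 192.0.2.20.500 > 198.51.100.10.500: isakmp: phase 1 I ident
10:00:01.010 IP 198.51.100.10.500 > 192.0.2.20.500: isakmp: phase 1 R ident
10:00:02.000 IP 192.0.2.20 > 198.51.100.10: ESP(spi=0x0000a1b2,seq=0x1)
10:00:02.005 IP 203.0.113.10 > 192.0.2.20: ESP(spi=0x0000c3d4,seq=0x1)
10:00:03.000 IP 192.0.2.20 > 198.51.100.10: ESP(spi=0x0000a1b2,seq=0x2)
10:00:03.005 IP 203.0.113.10 > 192.0.2.20: ESP(spi=0x0000c3d4,seq=0x2)
"""

# src[.port] > dst[.port]: proto   (ports appear only on the UDP/IKE lines)
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (ESP|isakmp)"
)


def tally_vpn_flows(capture, peer):
    """Count (proto, local_ip) pairs for inbound and outbound VPN traffic with peer."""
    inbound, outbound = Counter(), Counter()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip non-VPN or unparsable lines
        src, dst, proto = m.groups()
        if src == peer:
            inbound[(proto, dst)] += 1   # local address the peer sent to
        elif dst == peer:
            outbound[(proto, src)] += 1  # local address we sourced from
    return inbound, outbound


def find_asymmetric(capture, peer, expected_local):
    """Return outbound (proto, local_ip) counts that bypass the expected circuit."""
    _, outbound = tally_vpn_flows(capture, peer)
    return {k: v for k, v in outbound.items() if k[1] != expected_local}


if __name__ == "__main__":
    inbound, outbound = tally_vpn_flows(SAMPLE_CAPTURE, PEER)
    print("inbound :", dict(inbound))
    print("outbound:", dict(outbound))
    print("leaving via non-primary circuit:", find_asymmetric(SAMPLE_CAPTURE, PEER, NJ_PRIMARY))
```

Feed it a real capture taken on the gateway's external interfaces (filtered to the peer address) and an empty result from find_asymmetric means the outbound IKE and ESP traffic is sourced from the primary circuit as intended.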
5 Replies
the_rock
Legend

Hey mate,

Happy New Year to ya as well, can't believe it's 2024, dang :-)

Anyway, can you see if this is enabled from global properties? Also, I recall back in the day, the 2nd option I attached also helped (it's on GW settings).

Best,

Andy

Screenshot_1.png

Screenshot_2.png

0 Kudos
Joe_Kanaszka
Collaborator

Thanks Andy!

We have the first option enabled already, "keep_IKE_SAs".

For the second option we currently have "rematch connections".

This setting seems to only apply for policy installs. In our case, the tunnel will drop without any policy installation occurring, so not sure if this setting is applicable in our case.

Thank you though!

-Joe

0 Kudos
the_rock
Legend

Hey mate,

Yes, I know the 2nd one shows for policy install, but it worked for the exact issue like yours for 3 customers I helped in the past with this problem.

Andy

Joe_Kanaszka
Collaborator

Interesting! Ok - we'll give it a shot.

Thank you again Andy.

-Joe

0 Kudos
the_rock
Legend

Hope it helps!

Andy

0 Kudos