Ted James asked:

VPN troubleshooting

I'm troubleshooting a VPN connection using Check Point. I keep getting dropped out from time to time. Here are the logs from the Check Point firewall:
[28 Oct 7:13:54] IKE tunnel disconnected, error code=-1000. Reason: Site is not responding.
[28 Oct 7:13:54] Client state is connected
[28 Oct 7:13:54] Tunnel (2) disconnected. State is connected. Trying to reconnect.
[28 Oct 7:14:22] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:14:22] Client state is reconnecting
[28 Oct 7:14:22] Reconnect failed. trying again (2)
[28 Oct 7:15:20] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:15:20] Client state is reconnecting
[28 Oct 7:15:20] Reconnect failed. trying again (2)
[28 Oct 7:16:05] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:05] Client state is reconnecting
[28 Oct 7:16:05] Reconnect failed. trying again (2)
[28 Oct 7:16:23] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:23] Client state is reconnecting
[28 Oct 7:16:23] Reconnect failed. trying again (2)
[28 Oct 7:17:02] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:17:02] Client state is reconnecting
[28 Oct 7:17:02] Reconnect failed. trying again (2)


Can someone get me started on the troubleshooting? What is happening and how can I fix it?
Thanks
Tags: Troubleshooting, VPN
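As an added example (not part of this thread, and not Check Point's own tooling), the Python below parses the client log format quoted in the question and rolls it up into the figures a troubleshooter wants first: how many IKE failures, which error codes and reasons, the gaps between failures, and whether the pattern counts as flapping. The year (none appears in the log), the flapping rule (three or more IKE failures inside ten minutes) and the message patterns (only the forms present in the quoted lines) are assumptions; the sample input is the quoted log, embedded as a constructed string.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the client log lines quoted in the question above.
SAMPLE_LOG = """\
[28 Oct 7:13:54] IKE tunnel disconnected, error code=-1000. Reason: Site is not responding.
[28 Oct 7:13:54] Client state is connected
[28 Oct 7:13:54] Tunnel (2) disconnected. State is connected. Trying to reconnect.
[28 Oct 7:14:22] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:14:22] Client state is reconnecting
[28 Oct 7:14:22] Reconnect failed. trying again (2)
[28 Oct 7:15:20] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:15:20] Client state is reconnecting
[28 Oct 7:15:20] Reconnect failed. trying again (2)
[28 Oct 7:16:05] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:05] Client state is reconnecting
[28 Oct 7:16:05] Reconnect failed. trying again (2)
[28 Oct 7:16:23] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:23] Client state is reconnecting
[28 Oct 7:16:23] Reconnect failed. trying again (2)
[28 Oct 7:17:02] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:17:02] Client state is reconnecting
[28 Oct 7:17:02] Reconnect failed. trying again (2)
"""

# Assumption: the log carries no year, so one is supplied to make timestamps comparable.
ASSUMED_YEAR = 2022

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
ERR_RE = re.compile(r"error code=(?P<code>-?\d+)\.\s*Reason:\s*(?P<reason>.+?)\.?$")
TUNNEL_RE = re.compile(r"Tunnel \((?P<tid>\d+)\) disconnected")
STATE_RE = re.compile(r"Client state is (?P<state>\w+)")


def parse_line(line):
    """Parse one '[dd Mon H:M:S] message' line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%d %b %H:%M:%S %Y")
    msg = m["msg"]
    ev = {"ts": ts, "msg": msg, "kind": "other", "code": None, "reason": None,
          "tunnel": None, "state": None}
    if msg.startswith("IKE"):                      # "IKE tunnel disconnected" / "IKE connection failed"
        ev["kind"] = "ike_failure"
        err = ERR_RE.search(msg)
        if err:
            ev["code"] = int(err["code"])
            ev["reason"] = err["reason"]
    elif msg.startswith("Reconnect failed"):
        ev["kind"] = "reconnect_failed"
    else:
        t = TUNNEL_RE.search(msg)
        s = STATE_RE.search(msg)
        if t:
            ev["kind"] = "tunnel_down"
            ev["tunnel"] = int(t["tid"])
        elif s:
            ev["kind"] = "state"
            ev["state"] = s["state"]
    return ev


def max_events_in_window(times, window_s):
    """Largest number of events inside any window of window_s seconds (two-pointer sweep)."""
    times = sorted(times)
    best, left = 0, 0
    for right in range(len(times)):
        while (times[right] - times[left]).total_seconds() > window_s:
            left += 1
        best = max(best, right - left + 1)
    return best


def summarize(log_text, window_s=600, flap_threshold=3):
    """Roll the log up into the figures worth looking at when a tunnel keeps dropping."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    ike = [e for e in events if e["kind"] == "ike_failure"]
    ike_times = [e["ts"] for e in ike]
    # Seconds between consecutive IKE failures: short, irregular gaps are the signature of flapping.
    intervals = [int((b - a).total_seconds()) for a, b in zip(ike_times, ike_times[1:])]
    burst = max_events_in_window(ike_times, window_s)
    return {
        "lines_parsed": len(events),
        "ike_failures": len(ike),
        "reconnect_attempts": sum(e["kind"] == "reconnect_failed" for e in events),
        "error_codes": Counter(e["code"] for e in ike),
        "reasons": Counter(e["reason"] for e in ike),
        "tunnels": sorted({e["tunnel"] for e in events if e["tunnel"] is not None}),
        "states": Counter(e["state"] for e in events if e["state"]),
        "intervals_s": intervals,
        "max_in_window": burst,
        "flapping": burst >= flap_threshold,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run over the log of each tunnel in turn, the per-tunnel figures (failure count, reasons, gap lengths) are directly comparable, which is the quickest way to tell a shared local cause from a single misbehaving peer; a single reason and error code repeating at irregular short intervals, as in the quoted log, says only that IKE messages to the peer went unanswered, not which side dropped them.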

Last comment: John, 8/22/2022 - Mon
SOLUTION (John)
Ted James (asker):
Is the problem on the other end?  I don't have a view into the other side.
SOLUTION (John)
SOLUTION
Ted James (asker):
Unfortunately there are several "other ends". This local Check Point FW is terminating about 18 VPNs. Eight of them are having this problem. I think it is my end, even though that error message says that the other end is not responding. That is throwing me off.
Eight of these VPNs are exhibiting this flapping while the other ten are solid. Thoughts?
SOLUTION
Ted James (asker):
In each case they are able to stand up the VPN.  But then they get dropped.  Happens several times.  Started happening last week.
SOLUTION

SOLUTION

SOLUTION
Ted James (asker):
All very good ideas.  Some of which I will have to schedule "downtime" as the users are 24/7.

Couple other thoughts:
1.  Could the firewall licenses (encryption licenses or Firewall license) be expiring?  Causing the tunnels to go down for a couple minutes?

2.  Though I haven't verified it, some claimed it happens at roughly the same time for each of them. Maybe it reflects exceeding a certain limit? Or a throughput issue?

3.  Not a thought but another impediment to my troubleshooting... My access to my CP SmartConsole is now being rejected. When I first logged on yesterday (first time ever) I had to "verify" a fingerprint. Ignorantly I said "yes". Apparently I must have been wrong, because now I can't get authenticated to get back in. Is there something I am missing or more I need to do, or am I just fat-fingering it?
SOLUTION

SOLUTION
Ted James (asker):
For the firewall firmware, yes?
It makes sense since the firewalls haven't been touched in over a year, and problems are only surfacing now.
SOLUTION

SOLUTION

SOLUTION

SOLUTION

SOLUTION
Ted James (asker):
Can anyone point me to a good, detailed troubleshooting guide for IPsec that is not geared to a specific product? Cisco et al. have VPN troubleshooting guides, but they are geared towards specific commands and logs specific to the product. I'd like a generic troubleshooting list.

(Many of my endpoints (far end) are not Check Point; I don't even know for sure what endpoint they have.)

thx
ASKER CERTIFIED SOLUTION
Ted James (asker):
Fixed my CP SmartConsole issues.  Turns out my permissions were not upgraded.

So all good suggestions.  Thank you!
In summary, some things to look at:
1.  Firmware upgrade (at a later time during scheduled maintenance)
2.  Check for inconsistent key lifetimes between both ends.
3.  Look at logs at other end (both sides view).  Going to be difficult because the other end person would probably not be technical enough and I don't own that termination point.
4.  Reconstruct profiles. (John can you be more specific?  Is this user profiles?  tunnel endpoint profiles? What are we talking about? etc.)

Also, what about the possibility of the far end being on a wireless network?

Thanks in advance.  We are meeting tomorrow to discuss our strategy.
SOLUTION
Qlemo:

Good find, John; that Barracuda manual explains common log messages well enough for most devices.
Ted James (asker):
Thank you all. We are scheduling a firmware upgrade in the next couple of weeks.
It's due for one anyway.
Ted James (asker):
Thank you all.  Very helpful.  I'm not very familiar with the scoring system so I hope I didn't slight anybody.  I'll reach back when we complete the upgrade.
John:
You are very welcome and I was happy to assist you.