Ted James

VPN troubleshooting

I'm troubleshooting a VPN connection using Checkpoint.  I keep getting dropped out from time to time.  Here are the logs from the Checkpoint firewall:
[28 Oct 7:13:54] IKE tunnel disconnected, error code=-1000. Reason: Site is not responding.
[28 Oct 7:13:54] Client state is connected
[28 Oct 7:13:54] Tunnel (2) disconnected. State is connected. Trying to reconnect.
[28 Oct 7:14:22] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:14:22] Client state is reconnecting
[28 Oct 7:14:22] Reconnect failed. trying again (2)
[28 Oct 7:15:20] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:15:20] Client state is reconnecting
[28 Oct 7:15:20] Reconnect failed. trying again (2)
[28 Oct 7:16:05] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:05] Client state is reconnecting
[28 Oct 7:16:05] Reconnect failed. trying again (2)
[28 Oct 7:16:23] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:23] Client state is reconnecting
[28 Oct 7:16:23] Reconnect failed. trying again (2)
[28 Oct 7:17:02] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:17:02] Client state is reconnecting
[28 Oct 7:17:02] Reconnect failed. trying again (2)

Can someone get me started on the troubleshooting?  What is happening and how can I fix it?
Thanks
Ted James

ASKER

Is the problem on the other end?  I don't have a view into the other side.
Ted James

ASKER

Unfortunately there are several "other ends".  This local Checkpoint FW is terminating about 18 VPNs.  Eight of them are having this problem.  I think it is my end, even though that error message says that the other end is not responding.  That is throwing me off.
Eight of these VPNs are exhibiting this flapping while the other ten are solid.  Thoughts?
Ted James

ASKER

In each case they are able to stand up the VPN.  But then they get dropped.  Happens several times.  Started happening last week.
Ted James

ASKER

All very good ideas.  Some of which I will have to schedule "downtime" as the users are 24/7.

Couple other thoughts:
1.  Could the firewall licenses (encryption licenses or Firewall license) be expiring?  Causing the tunnels to go down for a couple minutes?

2.  Though I haven't verified it, some claimed it happens at roughly the same time as each other.  I haven't verified, but maybe it reflects exceeding a certain limit? Or a throughput issue?

3. Not a thought but another impediment to my troubleshooting...  My access to my CP SmartConsole is now being rejected.  When I first logged on yesterday (first time ever) I had to "verify" a fingerprint.  Ignorantly I said "yes".  Apparently I must have been wrong I guess because now I can't get authenticated to get back in.  Is there something I am missing or more I need to do, or am I just fat-fingering it?
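
Added example, not part of the original thread: Python that parses the client log format shown in the question, reports how long the outage ran and how many IKE retries failed, and flags tunnels whose drops begin within a minute of each other (the "roughly the same time" point above). The peer names, the 60-second window, the assumed year and the recovery rule are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log excerpt from the question (abridged: repeated client-state and retry notices dropped).
PAGE_LOG = """\
[28 Oct 7:13:54] IKE tunnel disconnected, error code=-1000. Reason: Site is not responding.
[28 Oct 7:13:54] Client state is connected
[28 Oct 7:13:54] Tunnel (2) disconnected. State is connected. Trying to reconnect.
[28 Oct 7:14:22] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:15:20] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:05] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:23] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:17:02] IKE connection failed, error code=-1000. Reason: Site is not responding.
"""
LINE = re.compile(r"\[(\d{1,2} \w{3} \d{1,2}:\d{2}:\d{2})\] (.*)")

def parse(text, year=2000):
    """Yield (timestamp, message); the log carries no year, so `year` is assumed."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %d %b %H:%M:%S"), m.group(2)

def outages(text):
    """Group lines into outages: one disconnect followed by failed IKE retries."""
    found, cur = [], None
    for ts, msg in parse(text):
        if msg.startswith("IKE tunnel disconnected"):
            cur = {"start": ts, "last": ts, "failed": 0, "restored": None}
            found.append(cur)
        elif cur and msg.startswith("IKE connection failed"):
            cur["failed"] += 1
            cur["last"] = ts
        # The client still logs "connected" in the same second as the drop, so it
        # counts as recovery only after at least one failed retry (assumption).
        elif cur and msg == "Client state is connected" and cur["failed"]:
            cur["restored"] = ts
            cur = None
    return found

def coincident(starts_by_peer, window=timedelta(seconds=60)):
    """Peers whose outage began within `window` of another peer's outage."""
    items = [(t, p) for p, times in starts_by_peer.items() for t in times]
    return sorted({p1 for t1, p1 in items for t2, p2 in items
                   if p1 != p2 and abs(t1 - t2) <= window})

if __name__ == "__main__":
    o = outages(PAGE_LOG)[0]
    print(o["failed"], "failed retries over", o["last"] - o["start"])
```

Peers that cluster together point at something shared on the local side; a peer that drops alone points at its own end or path.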
Ted James

ASKER

For the firewall firmware, yes?
It makes sense since the firewalls haven't been touched in over a year, and problems are only surfacing now.
Ted James

ASKER

Can anyone point me to a good detailed troubleshooting guide for IPSEC that is not geared to a specific product?  Cisco et al. have VPN troubleshooting guides but they are geared towards specific commands and logs specific to the product.  I'd like a generic troubleshooting list.

(Many of my endpoints (far end) are not Checkpoint, I don't even know for sure what endpoint they have)

thx
Ted James

ASKER

Fixed my CP SmartConsole issues.  Turns out my permissions were not upgraded.

So all good suggestions.  Thank you!
In summary, some things to look at:
1.  Firmware upgrade (at a later time during scheduled maintenance)
2.  Check for inconsistent key lifetimes between both ends.
3.  Look at logs at other end (both sides view).  Going to be difficult because the other end person would probably not be technical enough and I don't own that termination point.
4.  Reconstruct profiles. (John can you be more specific?  Is this user profiles?  tunnel endpoint profiles? What are we talking about? etc.)

Also, what about the possibility of the far end being on a wireless network?

Thanks in advance.  We are meeting tomorrow to discuss our strategy.
Qlemo

Good find, John, that Barracuda manual explains common log messages well enough for most devices.
Ted James

ASKER

Thank you all.  We are scheduling a firmware upgrade in the next couple weeks.
It's due for one anyway.
Ted James

ASKER

Thank you all.  Very helpful.  I'm not very familiar with the scoring system so I hope I didn't slight anybody.  I'll reach back when we complete the upgrade.
John

You are very welcome and I was happy to assist you.