
VPN troubleshooting

Ted James asked
772 Views
Last Modified: 2018-11-20
I'm troubleshooting a VPN connection using Check Point. I keep getting dropped from time to time. Here are the logs from the Check Point firewall:
[28 Oct 7:13:54] IKE tunnel disconnected, error code=-1000. Reason: Site is not responding.
[28 Oct 7:13:54] Client state is connected
[28 Oct 7:13:54] Tunnel (2) disconnected. State is connected. Trying to reconnect.
[28 Oct 7:14:22] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:14:22] Client state is reconnecting
[28 Oct 7:14:22] Reconnect failed. trying again (2)
[28 Oct 7:15:20] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:15:20] Client state is reconnecting
[28 Oct 7:15:20] Reconnect failed. trying again (2)
[28 Oct 7:16:05] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:05] Client state is reconnecting
[28 Oct 7:16:05] Reconnect failed. trying again (2)
[28 Oct 7:16:23] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:23] Client state is reconnecting
[28 Oct 7:16:23] Reconnect failed. trying again (2)
[28 Oct 7:17:02] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:17:02] Client state is reconnecting
[28 Oct 7:17:02] Reconnect failed. trying again (2)


Can someone get me started on the troubleshooting? What is happening and how can I fix it?
Thanks
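Before guessing at a cause, it helps to turn a log like the one above into numbers: how many IKE failures there were, how far apart the retries are, how long the outage lasted, and whether the client ever got back to a connected state. The script below is an added example for this thread, not Check Point code and not from anyone posting here; it parses the exact lines posted above and assumes only the line shape visible there, `[DD Mon H:MM:SS] message[, error code=N. Reason: text.]`. A "Site is not responding" reason says only that no IKE reply arrived within the client's timeout; nothing in the line says which hop lost the packets, which is why the same numbers from the far end (and from one of the tunnels that stays up, for comparison) are the next thing to collect.

```python
"""Flap summary for IKE client log lines of the shape posted in the question.

Added example, not Check Point code. Assumes only the visible line shape:
"[DD Mon H:MM:SS] message" with an optional ", error code=N. Reason: text." tail.
"""
import re
from collections import Counter
from datetime import datetime

# The 18 lines posted in the question, embedded so the script runs offline.
SAMPLE_LOG = """\
[28 Oct 7:13:54] IKE tunnel disconnected, error code=-1000. Reason: Site is not responding.
[28 Oct 7:13:54] Client state is connected
[28 Oct 7:13:54] Tunnel (2) disconnected. State is connected. Trying to reconnect.
[28 Oct 7:14:22] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:14:22] Client state is reconnecting
[28 Oct 7:14:22] Reconnect failed. trying again (2)
[28 Oct 7:15:20] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:15:20] Client state is reconnecting
[28 Oct 7:15:20] Reconnect failed. trying again (2)
[28 Oct 7:16:05] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:05] Client state is reconnecting
[28 Oct 7:16:05] Reconnect failed. trying again (2)
[28 Oct 7:16:23] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:23] Client state is reconnecting
[28 Oct 7:16:23] Reconnect failed. trying again (2)
[28 Oct 7:17:02] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:17:02] Client state is reconnecting
[28 Oct 7:17:02] Reconnect failed. trying again (2)
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{1,2} \w{3} \d{1,2}:\d{2}:\d{2})\] (?P<msg>.*?)"
    r"(?:, error code=(?P<code>-?\d+)\. Reason: (?P<reason>[^.]*)\.)?$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log carries no year; strptime defaults to 1900, which is fine for time deltas.
    ts = datetime.strptime(m["ts"], "%d %b %H:%M:%S")
    code = int(m["code"]) if m["code"] else None
    return {"ts": ts, "msg": m["msg"], "code": code, "reason": m["reason"]}


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def ike_failures(events):
    """Lines where IKE reported an error code: the initial drop plus each failed retry."""
    return [e for e in events if e["code"] is not None]


def summarize(events):
    fails = ike_failures(events)
    times = [e["ts"] for e in fails]
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    # Sequence of "Client state is ..." values; the last one tells whether we recovered.
    states = [e["msg"].split("Client state is ", 1)[1]
              for e in events if e["msg"].startswith("Client state is ")]
    return {
        "ike_failures": len(fails),
        "codes": dict(Counter(e["code"] for e in fails)),
        "reasons": dict(Counter(e["reason"] for e in fails)),
        "retry_gaps_s": gaps,
        "outage_s": int((times[-1] - times[0]).total_seconds()) if len(times) > 1 else 0,
        "reconnect_attempts": sum(e["msg"].startswith("Reconnect failed") for e in events),
        "recovered": bool(states) and states[-1] == "connected",
    }


def is_flapping(events, min_failures=3, window_s=600):
    """True if at least min_failures IKE errors fall inside any window_s-second window."""
    times = [e["ts"] for e in ike_failures(events)]
    for i in range(len(times) - min_failures + 1):
        if (times[i + min_failures - 1] - times[i]).total_seconds() <= window_s:
            return True
    return False


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for k, v in summarize(ev).items():
        print(f"{k}: {v}")
    print("flapping:", is_flapping(ev))
```

Run against the posted lines it reports six IKE errors (one disconnect and five failed retries), all with code -1000 and the same reason, retry gaps of 28, 58, 45, 18 and 39 seconds, an outage of 188 seconds in the captured window, and no return to the connected state. Running the same script over the logs of one of the ten "solid" tunnels gives the baseline those numbers should be compared against.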

John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:

Author

Commented:
Is the problem on the other end?  I don't have a view into the other side.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
bbao, IT Consultant
CERTIFIED EXPERT
Commented:

Author

Commented:
Unfortunately there are several "other ends". This local Check Point FW is terminating about 18 VPNs. Eight of them are having this problem. I think it is my end, even though that error message says that the other end is not responding. That is throwing me off.
Eight of these VPNs are exhibiting this flapping while the other ten are solid. Thoughts?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:

Author

Commented:
In each case they are able to stand up the VPN.  But then they get dropped.  Happens several times.  Started happening last week.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
bbao, IT Consultant
CERTIFIED EXPERT
Commented:

Author

Commented:
All very good ideas. For some of them I will have to schedule "downtime", as the users are 24/7.

A couple of other thoughts:
1. Could the firewall licenses (encryption licenses or firewall license) be expiring, causing the tunnels to go down for a couple of minutes?

2. Though I haven't verified it, some claimed it happens at roughly the same time for each of them. Maybe it reflects exceeding a certain limit, or a throughput issue?

3. Not a thought but another impediment to my troubleshooting... My access to my CP SmartConsole is now being rejected. When I first logged on yesterday (first time ever) I had to "verify" a fingerprint. Ignorantly I said "yes". Apparently I must have been wrong, I guess, because now I can't get authenticated to get back in. Is there something I am missing or more I need to do, or am I just fat-fingering it?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:

Author

Commented:
For the firewall firmware, yes?
It makes sense since the firewalls haven't been touched in over a year, and problems are only surfacing now.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Qlemo "Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015
Commented:
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Qlemo "Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015
Commented:

Author

Commented:
Can anyone point me to a good, detailed troubleshooting guide for IPsec that is not geared to a specific product? Cisco et al. have VPN troubleshooting guides, but they are geared towards specific commands and logs specific to the product. I'd like a generic troubleshooting list.

(Many of my endpoints (far end) are not Check Point; I don't even know for sure what endpoint they have.)

Thanks
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:

Author

Commented:
Fixed my CP SmartConsole issues.  Turns out my permissions were not upgraded.

So all good suggestions.  Thank you!
In summary, some things to look at:
1.  Firmware upgrade (at a later time during scheduled maintenance)
2.  Check for inconsistent key lifetimes between both ends.
3. Look at the logs at the other end (both sides' view). Going to be difficult, because the person at the other end would probably not be technical enough, and I don't own that termination point.
4.  Reconstruct profiles. (John can you be more specific?  Is this user profiles?  tunnel endpoint profiles? What are we talking about? etc.)

Also, what about the possibility of the far end being on a wireless network?

Thanks in advance.  We are meeting tomorrow to discuss our strategy.
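Item 2 in the list above (key lifetimes that differ between the two ends) is the one check that can be done mechanically once both ends' settings are in hand, and it is worth extending to the rest of the proposal: the end with the shorter lifetime tears down or rekeys its SA first, and if the other end misses that, it keeps a stale SA that still looks connected while traffic goes nowhere until DPD or its own lifetime catches up. The script below is an added example for this thread, not Check Point code or anything from the participants; the two parameter sets are constructed (hypothetical) values and the field names are my own, so they have to be mapped onto whatever each gateway actually exposes.

```python
"""Consistency check for the IKE/IPsec settings that must agree at both ends.

Added example, not Check Point code. The two parameter sets below are constructed
(hypothetical) values; in practice read them from each gateway's configuration.
"""
from dataclasses import dataclass, fields
from typing import Optional


@dataclass(frozen=True)
class SaParams:
    ike_version: int
    encryption: str
    integrity: str
    dh_group: int
    pfs_group: Optional[int]          # None = PFS disabled for Phase 2
    ike_lifetime_s: int               # Phase 1 / IKE SA lifetime, seconds
    ipsec_lifetime_s: int             # Phase 2 / IPsec SA lifetime, seconds
    ipsec_lifetime_kb: Optional[int]  # traffic-volume lifetime, None = unused
    dpd_interval_s: Optional[int]     # dead peer detection interval, None = off


TIME_LIFETIMES = ("ike_lifetime_s", "ipsec_lifetime_s")
VOLUME_LIFETIME = "ipsec_lifetime_kb"


def compare(local: SaParams, remote: SaParams) -> dict:
    """Map each field that differs to (local_value, remote_value)."""
    return {f.name: (getattr(local, f.name), getattr(remote, f.name))
            for f in fields(SaParams)
            if getattr(local, f.name) != getattr(remote, f.name)}


def first_to_expire(local: SaParams, remote: SaParams):
    """(field, side, seconds) for the shortest time-based lifetime on either end.

    side is "local", "remote", or "both" when the two ends agree on that value.
    """
    best = None
    for name in TIME_LIFETIMES:
        for side, p in (("local", local), ("remote", remote)):
            v = getattr(p, name)
            if best is None or v < best[2]:
                best = (name, side, v)
            elif v == best[2] and best[0] == name and best[1] != side:
                best = (name, "both", v)
    return best


def report(local: SaParams, remote: SaParams) -> list:
    """Human-readable findings; an empty list means the two ends agree."""
    out = []
    for name, (a, b) in compare(local, remote).items():
        if name in TIME_LIFETIMES or name == VOLUME_LIFETIME:
            # A missing volume lifetime means "never expires on volume".
            a_v = a if a is not None else float("inf")
            b_v = b if b is not None else float("inf")
            side = "local" if a_v < b_v else "remote"
            out.append(f"{name}: local={a} remote={b}; the {side} end expires and "
                       f"rekeys first while the other may still show the SA as up")
        elif name == "dpd_interval_s":
            if a is None or b is None:
                out.append(f"{name}: local={a} remote={b}; only one end probes liveness, "
                           f"so only that end will notice a silent peer")
            else:
                out.append(f"{name}: local={a} remote={b}; the ends will declare each "
                           f"other dead after different silences")
        else:
            out.append(f"{name}: local={a} remote={b}; proposals will not match")
    return out


# Constructed (hypothetical) settings for one tunnel; not taken from the thread.
LOCAL = SaParams(ike_version=1, encryption="aes256", integrity="sha256", dh_group=14,
                 pfs_group=14, ike_lifetime_s=86400, ipsec_lifetime_s=3600,
                 ipsec_lifetime_kb=None, dpd_interval_s=30)
REMOTE = SaParams(ike_version=1, encryption="aes256", integrity="sha256", dh_group=14,
                  pfs_group=14, ike_lifetime_s=28800, ipsec_lifetime_s=1800,
                  ipsec_lifetime_kb=4608000, dpd_interval_s=None)

if __name__ == "__main__":
    for line in report(LOCAL, REMOTE):
        print(line)
    print("first to expire:", first_to_expire(LOCAL, REMOTE))
```

With the constructed values the report flags both lifetimes, the volume lifetime that only the remote end enforces, and DPD being enabled on one side only; `first_to_expire` points at the remote end's 1800-second Phase 2 lifetime as the first moment the two ends can disagree about whether the tunnel is up. Filling in the real settings for one of the eight flapping tunnels and one of the ten solid ones, and diffing the two reports, narrows the question quickly.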
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
Qlemo "Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015

Commented:
Good find, John, that Barracuda manual explains common log messages well enough for most devices.

Author

Commented:
Thank you all. We are scheduling a firmware upgrade in the next couple of weeks.
It's due for one anyway.

Author

Commented:
Thank you all.  Very helpful.  I'm not very familiar with the scoring system so I hope I didn't slight anybody.  I'll reach back when we complete the upgrade.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You are very welcome and I was happy to assist you.
