Yashy (United Kingdom) asked:
VPN Tunnels are up. But no information comes through, until you reset the VPN tunnels. Firewall bug?

Hi guys
We have VPN tunnels between ourselves and Amazon AWS. They're up and running. Our side has a Check Point on version R80.40. Every few days we're having to reset the VPN tunnels. Information between our side and the AWS side ceases to come through, even though when we ping, we get a response. It's only when we reset the tunnels that this is fixed. We've removed the tunnels on the Check Point side and tried again, and the same thing happens. Is this possibly a bug or a fault on the firewall, or is it something you have seen on VPN tunnels in general?

Thanks
Yashy
SOLUTION by Craig Beck (United Kingdom): solution text only available to members.
I agree with @someone: you have to check the SA timers on both ends, since when the tunnel is idle for a specific time (without interesting traffic passing through) it will go down even if you can ping the other peer.
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/14018s

Search for DPD (Dead Peer Detection).
To change DPD, follow the steps below:

SmartConsole, go to Menu > Global Properties > Advanced > Advanced Configuration > VPN advanced properties > VPN IKE properties.
You have to change keep_IKE_SAs to true.
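The advice above is to compare the SA timers on both ends, and the asker later notes that one tunnel has different Phase 1 and Phase 2 renegotiation timings. The following is an added example, not code from the thread or from Check Point or AWS: a small checker that takes both ends' IKE/IPsec settings and flags the mismatches that usually surface as "tunnel up, nothing flows". The AWS values are the defaults AWS publishes for a Site-to-Site VPN customer gateway configuration (Phase 1 28800 s, Phase 2 3600 s, DPD timeout 30 s); the Check Point values are constructed sample input, and the class and function names are this example's own.

```python
"""Compare IKE/IPsec timer settings on both ends of a site-to-site VPN.

Added example (not from the original thread). The AWS entry uses the
defaults AWS publishes for its Site-to-Site VPN customer gateway
configuration; the Check Point entry is constructed sample input.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class IkeSettings:
    name: str
    phase1_lifetime_s: int   # IKE SA lifetime
    phase2_lifetime_s: int   # IPsec SA lifetime
    dpd_enabled: bool        # Dead Peer Detection switched on
    dpd_timeout_s: int       # seconds without a DPD reply before the peer is declared dead
    sends_keepalive: bool    # originates traffic while the tunnel is otherwise idle


# Published AWS Site-to-Site VPN defaults. AWS does not originate keepalive
# traffic itself; its documentation asks the customer gateway side to.
AWS_PEER = IkeSettings("aws-tunnel-1", 28800, 3600, True, 30, False)

# Constructed sample for the local Check Point side: Phase 2 lifetime does
# not match the peer and DPD is off (the situation the asker describes).
CHECKPOINT_LOCAL = IkeSettings("cp-gw", 28800, 1800, False, 0, False)


def check_pair(local: IkeSettings, peer: IkeSettings) -> list[str]:
    """Return human-readable findings for a pair of tunnel endpoints."""
    findings = []
    phases = (
        ("Phase 1", local.phase1_lifetime_s, peer.phase1_lifetime_s),
        ("Phase 2", local.phase2_lifetime_s, peer.phase2_lifetime_s),
    )
    for phase, ours, theirs in phases:
        if ours != theirs:
            findings.append(
                f"{phase} lifetime mismatch: {local.name}={ours}s, {peer.name}={theirs}s"
            )
    for side in (local, peer):
        if side.phase2_lifetime_s > side.phase1_lifetime_s:
            findings.append(f"{side.name}: Phase 2 lifetime exceeds Phase 1 lifetime")
        if not side.dpd_enabled:
            findings.append(
                f"{side.name}: DPD disabled; a dead peer is only noticed when the SA expires"
            )
    if not (local.sends_keepalive or peer.sends_keepalive):
        findings.append(
            "neither side sends keepalive traffic; an idle tunnel will be torn down "
            "or left with a stale SA until something retriggers negotiation"
        )
    return findings


def stale_sa_window_s(local: IkeSettings, peer: IkeSettings) -> int:
    """Worst-case seconds during which the side with the longer Phase 2
    lifetime keeps encrypting into an SA its peer has already expired.

    Assumes the peer's delete notification is lost or not honoured (an
    assumption of this example); equal lifetimes give a window of 0.
    """
    return abs(local.phase2_lifetime_s - peer.phase2_lifetime_s)


if __name__ == "__main__":
    for line in check_pair(CHECKPOINT_LOCAL, AWS_PEER):
        print("FINDING:", line)
    print("worst-case stale SA window:", stale_sa_window_s(CHECKPOINT_LOCAL, AWS_PEER), "s")
```

Run it with both ends' real values substituted for the constructed ones; the point of `stale_sa_window_s` is to make the cost of a lifetime mismatch concrete, since during that window one side still has a "tunnel up" status while the other has already discarded the SA.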
Yashy (ASKER):
Thanks a lot for responding, 'some one' and 'Elie'.

Okay, so I have looked on the Check Point and one of the tunnels has slightly different Phase 1 and Phase 2 renegotiation timings. I can change that to be exact.

So I just read the link, and in the DPD section it says: 'The tunnel testing mechanism is the recommended keepalive mechanism for Check Point to Check Point VPN gateways...'. Am I right in assuming that this setting doesn't just apply from Check Point to Check Point but also from Check Point to other non-Check Point tunnels? And lastly, if I check a box in keep_IKE_SAs (mine doesn't have a true value, just a checkbox), will that not affect ALL VPN tunnels? If I select this, will it impact all of the tunnels on this firewall by taking them down?

Thank you again
SOLUTION: solution text only available to members.

ASKER CERTIFIED SOLUTION: solution text only available to members.