- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-22-2015 08:51 AM
Hi Friends,
We have an IPsec VPN tunnel configured with CheckPoint firewall.
Basically, when our Phase 1 expires after 24 hours, if a Phase 2 key is still within its 1 hour lifetime, we receive no response back.
Only after the Phase 2 key expires and a new Phase 1 SA is negotiated that we can pass traffic. This happens every day, exactly when Phase 1 expires:
Please suggest.
Regards
Satish
07-22-2015 02:17 PM
From CKPT's sk42315:
"Based on the IKE debug, see that after the Main Mode key negotiation, the 3rd party VPN device deletes the phase2 SPI, and similarly after the phase2 key negotiation, it deletes the SPI. This is due to a difference in how Check Point and some 3rd party peers handle phase2 keys after a phase1 renegotiation.
Check Point also deletes all phase2 keys for a specific phase1 SA after a phase1 renegotiation. Others continue to use the same phase2 keys until their normal expiry time. This causes something like a race condition where the tunnel will drop for about 10-15 minutes until the 2 peers can get SAs back in sync and the tunnel completes the negotiations.
Solution
This problem was fixed. The fix is included in: Check Point R77.10
Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway).
For lower / other versions, modify the settings on the Check Point Security Gateway to be consistent with the 3rd party settings.
Proceed as follows: On the Check Point Security Gateway, run:
ckp_regedit -a SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1
Run cpstop Run cpstart
Run the command cat HKLM_registry.data | grep DontDel from $CPDIR/registry and verify the output."
07-23-2015 09:29 AM
Hi Andreip,
we are already running R77.20.
Regards
Satish
07-23-2015 02:45 PM
Hi Satish,
Based on your previous discussions, I assume you already checked the DPD & tunnel monitoring on PANW side.
Cluster on CKPT side ?
To understand which side is persisting on using the expired P1 I would do it the hard way, disabling SecureXL & clearing P1 and running VPND under debug for a while (export TDERROR_ALL_ALL=5 && export VPND_DEBUG=1 && cpstop -fwflag -proc && cpstart) or plain vpn debug trunc & analysis in IKEView on CKPT side & correlating info with debug ike global on debug & tail follow yes mp-log ikemgr.log on PANW side.
Best regards,
andreip
08-05-2015 02:48 PM
Check logs on both sites during the rekey or down time. In checkpoint(cp) just filter by public IP address to see the rekeys in smarviewtracker, in PAN it's showed in the system logs subtype VPN.
Could be several things:
-Cp has support for DPD in your current version, try enabling/disabling DPD on both sites. In checkpoint you need to set up a 'Permanent tunnel'
-Proxy mismatch, checkpoint creates supernetting by default. The most easy thing is to select "One SA per gateway" under "Tunnel management" in your VPN community (checkpoint) and no using proxy-ID in your PA.
Give them a try but the logs will help you out. If that doesn't work try setting up debugs on both sides or opening a support case with the 'Responder' firewall vendor.
regards,
G
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!