CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Periodically, we lose connectivity to our remote sites. We get the usual errors related to sk149423 etc. A closer look at the log files shows some of the following errors: "encryption fail reason: Back connection to inactive DAIP" "IKE: Main Mode cannot initiate negotiation with a DAIP object" The only way we can get this resolved is for someone at the other end (behind the EDGE) to initiate a connection of some sort across the VPN. Once that happens, the VPN seems to reset itself somehow and things start to work again... temporarily. Again, after a random amount of time it disconnects again. Any help would be greatly appreciated.
Please tell us more about the configuration of your remote sites (UTM-1 Edge), central configuration (SmartCenter Server) and your VPN setup (permanent tunnels etc.)
The sites in question are using VPN Edge X16 devices. They are centrally managed via SmartCenter (NG AI HFA_R55_20), and are permanent site-to-site tunnels. These remote sites sometimes have little to no activity on the LAN for extended periods (hours, sometimes days).
We are running 7.0.48 on the Edge devices, and the lib files are all up to date. We have another site with 7.0.48 which is working fine, but we always have a lot of LAN activity at that site.
Please update your firmware and libsw libraries to 7.5.55 and tell us more about your configuration. Have you read the UTM-1 Edge FAQ?

Q: Why do VPN connections to remote sites using UTM-1 Edges (configured as DAIP gateways with dynamic IP address) sometimes fail?

A: When a UTM-1 Edge changes its IP address, the Corporate Office gateway does not detect the IP address change until the UTM-1 Edge reports it to the Service Center. The default value for this periodic status update is 20 minutes (SmartDashboard > Policy > Global Properties > VPN-1 UTM Edge Gateway > General Configuration). Check Point recommends configuring permanent VPN tunnels for each VPN community containing DAIP UTM-1 Edges. This ensures that in case the IP address changes your UTM-1 Edge will automatically re-establish the VPN tunnel again. (sk31477, sk33238)
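The FAQ above describes why a tunnel to a DAIP Edge can sit broken until the next status update or until the Edge initiates traffic. A small monitor that scans gateway logs for the two error strings quoted in this thread and flags sites that show a DAIP failure with no later successful negotiation, or no negotiation at all within the 20-minute reporting window, gives the central-site operator an early warning instead of waiting for users at the branch to complain. The script below is an added example, not code from this thread or from Check Point; the log line layout (`timestamp site=... peer=... message`) and the "IKE: key install" success marker are assumptions made for the example, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines. The layout (timestamp, site=, peer=, message) is an
# assumption made for this example, not the actual Check Point log format;
# only the two quoted error messages come from the thread.
SAMPLE_LOG = """\
2009-03-02 08:00:05 site=branch-a peer=edge-a IKE: key install
2009-03-02 09:15:22 site=branch-a peer=edge-a encryption fail reason: Back connection to inactive DAIP
2009-03-02 09:15:23 site=branch-a peer=edge-a IKE: Main Mode cannot initiate negotiation with a DAIP object
2009-03-02 09:20:10 site=branch-b peer=edge-b IKE: key install
2009-03-02 10:40:00 site=branch-a peer=edge-a encryption fail reason: Back connection to inactive DAIP
2009-03-02 10:41:30 site=branch-a peer=edge-a IKE: key install
"""

# Error messages quoted in the thread that show the gateway is treating the
# Edge as an inactive DAIP peer.
DAIP_FAILURE_MARKERS = (
    "Back connection to inactive DAIP",
    "cannot initiate negotiation with a DAIP object",
)
# Assumed marker for a successful (re)negotiation in this constructed format.
SUCCESS_MARKER = "IKE: key install"

# Default periodic status update interval from the FAQ quoted in the thread.
STATUS_UPDATE_INTERVAL = timedelta(minutes=20)

# Reference "current time" used by the stand-alone run (constructed).
REFERENCE_NOW = datetime(2009, 3, 2, 11, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) site=(?P<site>\S+) peer=\S+ (?P<msg>.+)$"
)


def parse_line(line):
    """Return (timestamp, site, message), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("site"), m.group("msg")


def summarize(log_text, now, quiet_after=STATUS_UPDATE_INTERVAL):
    """Per-site status: DAIP failure count, last success/failure, two flags.

    down  - the latest DAIP failure has no later successful negotiation,
            i.e. the tunnel is currently broken.
    quiet - no successful negotiation seen for longer than quiet_after, which
            mirrors the 20-minute reporting window the FAQ describes.
    """
    sites = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, site, msg = parsed
        entry = sites.setdefault(
            site, {"daip_failures": 0, "last_success": None, "last_failure": None}
        )
        if any(marker in msg for marker in DAIP_FAILURE_MARKERS):
            entry["daip_failures"] += 1
            entry["last_failure"] = ts
        elif SUCCESS_MARKER in msg:
            entry["last_success"] = ts
    for entry in sites.values():
        last_ok, last_bad = entry["last_success"], entry["last_failure"]
        entry["down"] = last_bad is not None and (last_ok is None or last_bad > last_ok)
        entry["quiet"] = last_ok is None or (now - last_ok) > quiet_after
    return sites


def sites_needing_attention(log_text, now):
    """Sorted list of sites flagged as down or quiet."""
    report = summarize(log_text, now)
    return sorted(s for s, e in report.items() if e["down"] or e["quiet"])


if __name__ == "__main__":
    for site, e in sorted(summarize(SAMPLE_LOG, REFERENCE_NOW).items()):
        print(
            f"{site}: daip_failures={e['daip_failures']} "
            f"last_success={e['last_success']} down={e['down']} quiet={e['quiet']}"
        )
```

A "quiet" site is not necessarily broken; with permanent tunnels configured as the FAQ recommends, a long quiet period on an otherwise healthy tunnel is itself the thing worth checking, since that is exactly the pattern the original poster reports on low-traffic branches.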
Thanks for the info. However, I cannot move to 7.5.x, as I am still on AI R55. I do plan to upgrade to NGX and 7.5, but not for several months at best. Also, can you provide more information on what is defined as a "permanent" tunnel? I believed that is what I currently have set up. I have established a VPN tunnel to the SmartCenter server, which is my main firewall. In the Edge Portal I have a VPN that was automatically called "Enterprise". Do I have to establish a second VPN to that same Firewall? -tn.
In your VPN community you can configure permanent VPN tunnels under 'Tunnel Management'. No.