CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: VPN drops *sometimes* when policy is pushed

  1. #1 (posted by DannyW)

    VPN drops *sometimes* when policy is pushed

    Good day all. I have an 8-location network, all connected by private, any-to-any MPLS. 7 of these locations connect to each other only via VPN, same community. The location where the management server is located does not use VPN to communicate with the other 7 sites. All gateways are R77.30 Gaia.

    I have noticed that at times, when policy is pushed to a location, either immediately or within a few minutes, that location becomes unreachable to our network polling machine (which is located at a location connected over VPN) for a few minutes (up to 10 minutes), and then self-heals. For a while I would chalk this up to the MPLS port going down into that location, but the last few times it happened, I connected to the management server and was able to connect to the "down" location immediately. So, it seems like this is definitely related to VPN.

    The next time this happens, what should I check on the gateway that is unreachable that may shed some light on this issue?

    Thanks.

    danny

  2. #2

    Re: VPN drops *sometimes* when policy is pushed

    Quote Originally Posted by DannyW (post #1 above)
    My guess is that the default flush of all IKE Phase 1 SAs upon policy push is causing this situation. If an IPsec Phase 2 tunnel happens to expire and the IKE Phase 1 tunnel is stuck or has not been re-established yet due to a recent policy push, this behavior can occur.

    Try checking the "keep IKE SAs" checkbox under Policy->Global Properties->SmartDashboard Customization->Configure->VPN Advanced Properties->VPN IKE properties. After setting this, bear in mind however that if you make a settings change to the properties of the IKE Phase 1 tunnel in the VPN Community, you will need to manually clear the IKE Phase 1 SA with vpn tu to make those changes take effect, since the IKE Phase 1 tunnel will no longer be restarted upon a policy push.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
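The timing race described in the reply, as an added example (Python, written for this page; it is not code from the thread and not Check Point software). It models the chain the reply lays out: a policy push flushes the IKE Phase 1 SA, the IPsec Phase 2 SA keeps forwarding until it expires, and a Phase 2 rekey needs a live Phase 1, so a peer whose Phase 2 expiry lands inside the Phase 1 recovery window loses traffic until Phase 1 is back. The Phase 2 lifetime (3600 s), the Phase 1 recovery delay and the peer timings are assumed values for illustration, not measurements from the poster's network. The model also shows why the symptom is intermittent: only peers whose Phase 2 expiry falls in that window are hit.

```python
"""Added example (not from the CPUG thread, not Check Point code).

Models the race the reply describes: a policy push flushes the IKE Phase 1
SA; the IPsec Phase 2 SA keeps forwarding until it expires; rekeying Phase 2
needs a live Phase 1, so if Phase 1 is still down (stuck, or not yet
re-established) when Phase 2 expires, traffic to that peer drops until
Phase 1 comes back.

Assumptions: the Phase 2 lifetime (3600 s) and the Phase 1 recovery delay
are illustrative values, not measurements.
"""
import math
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

P2_LIFETIME_S = 3600.0  # assumed IPsec Phase 2 SA lifetime (seconds)


@dataclass(frozen=True)
class Peer:
    name: str
    p2_established_at: float  # time the current Phase 2 SA was built (s)


def next_p2_expiry(peer: Peer, at: float) -> float:
    """Expiry time of the Phase 2 SA that is current at time `at`.

    Phase 2 SAs are assumed to be renewed back-to-back every P2_LIFETIME_S.
    """
    if at < peer.p2_established_at:
        raise ValueError("query time precedes SA establishment")
    cycles = math.floor((at - peer.p2_established_at) / P2_LIFETIME_S) + 1
    return peer.p2_established_at + cycles * P2_LIFETIME_S


def outage_window(peer: Peer, push_at: float, p1_recovery_s: float,
                  keep_ike_sas: bool) -> Optional[Tuple[float, float]]:
    """(start, end) of the outage to `peer` caused by a policy push at
    `push_at`, or None if the peer is unaffected.

    keep_ike_sas=True models the "keep IKE SAs" global property: Phase 1 is
    not flushed by the push, so a Phase 2 rekey always has a live Phase 1.
    """
    if keep_ike_sas:
        return None
    p1_back_at = push_at + p1_recovery_s          # Phase 1 re-established here
    p2_expires_at = next_p2_expiry(peer, push_at)  # Phase 2 needs a rekey here
    if p2_expires_at >= p1_back_at:
        return None  # Phase 1 is already back when Phase 2 needs rekeying
    return (p2_expires_at, p1_back_at)


def affected_peers(peers: Iterable[Peer], push_at: float, p1_recovery_s: float,
                   keep_ike_sas: bool) -> Dict[str, Tuple[float, float]]:
    """Map of peer name -> outage window for the peers that drop traffic."""
    result: Dict[str, Tuple[float, float]] = {}
    for peer in peers:
        window = outage_window(peer, push_at, p1_recovery_s, keep_ike_sas)
        if window is not None:
            result[peer.name] = window
    return result


def demo_peers() -> Tuple[Peer, ...]:
    """Constructed scenario: 7 VPN peers whose Phase 2 SAs were built at
    different offsets before a policy push at t=0 (not real data)."""
    offsets = [3500, 3000, 1800, 3599, 900, 200, 0]
    return tuple(Peer(f"site{i}", -float(o)) for i, o in enumerate(offsets, 1))


if __name__ == "__main__":
    # Phase 1 takes 600 s to come back (the "up to 10 minutes" in the post).
    print("flush on push:     ", affected_peers(demo_peers(), 0.0, 600.0, False))
    print("fast Phase 1 (30s):", affected_peers(demo_peers(), 0.0, 30.0, False))
    print("keep IKE SAs:      ", affected_peers(demo_peers(), 0.0, 600.0, True))
```

Running it with the constructed peers shows only the sites whose Phase 2 SA expires inside the 600 s recovery window (site1 at t=100, site4 at t=1) losing traffic, a shorter recovery window shrinking the affected set, and "keep IKE SAs" removing the outage entirely. The manual `vpn tu` clear the reply mentions after changing Phase 1 properties is outside this model.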
