CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: VPN Intermittent Connectivity

  1. #1
    Join Date
    2017-09-10
    Posts
    38
    Rep Power
    0

    VPN Intermittent Connectivity

    Hello Guys

    I have a 12,400 VSX appliance running Gaia R77.30. One of the VSs that I have in this appliance is for the L2L VPN tunnels. I have an L2L VPN tunnel with one of our vendors who has a Cisco firewall on their end. The tunnel is IKEv2.

    Now randomly the tunnel is failing with the errors "Peers Message is Unacceptable" or "Initial Exchange Sending Notification to peer: Invalid Key Exchange Payload". After I see this error in the logs, within a few seconds the tunnel is rekeying and establishing the connectivity by itself. But this is happening quite frequently and randomly. Can anyone please provide me with some suggestions on how I can resolve this particular problem?

    Thanks in advance.

    Ravi

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,216
    Rep Power
    13

    Re: VPN Intermittent Connectivity

    Quote Originally Posted by ravindra692
    Hello Guys

    I have a 12,400 VSX appliance running Gaia R77.30. One of the VSs that I have in this appliance is for the L2L VPN tunnels. I have an L2L VPN tunnel with one of our vendors who has a Cisco firewall on their end. The tunnel is IKEv2.

    Now randomly the tunnel is failing with the errors "Peers Message is Unacceptable" or "Initial Exchange Sending Notification to peer: Invalid Key Exchange Payload". After I see this error in the logs, within a few seconds the tunnel is rekeying and establishing the connectivity by itself. But this is happening quite frequently and randomly. Can anyone please provide me with some suggestions on how I can resolve this particular problem?

    Thanks in advance.

    Ravi
    Make sure the IKE Phase 1 lifetime (expressed in minutes) and IPSEC Phase 2 lifetime (expressed in seconds) match the settings on the Cisco end.

    Make sure the Cisco has their data lifesize set to an unreachably high value.

    Make sure the Cisco end does not have a VPN idle timer set, this setting is separate from the SA lifetime.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Join Date
    2006-09-26
    Posts
    3,149
    Rep Power
    15

    Re: VPN Intermittent Connectivity

    Quote Originally Posted by ShadowPeak.com
    Make sure the Cisco end does not have a VPN idle timer set, this setting is separate from the SA lifetime.
    How do you verify this on Cisco devices such as router or ASA? Which show commands?

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,216
    Rep Power
    13

    Re: VPN Intermittent Connectivity

    Quote Originally Posted by cciesec2006
    How do you verify this on Cisco devices such as router or ASA? Which show commands?
    It is in the group policy, set command is:

    vpn-idle-timeout none

    show command is:

    show run all group-policy | i vpn-idle

    vpn-idle-timeout none
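    The three checks in post #2 (Phase 1 and Phase 2 lifetimes match, no volume-based rekey on the Cisco side, no VPN idle timer) plus the show command in post #4 amount to an interop checklist. As an added example that is not from the thread, from Check Point or from Cisco, the Python script below parses a constructed ASA `show run all` excerpt and reports which checklist items fail, first against a mismatched configuration and then against the corrected one. The ASA keywords (`crypto ikev2 policy ... lifetime seconds`, `set security-association lifetime seconds|kilobytes`, `vpn-idle-timeout`) are real ASA syntax; the Check Point-side numbers, the peer address and the object names are constructed assumptions. It also converts the Check Point Phase 1 value from minutes to seconds, which is where a mismatch is easy to overlook.

```python
"""Interop checklist for a Check Point <-> Cisco ASA IPsec tunnel.

Added example (not from the thread). Encodes three checks: Phase 1 and
Phase 2 SA lifetimes match, volume-based rekey is disabled on the ASA,
and the group policy has no VPN idle timer. Values below are constructed.
"""
import re

# Check Point side, as entered in the GUI: Phase 1 in minutes, Phase 2 in
# seconds (constructed values: 24 h and 1 h).
CHECKPOINT = {"phase1_minutes": 1440, "phase2_seconds": 3600}

# Constructed ASA "show run all" excerpt with all three problems present.
ASA_BEFORE = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto map outside_map 10 match address vendor_acl
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
group-policy VENDOR_GP attributes
 vpn-idle-timeout 30
"""

# Same excerpt with the three fixes the thread recommends applied.
ASA_AFTER = (
    ASA_BEFORE.replace(" lifetime seconds 28800", " lifetime seconds 86400")
    .replace("lifetime kilobytes 4608000", "lifetime kilobytes unlimited")
    .replace(" vpn-idle-timeout 30", " vpn-idle-timeout none")
)


def parse_asa(config):
    """Pull the four checklist values out of an ASA running-config excerpt.

    Indented lines belong to the preceding top-level command (ikev2 policy
    and group-policy blocks); crypto map lines are one command each.
    """
    found = {"phase1_seconds": None, "phase2_seconds": None,
             "phase2_kilobytes": None, "vpn_idle_timeout": None}
    block = None
    for line in config.splitlines():
        line = line.rstrip()
        if not line.startswith(" "):
            block = line.strip()  # a top-level command opens a new block
        if block is None:
            continue
        if block.startswith("crypto ikev2 policy"):
            m = re.match(r"\s+lifetime seconds (\d+)$", line)
            if m:
                found["phase1_seconds"] = int(m.group(1))
        elif block.startswith("crypto map"):
            m = re.search(r"set security-association lifetime "
                          r"(seconds|kilobytes) (\S+)$", line)
            if m:
                unit, value = m.groups()
                key = "phase2_seconds" if unit == "seconds" else "phase2_kilobytes"
                found[key] = value if value == "unlimited" else int(value)
        elif block.startswith("group-policy") and block.endswith("attributes"):
            m = re.match(r"\s+vpn-idle-timeout (\S+)$", line)
            if m:
                v = m.group(1)
                found["vpn_idle_timeout"] = v if v == "none" else int(v)
    return found


def check_tunnel(checkpoint, asa):
    """Return one finding string per checklist item that does not match."""
    findings = []
    want_p1 = checkpoint["phase1_minutes"] * 60  # Check Point minutes -> seconds
    if asa["phase1_seconds"] != want_p1:
        findings.append(f"phase1 lifetime: Check Point {want_p1}s vs ASA "
                        f"{asa['phase1_seconds']}s")
    if asa["phase2_seconds"] != checkpoint["phase2_seconds"]:
        findings.append(f"phase2 lifetime: Check Point {checkpoint['phase2_seconds']}s "
                        f"vs ASA {asa['phase2_seconds']}s")
    if asa["phase2_kilobytes"] != "unlimited":
        findings.append(f"phase2 volume rekey: ASA kilobytes "
                        f"{asa['phase2_kilobytes']} (want unlimited)")
    idle = asa["vpn_idle_timeout"]
    if idle != "none":
        state = "not explicitly set" if idle is None else f"{idle} min"
        findings.append(f"vpn-idle-timeout: {state} (want none)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        print(f"== {label} ==")
        for f in check_tunnel(CHECKPOINT, parse_asa(cfg)) or ["all checks pass"]:
            print(" ", f)
```

    Run it as-is and the "before" config reports three findings (Phase 1 lifetime, volume rekey, idle timer) while Phase 2 passes; the "after" config reports none. To use it against a real tunnel, replace `ASA_BEFORE` with the output of `show run all` for the relevant policy, crypto map and group policy, and `CHECKPOINT` with the values from the VPN community.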

  5. #5
    Join Date
    2017-09-10
    Posts
    38
    Rep Power
    0

    Re: VPN Intermittent Connectivity

    Quote Originally Posted by ShadowPeak.com
    Make sure the IKE Phase 1 lifetime (expressed in minutes) and IPSEC Phase 2 lifetime (expressed in seconds) match the settings on the Cisco end.

    Make sure the Cisco has their data lifesize set to an unreachably high value.

    Make sure the Cisco end does not have a VPN idle timer set, this setting is separate from the SA lifetime.

    The lifetime timers for both the phases are a match. The volume rekey feature has been disabled on the Cisco side. I will check the VPN idle timer set on Cisco.

  6. #6
    Join Date
    2017-09-10
    Posts
    38
    Rep Power
    0

    Re: VPN Intermittent Connectivity

    Quote Originally Posted by ravindra692
    The lifetime timers for both the phases are a match. The volume rekey feature has been disabled on the Cisco side. I will check the VPN idle timer set on Cisco.
    I had to revert the tunnel back to IKEv1 to stabilize the connectivity.

  7. #7
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,216
    Rep Power
    13

    Re: VPN Intermittent Connectivity

    Quote Originally Posted by ravindra692
    I had to revert the tunnel back to IKEv1 to stabilize the connectivity.
    Thanks for the update, IKEv2 is still (relatively) new and can sometimes cause issues with interoperable VPNs.

  8. #8
    Join Date
    2006-09-26
    Posts
    3,149
    Rep Power
    15

    Re: VPN Intermittent Connectivity

    Quote Originally Posted by ShadowPeak.com
    Thanks for the update, IKEv2 is still (relatively) new and can sometimes cause issues with interoperable VPNs.
    New? It was released back in 2005. I wouldn't say it is "new". In Internet time, it is like an eternity :-(

  9. #9
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,216
    Rep Power
    13

    Re: VPN Intermittent Connectivity

    Quote Originally Posted by cciesec2006
    New? It was released back in 2005. I wouldn't say it is "new". In Internet time, it is like an eternity :-(
    True, however Check Point did not add support for IKEv2 until R71 circa 2010, and it really didn't start being commonly used until a few years later at least in my experience.
