Traffic stops passing at certain times over the Site to Site VPN between the Check Point Cluster in the High Availability mode and a 3rd party VPN peer
Solution ID: sk172926
Technical Level:
Product: IPSec VPN
Version: R80.20 (EOL), R80.30 (EOL), R80.40
Date Created: 11-Apr-2021
Last Modified: 12-Sep-2021
Symptoms
Site to Site VPN tunnel disconnects during IKEv2 renegotiation between the Check Point ClusterXL in the High Availability mode and a 3rd party VPN peer.
Traffic capture (or IKE debug) shows that when the 3rd party VPN peer sends the IKE "Child SA" packet, the Check Point ClusterXL responds with the "Invalid SPI" packet.
Traffic capture (or IKE debug) shows that the Check Point ClusterXL keeps sending the IKE Phase 2 "Child SA" packets with the SPI from the previous IKE negotiation.
The Site to Site VPN tunnel starts passing traffic again in these cases:
After deleting all IPsec+IKE SAs for a given peer on the Check Point ClusterXL in the "vpn tu" CLI menu.
After waiting for 20-30 minutes (depending on the VPN configuration).
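The two capture symptoms above (a Child SA rekey answered with an INVALID_SPI notification, followed by further rekey attempts that still carry the previous IKE SA's SPIs) can be checked mechanically in decrypted IKE traffic. The Python below is an added example, not Check Point tooling or output from this SK: it parses the IKEv2 fixed header and payload chain from RFC 7296, then walks a constructed message sequence and reports CREATE_CHILD_SA requests that were answered with INVALID_SPI on the same IKE SA, plus any later CREATE_CHILD_SA request that reuses that IKE SPI pair. It assumes payloads are already in clear, as in an IKE debug or a decrypted capture; in a live capture they sit inside the Encrypted (SK) payload. The SPI values, message IDs and the stale ESP SPI are constructed.

```python
import struct
from dataclasses import dataclass

# IKEv2 constants (RFC 7296).
EXCH_CREATE_CHILD_SA = 36
EXCH_INFORMATIONAL = 37
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 41
NOTIFY_INVALID_SPI = 11
FLAG_INITIATOR = 0x08      # I bit: sender was the original IKE SA initiator
FLAG_RESPONSE = 0x20       # R bit: this message is a response
IKEV2_VERSION = 0x20       # major 2, minor 0

# Fixed header: SPIi, SPIr, next payload, version, exchange type, flags, message ID, length (28 bytes).
HEADER = struct.Struct("!QQBBBBII")
# Generic payload header: next payload, critical bit + reserved, payload length.
GENERIC_PAYLOAD = struct.Struct("!BBH")
# Notify payload fixed part: protocol ID, SPI size, notify message type.
NOTIFY_FIXED = struct.Struct("!BBH")


@dataclass
class IkeMessage:
    spi_i: int
    spi_r: int
    exchange: int
    is_response: bool
    msg_id: int
    notifies: list  # notify message types found in the payload chain


def parse_ikev2(raw: bytes) -> IkeMessage:
    """Parse the IKEv2 header and collect notify types from the (cleartext) payload chain."""
    spi_i, spi_r, ptype, version, exch, flags, msg_id, length = HEADER.unpack_from(raw, 0)
    if version >> 4 != 2 or length != len(raw):
        raise ValueError("not a well-formed IKEv2 message")
    notifies, offset = [], HEADER.size
    while ptype != PAYLOAD_NONE:
        if offset + GENERIC_PAYLOAD.size > len(raw):
            raise ValueError("payload chain runs past end of message")
        next_ptype, _crit, plen = GENERIC_PAYLOAD.unpack_from(raw, offset)
        if plen < GENERIC_PAYLOAD.size or offset + plen > len(raw):
            raise ValueError("bad payload length")
        if ptype == PAYLOAD_NOTIFY:
            _proto, _spi_size, ntype = NOTIFY_FIXED.unpack_from(raw, offset + GENERIC_PAYLOAD.size)
            notifies.append(ntype)
        offset, ptype = offset + plen, next_ptype  # other payload types are skipped by length
    return IkeMessage(spi_i, spi_r, exch, bool(flags & FLAG_RESPONSE), msg_id, notifies)


def build_ikev2(spi_i, spi_r, exchange, flags, msg_id, payloads=()):
    """Serialise a message; payloads is a sequence of (payload type, body) tuples."""
    body, first = b"", PAYLOAD_NONE
    for i, (ptype, pbody) in enumerate(payloads):
        if i == 0:
            first = ptype
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += GENERIC_PAYLOAD.pack(nxt, 0, GENERIC_PAYLOAD.size + len(pbody)) + pbody
    return HEADER.pack(spi_i, spi_r, first, IKEV2_VERSION, exchange, flags, msg_id,
                       HEADER.size + len(body)) + body


def invalid_spi_notify(stale_esp_spi: bytes) -> tuple:
    # INVALID_SPI carries the unknown ESP/AH SPI in the notification data.
    return (PAYLOAD_NOTIFY, NOTIFY_FIXED.pack(0, 0, NOTIFY_INVALID_SPI) + stale_esp_spi)


def find_stale_spi_rekeys(messages):
    """Walk parsed messages in capture order and report:
    ('invalid_spi_on_rekey', i, sa): the CREATE_CHILD_SA request at index i was
        answered on the same IKE SA with an INVALID_SPI notify;
    ('rekey_retry_after_invalid_spi', i, sa): a later CREATE_CHILD_SA request at
        index i still uses that IKE SA, i.e. the stale-SPI retry described in the symptoms.
    """
    findings, pending, poisoned = [], {}, set()
    for idx, m in enumerate(messages):
        sa = (m.spi_i, m.spi_r)
        if m.exchange == EXCH_CREATE_CHILD_SA and not m.is_response:
            if sa in poisoned:
                findings.append(("rekey_retry_after_invalid_spi", idx, sa))
            pending[sa] = idx
        elif NOTIFY_INVALID_SPI in m.notifies and sa in pending:
            findings.append(("invalid_spi_on_rekey", pending.pop(sa), sa))
            poisoned.add(sa)
        elif m.exchange == EXCH_CREATE_CHILD_SA and m.is_response:
            pending.pop(sa, None)  # rekey completed normally
    return findings


def constructed_capture():
    """Constructed sample sequence (not a real capture): SA_OK rekeys cleanly;
    SA_BAD gets INVALID_SPI and is then retried twice with the old IKE SPIs."""
    SA_OK = (0x1111111111111111, 0x2222222222222222)
    SA_BAD = (0xAAAAAAAAAAAAAAAA, 0xBBBBBBBBBBBBBBBB)
    return [
        build_ikev2(*SA_OK, EXCH_CREATE_CHILD_SA, FLAG_INITIATOR, 3),
        build_ikev2(*SA_OK, EXCH_CREATE_CHILD_SA, FLAG_RESPONSE, 3),
        build_ikev2(*SA_BAD, EXCH_CREATE_CHILD_SA, FLAG_INITIATOR, 5),
        build_ikev2(*SA_BAD, EXCH_INFORMATIONAL, FLAG_RESPONSE, 5,
                    [invalid_spi_notify(b"\xde\xad\xbe\xef")]),  # constructed stale ESP SPI
        build_ikev2(*SA_BAD, EXCH_CREATE_CHILD_SA, 0, 6),  # retries from the other side (no R bit)
        build_ikev2(*SA_BAD, EXCH_CREATE_CHILD_SA, 0, 7),
    ]


if __name__ == "__main__":
    msgs = [parse_ikev2(raw) for raw in constructed_capture()]
    for kind, idx, (spi_i, spi_r) in find_stale_spi_rekeys(msgs):
        print(f"{kind}: message #{idx} on IKE SA {spi_i:016x}/{spi_r:016x}")
```

Run against a real IKE debug, the same logic would take the decrypted messages in arrival order; a single INVALID_SPI followed by a clean re-negotiation is normal recovery, while repeated CREATE_CHILD_SA requests on an IKE SA that has already drawn INVALID_SPI is the pattern this SK describes and is worth alerting on before the 20-30 minute self-recovery.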
Cause
The cluster does not delete the IKE SA correctly during the cluster synchronization.