Site-to-Site VPN Tunnel with a Dynamically Assigned IP (DAIP) SMB Appliance breaks when there is an ISP Redundancy link failover
Symptoms
  • The Site-to-Site VPN tunnel between a Check Point Security Gateway and an SMB Appliance running Gaia Embedded OS breaks in this configuration scenario:

    1. The Security Gateway connects to the Internet with one interface.
    2. The SMB Appliance connects to the Internet through ISP Redundancy:
      • ISP Redundancy is configured in the Primary/Backup mode.
      • The Primary link interface gets a dynamically assigned public IP address (DAIP).
      • The Backup link interface gets a dynamically assigned private IP address, located behind NAT (DAIP).
    3. The SMB Appliance is managed with SmartProvisioning.
    4. An ISP Redundancy failover occurs on the SMB Appliance from the Primary link to the Backup link, or a fallback to the Primary link.
Cause

The Quantum Spark Appliance does not reset the Site-to-Site VPN tunnel automatically after failover between ISP Redundancy links when the VPN tunnel uses NAT-T.

Traffic can still pass after a failover from one ISP Redundancy link to the other, because the existing IPsec SAs remain valid. However, when the Quick Mode renegotiation occurs without a Main Mode preceding it, the VPN Center Gateway cannot resolve the IP address of the Dynamically Assigned IP (DAIP) peer and returns an IKE error.

The VPN Center Gateway drops Quick Mode Packet 1 with the error "INVALID-ID-INFORMATION".
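The sequence described in the Cause section can be modelled in a few lines. The following Python is an added illustration, not Check Point code and not a description of how the Gaia or Embedded OS IKE daemon is implemented: it is a simplified "center gateway" that binds a DAIP peer to its current source address only during IKE Main Mode, forwards ESP by SPI regardless of source address (so traffic keeps flowing right after the failover), and rejects a Quick Mode Packet 1 that arrives from an address it has never seen in Main Mode. The IP addresses, peer name and SPI are constructed sample values.

```python
"""Simplified model of the DAIP / ISP Redundancy failover failure mode.

Added illustration, not vendor code.  Models the observation on the page:
after a failover the peer's packets arrive from a new source address; ESP
still works (SAs are looked up by SPI), but a Quick Mode without a preceding
Main Mode is rejected because the center has no Phase 1 binding for the new
address.  A tunnel reset (fresh Main Mode) restores a working Phase 2.
"""
from dataclasses import dataclass, field

INVALID_ID_INFORMATION = "INVALID-ID-INFORMATION"


@dataclass
class CenterGateway:
    # Phase 1 (Main Mode) bindings keyed by the peer's source IP as seen by the
    # center.  A DAIP peer has no fixed IP, so this is the only place the
    # center learns "which peer is behind this address".
    phase1_by_src: dict = field(default_factory=dict)
    # Inbound IPsec SAs keyed by SPI; source address is not part of the lookup.
    ipsec_by_spi: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def main_mode(self, src_ip: str, peer_id: str) -> str:
        # Main Mode authenticates the peer and binds its identity to src_ip.
        self.phase1_by_src[src_ip] = peer_id
        self.log.append(f"MM ok: {peer_id} bound to {src_ip}")
        return "OK"

    def quick_mode_packet1(self, src_ip: str, spi: int) -> str:
        # Quick Mode is only meaningful on top of an existing Phase 1 binding.
        peer_id = self.phase1_by_src.get(src_ip)
        if peer_id is None:
            self.log.append(f"QM packet 1 from {src_ip} dropped: {INVALID_ID_INFORMATION}")
            return INVALID_ID_INFORMATION
        self.ipsec_by_spi[spi] = peer_id
        self.log.append(f"QM ok: {peer_id} at {src_ip}, inbound SPI {spi:#x}")
        return "OK"

    def esp_packet(self, src_ip: str, spi: int) -> str:
        # ESP is matched by SPI, so a changed source address alone is fine.
        peer_id = self.ipsec_by_spi.get(spi)
        if peer_id is None:
            self.log.append(f"ESP SPI {spi:#x} from {src_ip} dropped: unknown SA")
            return "DROP"
        self.log.append(f"ESP SPI {spi:#x} from {src_ip} accepted for {peer_id}")
        return "FORWARD"


def simulate_failover(reset_tunnel_after_failover: bool) -> dict:
    """Run the scenario once; return the outcome of each step."""
    gw = CenterGateway()
    peer = "smb-branch-01"            # constructed peer identity
    primary_ip = "198.51.100.10"      # constructed: DAIP on the Primary link
    backup_nat_ip = "203.0.113.7"     # constructed: NAT address on the Backup link
    spi = 0x1A2B3C4D                  # constructed SPI

    # Normal operation on the Primary link: Main Mode, then Quick Mode.
    gw.main_mode(primary_ip, peer)
    before = gw.quick_mode_packet1(primary_ip, spi)

    # ISP Redundancy failover: the peer now sources from the Backup NAT address.
    # Existing IPsec SA still carries traffic.
    traffic_after = gw.esp_packet(backup_nat_ip, spi)

    if reset_tunnel_after_failover:
        # A tunnel reset forces a fresh Main Mode from the new address.
        gw.main_mode(backup_nat_ip, peer)

    # Phase 2 rekey from the new address.
    rekey = gw.quick_mode_packet1(backup_nat_ip, spi + 1)
    return {"before": before, "traffic_after_failover": traffic_after,
            "rekey_after_failover": rekey, "log": gw.log}


if __name__ == "__main__":
    for reset in (False, True):
        result = simulate_failover(reset)
        print(f"reset_tunnel_after_failover={reset}: rekey -> {result['rekey_after_failover']}")
        for line in result["log"]:
            print("  ", line)
```

Running the module prints both variants of the log: without a reset, ESP is forwarded after the failover but the rekey is dropped with INVALID-ID-INFORMATION; with a Main Mode after the failover, the rekey succeeds.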


Solution