How to Troubleshoot Check Point Firewall VPN Connection

In this example the tunnel between GWA (Gateway A) and GWB (Gateway B) is down. Both gateways could be managed by the same management server, or different ones. Both could be Check Point firewalls, or one could be another brand. Since at least one gateway needs to be a Check Point gateway managed by us, in this example this is GWA. GWB can either be another one of our gateways or an external one.

Let’s see what SmartView Monitor has to say about the tunnel. (Viewing VPN tunnels in SmartView Monitor requires a monitoring license installed on the management server, and enabled on the gateway itself.)

Open SmartView Monitor and go to “Tunnels on Gateway”. First select GWA in the list and review whether the tunnel in question is UP, DOWN or Up – Init. Up – Init means that the gateway is trying to establish the tunnel, and will probably mean that in a few seconds the tunnel will go to the DOWN state or the UP state. Now go to “Tunnels on Gateway” again and select GWB (if both gateways are managed by the same management server).

One issue we could see here is, for example, that the tunnel is UP from GWA’s perspective but DOWN from GWB’s perspective. If “Permanent tunnel” is activated on the VPN community (both gateways need to be Check Point), the gateways will exchange UDP tunnel test packets (Name: tunnel_test, UDP/18234). If GWA does not receive these packets, it will think the tunnel is down. So we could be in a situation where packets from GWA to GWB arrive, but not in the opposite direction (GWB to GWA). We will then see that the tunnel looks to be up from one side, but not from the other. The reason for this is packets lost in transit, maybe due to DDoS protections, routing on the internet or other issues. If we have a tunnel from our Check Point gateway (GWA) to a non-Check Point gateway (GWB), we cannot use permanent tunnels. This means that the tunnel will be down, and will not appear in this list until traffic is sent into it. So the reason it is down could be as simple as no traffic having been sent into the tunnel. Another issue could arise if GWB is not a Check Point gateway, but the permanent tunnel is activated anyway. The tunnel will then show as down from GWA’s perspective, since GWA assumes that GWB will send the tunnel test packets.

Sort traffic with GWA as source and GWB as destination. Then also check the other way around, GWA as destination and GWB as source. Here we could see, for example, if the PSK (pre-shared key) is incorrect, or if IKE packets are dropped.
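The asymmetric tunnel_test scenario and the IKE-drop check described above, as an added example that is not part of the original article or of any Check Point tooling. It reads a constructed, simplified per-packet log (merged from both gateways; the format, the placeholder addresses and the 10.0.0.1/10.0.1.1 roles as GWA/GWB are assumptions) and reports each gateway's view of the permanent tunnel plus dropped IKE packets per direction.

```python
import re
from collections import Counter

# Constructed, simplified per-packet log (not real Check Point log output):
# "src dst proto/port action". GWA is 10.0.0.1 and GWB is 10.0.1.1 (placeholders).
SAMPLE_LOG = """\
10.0.0.1 10.0.1.1 udp/18234 accept
10.0.0.1 10.0.1.1 udp/18234 accept
10.0.1.1 10.0.0.1 udp/18234 drop
10.0.1.1 10.0.0.1 udp/18234 drop
10.0.0.1 10.0.1.1 udp/500 accept
10.0.1.1 10.0.0.1 udp/500 drop
"""

TUNNEL_TEST = "udp/18234"              # Check Point tunnel_test service
IKE_SERVICES = {"udp/500", "udp/4500"}  # IKE, and IKE over NAT-T
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(accept|drop)$")

def parse_log(text):
    """Yield (src, dst, service, action); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def tunnel_views(text, gwa, gwb):
    """A gateway marks a permanent tunnel UP only if it receives tunnel_test
    from its peer, so one-way loss (or a peer that never sends tunnel_test,
    e.g. a non-Check Point GWB) gives UP on one side and DOWN on the other."""
    received = Counter()
    for src, dst, svc, action in parse_log(text):
        if svc == TUNNEL_TEST and action == "accept":
            received[(src, dst)] += 1
    return {gwa: "UP" if received[(gwb, gwa)] else "DOWN",
            gwb: "UP" if received[(gwa, gwb)] else "DOWN"}

def dropped_ike(text, gwa, gwb):
    """Count dropped IKE packets in each direction between the two peers."""
    drops = {f"{gwa}->{gwb}": 0, f"{gwb}->{gwa}": 0}
    for src, dst, svc, action in parse_log(text):
        key = f"{src}->{dst}"
        if svc in IKE_SERVICES and action == "drop" and key in drops:
            drops[key] += 1
    return drops

if __name__ == "__main__":
    print(tunnel_views(SAMPLE_LOG, "10.0.0.1", "10.0.1.1"))
    print(dropped_ike(SAMPLE_LOG, "10.0.0.1", "10.0.1.1"))
```

With the sample log, GWB receives GWA's tunnel_test packets and reports UP while GWA receives none and reports DOWN, and one dropped IKE packet from GWB to GWA is flagged for the reverse-direction check.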