Check Point Alert of the Week: VPN phase two lifetime mismatch with a VPN peer

This is a real life sample alert from indeni.

Description:

The phase two life time values used by this device and by some of its peers are different. This may cause VPN tunnels to fail after some time has passed from the moment they were set up. It is important to ensure the life time values are equal at both VPN peers for this phase. Note that for the purpose of generating this alert, indeni analyzes the ikemonitor.snoop file.

Affected VPN Peers:

185.4.17.147:
The duration value for the number of SECONDS for which to wait before refreshing the tunnel in this phase is different between this device and its peer. The peer’s value is 86400 and this device’s value is 28800.

Manual Remediation Steps:

Make sure the configuration for the phase two lifetime is a match between this device and its peers.

Read Cisco’s document on this and a Check Point forums thread for more information.

How does this alert work?

indeni checks to see if the IKE traffic is being captured to the ikemonitior.snoop file (this is turned on with “vpn debug mon”). If it is, the snoop file is pulled from the device and analyzed. indeni will parse the packets for both sides of the VPN negotiation and will attempt to determine if a certain parameter in the configuration is causing a problem with the tunnel’s stability.

Leave a Reply