Firewall-1

Re: [FW-1] GRE/IPIP tunnels stop working

Subject: Re: [FW-1] GRE/IPIP tunnels stop working
From: "Hayes, John" <John.Hayes AT ACNIELSEN.CO DOT UK>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 17 Nov 2004 08:27:40 -0000

Hi Pete,

We have the same configuration and the same problem.
I have tracked it down to whenever the base.def changes (e.g. mgt
version upgrades/hot fixes, changes to implied rules, SmartDefense).
The next policy push after the change kills the GRE tunnel.
Disabling both ends of the GRE tunnel for 10 minutes will allow it to
come back, so will restarting the firewall software on the gateway.

I've seen it with FP3 and NGAI R55 all hotfixes.
I had a call open with Checkpoint for months but they never managed to
fix it.

If you manage to find a solution please let me know.

Thanks

John

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Peter
Goodridge
Sent: 16 November 2004 14:56
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] GRE/IPIP tunnels stop working

Hi,

We have multiple sites with both firewalls, and WAN
connections.  We run GRE tunnels between Cisco WAN
routers over the Checkpoint VPN as a failover for when
the WAN goes down.

This all works fine.  However, every couple of weeks
the VPN starts dropping the tunnel traffic.  If we
change from GRE encapsulation to IPIP encapsulation it
starts working again.  However, in a few weeks the
tunnels will start dropping the IPIP traffic, and we
switch back to GRE and are good to go for a while
again.

This started happening sometime after we upgraded to
FP3 from version 4.1.  We are currently running AI R55
on Linux platforms.  The error in the log when this
happens is usually "no valid SA".  When the tunnel
traffic is being dropped we can ping to/from exactly
the same IP addresses and the ICMP is
encrypted/decrypted just fine.

Any ideas?

THX,
Pete Goodridge


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
