[vpn-help] Checkpoint Edge 8.0.36x 15 min VPN timeout issue

Matthew Grooms mgrooms at shrew.net
Mon Apr 19 22:44:32 CDT 2010


On 3/31/2010 11:44 AM, Chris Martin wrote:
> I have been testing the Shrew VPN on Windows Vista 64 bit and the VPN
> works great for 15 Min then it stops passing the Traffic between the
> Client and the Checkpoint Embedded VPN.
>
> Any ideas as to why the VPN client will connect and work for 15 min, then
> stay connected to the tunnel but stop sending the packets encrypted
> every 15 min?
>

What leads you to believe that the client isn't sending encrypted 
traffic anymore? Did you monitor the SA in the VPN trace program to see 
if the byte counters are increasing for outbound traffic? If so, the 
client is still sending encrypted traffic, the gateway just stopped 
processing it for some reason. Have you had a look at the log output on 
the gateway or the client to see if any events coincide with the 
interruption of your traffic?

>
> This is what Checkpoint thinks may be the issue:
>
> Symptoms
>
>     * When Security Gateway uses DHCP server to provide Office Mode IPs,
>       Endpoint Connect client disconnects after 15 minutes.
>     * The following Endpoint Connect log message is displayed: "remote
>       access client IP address and port were changed"
>     * Users may also see the Endpoint Connect log message: "This
>       machine's IP can only be used with Office Mode. Please try to
>       connect using Office Mode."
>
> Cause
>
> The 3rd Party DHCP server IP lease time is set to 15 minutes. This time is
> less than the IKE Phase1 Renegotiation time period.
>
> Solution
>
> Configure the 3rd Party DHCP server IP lease time to be equivalent to the IKE
> Phase1 Renegotiation time period.
>
> Here is what the IKE renegotiation is
>
> Ike Renegotiation time is 1440 seconds / 24 min (page 644 of users guide)
>

I'm not an expert on how the Checkpoint servers interact with DHCP 
servers for address allocation. Sounds feasible. Are you using an 
external source for address assignment? What is the lease time for the 
address pool being drawn from?

-Matthew
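An added example (not from either poster) that turns the two diagnostic points in this thread into a small Python triage script: the Checkpoint KB's condition (DHCP lease shorter than the IKE Phase 1 lifetime, 900 s vs 1440 s here) and Matthew's suggestion to watch the SA byte counters to tell "client stopped sending" from "gateway stopped processing". The counter samples are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class SaSample:
    t: int          # seconds since the tunnel came up
    out_bytes: int  # outbound (encrypted) byte counter on the client SA
    in_bytes: int   # inbound byte counter on the client SA


def lease_conflicts_with_ike(lease_s: int, ike_phase1_s: int) -> bool:
    """The KB's cause: a DHCP lease shorter than the Phase 1 renegotiation period."""
    return lease_s < ike_phase1_s


def classify_stall(samples: list[SaSample]) -> tuple[str, int | None]:
    """Find the first interval in which traffic stops flowing.

    Returns ("gateway_dropped", t) when the outbound counter keeps growing but
    inbound stops (client still sends encrypted traffic, gateway stopped
    answering), ("client_stopped", t) when the outbound counter itself froze,
    or ("ok", None) if both directions moved throughout.
    """
    for prev, cur in zip(samples, samples[1:]):
        out_grew = cur.out_bytes > prev.out_bytes
        in_grew = cur.in_bytes > prev.in_bytes
        if out_grew and not in_grew:
            return "gateway_dropped", cur.t
        if not out_grew and not in_grew:
            return "client_stopped", cur.t
    return "ok", None


def near_lease_boundary(t: int, lease_s: int, slack_s: int = 120) -> bool:
    """True if the stall time t lies within slack_s of a DHCP lease expiry."""
    rem = t % lease_s
    return min(rem, lease_s - rem) <= slack_s


# Constructed counters: both directions grow until ~15 min, then only outbound does.
SAMPLES = [SaSample(0, 0, 0), SaSample(300, 40_000, 38_000), SaSample(600, 81_000, 77_000),
           SaSample(900, 120_000, 115_000), SaSample(960, 131_000, 115_000),
           SaSample(1020, 142_000, 115_000)]

if __name__ == "__main__":
    print("lease < IKE P1 lifetime:", lease_conflicts_with_ike(900, 1440))
    verdict, t = classify_stall(SAMPLES)
    print(verdict, t, "near lease boundary:" , t is not None and near_lease_boundary(t, 900))
```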
