CheckPoint/Amazon VPC VPN tunnel working inconsistently

Posted by Lee on Server Fault
Published on 2013-07-16T20:02:08Z Indexed on 2013/11/07 3:59 UTC


First time poster, so please be gentle and correct me if there's Server Fault etiquette I'm missing.


We have two CheckPoint edge devices at sites A & B, independently managed, connecting to two Amazon private clouds. In both cases, the two Amazon VPCs are in the same community on the CheckPoint device. A VPN tunnel exists between the two CheckPoint devices as well.

Between Sites A & B and the Amazon VPC in Northern Virginia, we are unable to keep more than one tunnel up. Both will come up, but tunnel 2 will drop an hour after initiation and will not come back up while tunnel 1 is up. We believe the 1-hour period is due to IPsec phase 2 renegotiation, but can't be sure. On our side, we see the tunnel 2 remote endpoint as not responding to phase 2 negotiation.

Between Sites A & B and the Amazon VPC in Oregon, we have no issues. Both tunnels are up and fail over properly.

The CheckPoint gateways are using domain-based VPNs. According to CheckPoint's advice to Amazon, this won't work. Yet, in Oregon, it does.

We've pursued this with Amazon and, despite the fact it's working in Oregon, they've refused to troubleshoot with us further.

Can anyone suggest anything we can do to try to get this stabilized? Going to route-based VPNs is not an option for us.

© Server Fault or respective owner
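The poster suspects the hour-long cycle is phase 2 (IPsec SA) rekeying. One way to test that hypothesis before opening a case is to pull the tunnel up/down events out of the gateway logs and check whether every completed "up" period of the failing tunnel ends close to the peer's SA lifetime; AWS Site-to-Site VPN uses a 3600-second phase 2 lifetime by default, which is exactly the interval described. The script below is an added example, not code from the post or from CheckPoint or Amazon. The event line format and the timestamps are constructed for illustration (the poster's real gateway logs will look different and need their own regex), and the 60-second tolerance is an assumption.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed sample events, not real CheckPoint or AWS log output.
# They mirror the symptom in the post: tunnel 2 drops ~1h after coming up,
# and only returns once tunnel 1 has gone down.
SAMPLE_EVENTS = """\
2013-07-16T18:00:00Z tunnel=1 state=up
2013-07-16T18:00:05Z tunnel=2 state=up
2013-07-16T19:00:07Z tunnel=2 state=down
2013-07-16T21:30:00Z tunnel=1 state=down
2013-07-16T21:30:02Z tunnel=2 state=up
2013-07-16T22:30:04Z tunnel=2 state=down
"""

# AWS Site-to-Site VPN default phase 2 (IPsec SA) lifetime is 3600 seconds.
AWS_PHASE2_LIFETIME = timedelta(seconds=3600)
# Assumed slack for rekey timers and log timestamp jitter (illustrative value).
TOLERANCE = timedelta(seconds=60)

# Assumed event format: "<ISO-8601 UTC timestamp> tunnel=<n> state=up|down".
EVENT_RE = re.compile(r"^(\S+)\s+tunnel=(\d+)\s+state=(up|down)$")


def parse_events(text):
    """Parse event lines into a chronologically sorted list of (ts, tunnel, state)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised event line: {line!r}")
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, int(m.group(2)), m.group(3)))
    events.sort(key=lambda e: e[0])
    return events


def up_durations(events):
    """Return {tunnel: [seconds spent up in each completed up->down cycle]}.

    A tunnel that is still up at the end of the log contributes no duration,
    so the analysis only counts cycles that actually ended in a drop.
    """
    up_since = {}
    durations = {}
    for ts, tunnel, state in events:
        durations.setdefault(tunnel, [])
        if state == "up":
            up_since[tunnel] = ts
        elif tunnel in up_since:
            durations[tunnel].append(int((ts - up_since.pop(tunnel)).total_seconds()))
    return durations


def lifetime_suspects(durations, lifetime=AWS_PHASE2_LIFETIME, tolerance=TOLERANCE):
    """Tunnels whose every completed up period ends within `tolerance` of `lifetime`.

    A tunnel listed here dropped on the SA rekey boundary each time, which is
    consistent with (but does not by itself prove) a failed phase 2 renegotiation.
    """
    target = int(lifetime.total_seconds())
    tol = int(tolerance.total_seconds())
    return sorted(
        tunnel for tunnel, ds in durations.items()
        if ds and all(abs(d - target) <= tol for d in ds)
    )


if __name__ == "__main__":
    durations = up_durations(parse_events(SAMPLE_EVENTS))
    for tunnel, ds in sorted(durations.items()):
        print(f"tunnel {tunnel}: up periods (s) = {ds}")
    print("tunnels dropping on the phase 2 lifetime boundary:", lifetime_suspects(durations))
```

On the constructed input, tunnel 1 stays up for 12600 seconds and is not flagged, while both of tunnel 2's up periods last 3602 seconds, so only tunnel 2 is reported. A match like this supports the rekey theory enough to justify capturing IKE negotiation debug output around the next expected rekey, which is the evidence a vendor will actually act on; it does not identify which side failed to respond.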
