Lan-to-lan tunnel VPN 3020 problems

Mar 14th, 2007
I have a lan-to-lan tunnel between two sites working well, but I have an intermittent problem when we connect more than one person from one site (VPN3020) to the same server in the other site (Checkpoint). The tunnel remains ok but there is no application traffic (in an intermittent way). I saw in the VPN logs that there is a continuous renegotiation of phase 2 just when the problem appears (in the file attached). This log is repeated the same every second. The tunnel is ok on both sides and there is no problem when it is used by only one person.



bwalchez Tue, 03/20/2007 - 07:08
Check with your internet provider whether there is any CAR applied to your internet connection that pertains to bandwidth.

kaachary Wed, 03/21/2007 - 16:19
User Badges: Cisco Employee

Most probably the network list on the concentrator does not fully match the encryption domain configured on the Checkpoint.


If the Checkpoint is configured on a host basis and your network list is subnet based, you will run into these issues.


*Please rate if helped.


-Kanishka

isa-aston-03 Mon, 07/30/2007 - 03:40
Is this thread still active or did you find a solution? I have just had this problem myself and now have a working VPN.

srivero Mon, 07/30/2007 - 04:36
I didn't find a solution. I have a Check Point firewall and I had to move my Lan to Lan tunnel from the Cisco VPN to the firewall, where the tunnel works correctly. If you found a solution, please tell me. Thanks.

isa-aston-03 Mon, 07/30/2007 - 05:30
The VPN was failing to initialise in phase two.


The Checkpoint was configured not to autosummarise networks. Both ends had EXACTLY the same networks defined - this is where the problem lay. We had a supernet at each end of the VPN, e.g.:


Cisco

(End A) - 10.10.10.0 / 255.255.254.0


CPnt (security domain)

(End B) - 10.10.20.0 / 255.255.254.0


So according to instructions, configure the EXACT same networks at each end:


In Cisco VPN


local network 10.10.10.0 / 0.0.1.255 (wildcard mask)


remote network 10.10.20.0 / 0.0.1.255


Now, when the IKE negotiation takes place, the Checkpoint end fails it, because it breaks the supernetted networks down into individual class Cs.


I configured the Cisco VPN to use networks:


local networks

10.10.10.0 / 255.255.255.0

10.10.11.0 / 255.255.255.0


remote networks

10.10.20.0 / 255.255.255.0

10.10.21.0 / 255.255.255.0


Once I'd done that, both ends could initiate the VPN and it came up stable.


Hope this helps, let me know how you get on.
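The mismatch both replies describe (Kanishka's host-basis versus subnet-basis case, and the /23 versus two-/24s case in the post above) can be checked offline before touching either box. The script below is an added example and is not from the thread or from either vendor: it converts Cisco "address / wildcard-mask" entries to networks, emulates a peer that splits supernets into /24 (or, for a host-based encryption domain, /32) proxy IDs, and lists which proxy IDs one side proposes that the other will never accept. The "break supernets into class Cs" behaviour is taken from the post above, not from Checkpoint documentation, so the split prefix is an assumption you should set to match what your peer actually proposes.

```python
"""Compare two IPsec peers' encryption domains (phase 2 proxy IDs).

Added example, not from the thread. The peer emulation (splitting
supernets into /24s or /32s) follows the behaviour described in the
thread and is an assumption, not documented vendor behaviour.
"""
import ipaddress
from typing import Dict, Iterable, Set

Net = ipaddress.IPv4Network


def cisco_to_network(address: str, wildcard: str) -> Net:
    """Convert Cisco 'address / wildcard-mask' notation to a network.

    e.g. 10.10.10.0 / 0.0.1.255 -> 10.10.10.0/23. The wildcard has 1-bits
    over the host part and must be a contiguous run of low bits.
    strict=True raises if the address has host bits set, which is itself a
    common network-list typo worth catching.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # contiguous low 1-bits <=> wc+1 is a power of two
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix = 32 - wc.bit_length()
    return Net(f"{address}/{prefix}", strict=True)


def parse_domain(entries: Iterable[str]) -> Set[Net]:
    """Parse 'network/netmask' or 'network/prefix' entries (Checkpoint style)."""
    return {Net(e.replace(" ", ""), strict=True) for e in entries}


def split_supernets(domain: Set[Net], new_prefix: int = 24) -> Set[Net]:
    """Emulate a peer that proposes one proxy ID per /new_prefix in each supernet.

    The thread's Checkpoint broke a /23 into two class C (/24) proxy IDs;
    a host-based encryption domain corresponds to new_prefix=32.
    """
    out: Set[Net] = set()
    for net in domain:
        if net.prefixlen < new_prefix:
            out.update(net.subnets(new_prefix=new_prefix))
        else:
            out.add(net)
    return out


def compare_domains(side_a: Set[Net], side_b: Set[Net]) -> Dict[str, object]:
    """Return the proxy IDs each side proposes that the other side lacks.

    Anything in only_a or only_b is a proxy ID the remote will reject; with
    several hosts in play that looks like the original post: some flows match
    an SA, others trigger a phase 2 renegotiation every second and never pass.
    """
    return {
        "match": side_a == side_b,
        "only_a": sorted(side_a - side_b),
        "only_b": sorted(side_b - side_a),
    }


def thread_example() -> Dict[str, bool]:
    """Replay the before/after configurations from the thread (values as posted)."""
    # Checkpoint side: one /23 per end in its config, broken into /24s on the wire.
    checkpoint_local = split_supernets(parse_domain(["10.10.20.0/255.255.254.0"]))
    checkpoint_remote = split_supernets(parse_domain(["10.10.10.0/255.255.254.0"]))

    # Cisco before the fix: wildcard notation, supernet proposed whole.
    cisco_local_before = {cisco_to_network("10.10.10.0", "0.0.1.255")}
    cisco_remote_before = {cisco_to_network("10.10.20.0", "0.0.1.255")}

    # Cisco after the fix: the same space listed as individual /24s.
    cisco_local_after = parse_domain(["10.10.10.0/255.255.255.0", "10.10.11.0/255.255.255.0"])
    cisco_remote_after = parse_domain(["10.10.20.0/255.255.255.0", "10.10.21.0/255.255.255.0"])

    before = bool(compare_domains(cisco_local_before, checkpoint_remote)["match"]
                  and compare_domains(cisco_remote_before, checkpoint_local)["match"])
    after = bool(compare_domains(cisco_local_after, checkpoint_remote)["match"]
                 and compare_domains(cisco_remote_after, checkpoint_local)["match"])
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(thread_example())
    print(compare_domains({Net("10.10.10.0/23")},
                          split_supernets({Net("10.10.10.0/23")})))
```

Run it against your own network list and the peer's encryption domain: an empty `only_a` and `only_b` after the split means both ends will propose identical proxy IDs; anything left over is the entry to split or merge before the next phase 2 rekey.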


