Lan-to-lan tunnel VPN 3020 problems

Unanswered Question
Mar 14th, 2007

I have a LAN-to-LAN tunnel between two sites working well, but I have an intermittent problem when we connect more than one person from one site (VPN 3020) to the same server in the other site (Check Point). The tunnel remains OK but there is no application traffic (in an intermittent way). I saw in the VPN logs that there is a continuous renegotiation of phase 2 just when the problem appears (in the file attached). This log is repeated every second. The tunnel is OK on both sides and there is no problem when it is used by only one person.

bwalchez Tue, 03/20/2007 - 07:08

Check with your internet provider whether there is any CAR applied to your internet connection that pertains to bandwidth.

kaachary Wed, 03/21/2007 - 16:19

Most probably the network list on the concentrator does not fully match the encryption domain configured on the Check Point.

If the Check Point is configured on a host basis, and your network list is subnet based, you will run into these issues.

*Please rate if this helped.

-Kanishka

isa-aston-03 Mon, 07/30/2007 - 03:40

Is this thread still active or did you find a solution? I have just had this problem myself and now have a working VPN.

srivero Mon, 07/30/2007 - 04:36

I didn't find a solution. I have a Check Point firewall and I had to move my LAN-to-LAN tunnel from the Cisco VPN to the firewall, where the tunnel works correctly. If you found a solution, please tell me. Thanks.

isa-aston-03 Mon, 07/30/2007 - 05:30

The VPN was failing to initialise in phase two.

The Check Point was configured not to auto-summarise networks. Both ends had EXACTLY the same networks defined - this is where the problem lay. We had a supernet at each end of the VPN, e.g.:

Cisco

(End A) - 10.10.10.0 / 255.255.254.0

Check Point (security domain)

(End B) - 10.10.20.0 / 255.255.254.0

So according to the instructions, configure the EXACT same networks at each end:

In Cisco VPN

local network 10.10.10.0 / 0.0.1.255 (wildcard mask)

remote network 10.10.20.0 / 0.0.1.255

Now when the IKE negotiation takes place, the Check Point end fails it, because it breaks down the supernetted networks into individual class Cs.

I configured the Cisco VPN to use networks:

local networks

10.10.10.0 / 255.255.255.0

10.10.11.0 / 255.255.255.0

remote networks

10.10.20.0 / 255.255.255.0

10.10.21.0 / 255.255.255.0

Once I'd done that, both ends could initiate the VPN and it came up stable.

Hope this helps; let me know how you get on.
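The two answers above (kaachary's host-based versus subnet-based mismatch, and isa-aston-03's supernet split into /24s) are both the same underlying failure: the phase 2 proxy IDs the concentrator proposes must exactly equal a (peer domain, own domain) pair the Check Point derives from its encryption domain, or quick mode is rejected and keeps renegotiating. The script below is an added example, not code from the thread or from either vendor. It models that comparison in Python: it takes the concentrator's local/remote network lists (with Cisco-style wildcard masks) and the Check Point's two encryption domains, splits any Check Point supernet into /24s as the post describes, and reports which proposed pairs would be accepted. The /24 split rule and the exact-match rule are assumptions taken from the posts, not a reading of either product's source; the three scenarios are constructed from the addresses in the thread.

```python
"""Added example (not from the thread): compare a Cisco VPN 3000 network-list
pair against a Check Point encryption domain that splits supernets into /24s,
to see which phase 2 proxy-ID pairs would match exactly."""
import ipaddress
from itertools import product

# Assumption from isa-aston-03's post: the Check Point breaks supernets down
# into individual class Cs (/24) before comparing proxy IDs.
SPLIT_PREFIX = 24


def to_networks(entries, wildcard=False):
    """Parse 'addr/prefix' or 'addr/mask' strings into IPv4Network objects.

    With wildcard=True the mask is a Cisco wildcard (0.0.1.255) and is
    inverted into a regular netmask (255.255.254.0) before parsing.
    """
    nets = []
    for entry in entries:
        addr, _, mask = entry.partition("/")
        if wildcard and "." in mask:
            bits = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
            mask = str(ipaddress.IPv4Address(bits))
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def split_supernets(nets, prefix=SPLIT_PREFIX):
    """Expand any network shorter than /24 into its /24 members; leave the rest."""
    out = []
    for net in nets:
        if net.prefixlen < prefix:
            out.extend(net.subnets(new_prefix=prefix))
        else:
            out.append(net)
    return out


def check_proxy_ids(cisco_local, cisco_remote, cp_peer_domain, cp_own_domain):
    """Return (accepted, rejected) lists of 'local->remote' proxy-ID pairs.

    The concentrator proposes every (local, remote) combination of its two
    network lists in quick mode. The Check Point accepts a pair only if it is
    exactly one of the (peer, own) combinations of its encryption domains
    after supernets have been split. Anything else is rejected, which is the
    continuous phase 2 renegotiation the original poster saw in the logs.
    """
    proposed = set(product(to_networks(cisco_local, wildcard=True),
                           to_networks(cisco_remote, wildcard=True)))
    acceptable = set(product(split_supernets(to_networks(cp_peer_domain)),
                             split_supernets(to_networks(cp_own_domain))))
    fmt = lambda pair: f"{pair[0]}->{pair[1]}"
    accepted = sorted(fmt(p) for p in proposed & acceptable)
    rejected = sorted(fmt(p) for p in proposed - acceptable)
    return accepted, rejected


# Constructed scenario 1: the "identical supernet at both ends" setup that failed.
BROKEN = dict(
    cisco_local=["10.10.10.0/0.0.1.255"],
    cisco_remote=["10.10.20.0/0.0.1.255"],
    cp_peer_domain=["10.10.10.0/255.255.254.0"],
    cp_own_domain=["10.10.20.0/255.255.254.0"],
)

# Constructed scenario 2: the fix from the post, /24s on the Cisco side.
FIXED = dict(
    cisco_local=["10.10.10.0/0.0.0.255", "10.10.11.0/0.0.0.255"],
    cisco_remote=["10.10.20.0/0.0.0.255", "10.10.21.0/0.0.0.255"],
    cp_peer_domain=["10.10.10.0/255.255.254.0"],
    cp_own_domain=["10.10.20.0/255.255.254.0"],
)

# Constructed scenario 3: host-based Check Point domain versus a subnet-based
# Cisco network list, the mismatch kaachary describes (host addresses assumed).
HOST_BASED = dict(
    cisco_local=["10.10.10.0/0.0.0.255"],
    cisco_remote=["10.10.20.0/0.0.0.255"],
    cp_peer_domain=["10.10.10.0/255.255.255.0"],
    cp_own_domain=["10.10.20.5/255.255.255.255", "10.10.20.6/255.255.255.255"],
)

if __name__ == "__main__":
    for name, cfg in (("broken supernet", BROKEN), ("fixed /24s", FIXED),
                      ("host-based domain", HOST_BASED)):
        acc, rej = check_proxy_ids(**cfg)
        print(f"{name}: accepted={acc} rejected={rej}")
```

In the supernet case the concentrator proposes a single /23-to-/23 pair that the Check Point never offers, so nothing is accepted; after the split, all four /24-to-/24 pairs match. In the host-based case the fix is the mirror image: list the individual hosts (/32) on the concentrator, or change the Check Point domain to the subnet, so that both sides enumerate the same pairs.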
