Checkpoint VPN to Cisco ASA

Unanswered Question
Mar 21st, 2007
User Badges:

Hi all,

We have some working tunnels between a Checkpoint box and a Cisco ASA. However despite this we are still seeing lots of errors for:

Rejecting Ipsec Tunnel: no matching crypto map

QM FSM error

Removing peer from correlator table failed, no match!

These all show a source address of the Checkpoint peer. This is despite phase 1 and phase 2 being established already and communication occuring properly.

Is there something that the Checkpoint unit does (tunnel check traffic for example) that is causing these errors?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dsweeny Fri, 03/30/2007 - 06:42
User Badges:

This sample configration demonstrates how to form an IPSec tunnel with pre-shared keys to join two private networks. In our example, the joined networks are the 192.168.1.X private network inside the Cisco Secure Pix Firewall (PIX) and the 10.32.50.X private network inside the Checkpoint. It is assumed that traffic from inside the PIX and inside the Checkpoint 4.1 Firewall to the Internet (represented here by the 172.18.124.X networks) flows prior to beginning this configuration.

jason.scott Fri, 03/30/2007 - 07:45
User Badges:

Thank you. The tunnels were coming up however the checkpoint box kept trying to build another ipsec session inside the tunnel. This is because the Checkpoint box was configured to send tunnel test packets. Adding in an ACL for interesting traffic to permit the Checkpoint peer to Cisco peer allows this ipsec session to be created and the messages have stopped.

Presumably the Checkpoint box could be configured to not send these packets as well.

pearsonjl Tue, 02/05/2008 - 08:12
User Badges:

Could you provide some more detail on this fix, I am having the same problem between a Checkpoint and our new ASA. Tunnel works but I get errors and users do experience some session issues to a server.

omahaperformingarts Wed, 10/06/2010 - 10:34
User Badges:

As this post is almost 4 years old, this is just a shot in the dark.

The interesting ACL for your solution was what? ESP, IP


This Discussion