Cisco PIX compactability with Checkpoint

Unanswered Question
Nov 21st, 2007

Hi All,

We need your assistance

Issue: VPN Pkts get dropped.

1) A Site-to-Site VPN is established b/w Checkpoint & Cisco PIX.

2) Often the connectvitiy Flaps, i.e. the pkst get dropped.

Error:

Pix: Duplicate pkt on Phase 2

Checkpoint: Virtual defragmentation error: Timeout

When checked in Google, the solution is 'caused to due to jumbo packets traversing thru the tunnel' and need to change the MTU size.

We have S-2-S tunnels with multiple customers and have issue with only one customer and he is asking to change the MTU Size. To my knowledge we can only change MTU for an interface and not for tunnel.

Kindly advice me on this.

Regards,

Thebull.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
tstanik Tue, 11/27/2007 - 14:43

You can change the MTU for a tunnel. Each tunnel has a virtual interface associated with it. You can go to the virtual interface config and specify the required MTU size.

kevin.jones1 Wed, 11/28/2007 - 09:53

You do not need to change anything. What

is the checkpoint version? Is it NG, NG with

AI or NGx? Make sure you use the latest

HotFix Accumulator (HFA) on the checkpoint side.

When in doubt, run "fw ver" and it will tell

the current version on the firewall.

Try to upgrade to the latest HFA first.

if you still has issues, then the next

thing to do is to use dbedit to modify some

parameters on the checkpoint firewall.

Actions

This Discussion