This question is regarding a Cisco 837 to Checkpoint IPSEC (site-to-site) VPN link. For over a year this configuration has been working perfectly. Our vendor is in the process of upgrading their network and will be ending their use of the Checkpoint that was currently terminating our VPN. They requested we modify the destination PEER address on our side so that we would be terminating into a new Checkpoint.
The only change we had to make in the Cisco 837 was the Destination Peer Address. The VPN came up perfectly.
Upon monitoring the VPN over the past few days since this change, we see the VPN drops every hour, for about 3 minutes. It looks like the two devices are having a problem re-negotiating the SAs prior to the current SA's lifetime expiry (3600 seconds).
We have attempted to verify that as many of our settings as possible match on both ends, but we cannot figure out why this is happening.
Attached are a screenshot they provided me of the Checkpoint config, the Cisco 837 (sh ver, sh run) and the output from the Cisco 837 (debug crypto ipsec, debug crypto pki, debug crypto isakmp).
They are pointing the finger at our end stating they have numerous clients on their new Checkpoint and we are the only ones experiencing this issue. I can't believe it is our issue, since the only change we made was the Destination Peer Address. If you have any thoughts or ideas, they would be appreciated.