Cisco 837 <-> Checkpoint IPSEC VPN (drops every hour)


This question is regarding a Cisco 837 to Checkpoint IPSEC (site-to-site) VPN link. For over a year this configuration has been working perfectly. Our vendor is in the process of upgrading their network and will be ending their use of the Checkpoint that was currently terminating our VPN. They requested we modify the destination PEER address on our side so that we would be terminating into a new Checkpoint.

The only change we had to make in the Cisco 837 was the Destination Peer Address. The VPN came up perfectly.

Upon monitoring the VPN over the past few days since this change, we see the VPN drops every hour, for about 3 minutes. It looks like the two devices are having a problem re-negotiating the SAs prior to the current SAs' lifetime expiry (3600 seconds).

We have attempted to verify that as many of our settings as possible match on both ends, but we cannot figure out why this is happening.

Attached is a screenshot they provided me of the Checkpoint config, the Cisco 837 (sh ver, sh run) and the output from the Cisco 837 (debug crypto ipsec, debug crypto pki, debug crypto isakmp).

They are pointing the finger at our end stating they have numerous clients on their new Checkpoint and we are the only ones experiencing this issue. I can't believe it is our issue, since the only change we made was the Destination Peer Address. If you have any thoughts or ideas, they would be appreciated.


Indeed, I verified my Phase 1 and Phase 2 matched their screenshot for their configs. I guess the default values don't show up in the running config, but I typed them in again, just to make sure they matched.

They did give me more information with regards to their other clients. Most people are connecting with PIX 501s, ASA 5505s and SonicWalls. I am the only one connecting with a router.

I cannot find in the C837 where Aggressive Mode can be toggled, and the message in that last debug:

"peer does not do paranoid keepalives"

has me thinking the C837 is attempting Aggressive mode. So tonight, they are going to turn Aggressive Mode back on in their Checkpoint config, to see if that resolves it.

If not, I guess our only other option is to add in a PIX or ASA device. It is just frustrating to spend money on something that used to work before they had us change PEERS.

cisco24x7 Wed, 02/20/2008 - 11:14

1- what version of Checkpoint firewall?

NG Feature Pack 3, NG with Application Intelligence R55, NGx?

2- What level of HFA is on the firewalls?

uname -a, fw ver, etc.

3- Active/Active or Active/Standby on Checkpoint?

4- Nokia IPSO clustering, VRRP or ClusterXL?

When you said they moved the VPN peer from one Checkpoint to another Checkpoint, are they running the same version of Checkpoint as specified in 1, 2, 3 and 4 above?

There are known issues between Checkpoint and Cisco VPN. It's hard to troubleshoot something without having more information.

CCIE Security

Since I have no way of knowing their side of things, I forwarded this question to them, and this is their response:

--------begin response-------

1. Attachment (checkpoint-pe.jpg)

2. Attachment (checkpoint-ver.jpg)

3. I don't know this one

4. We are not using clustering.

The Customer was connected to a Checkpoint FW running 4.1

We moved the user to a Nokia IP330 running FP2 checkpoint NG in traditional mode

I have a screen shot of the version and build number

--------end response-------

Here is a little more information from their (Check Point) side:

----From their Check Point Guy----

Please have the Cisco guy go over his config again.

The debug that you gave me shows that the Cisco is initiating a connection with the following parameters:

Transform Payload - ESP_3DES

Encapsulation Mode: Tunnel

SA Life Type: Seconds

SA Life Duration: 3600

SA Life Type: KiloBytes

SA Life Duration: 4608000

Authentication Alg: HMAC-SHA1

Note the second set of SA Life Type/Duration parameters.

This is negotiated and accepted, then a little while later, the SA-Delete message is sent.
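For reference, the Phase 2 parameters the Check Point admin lists above correspond to the Cisco IOS configuration below. This is an added illustration written for this thread, not the poster's attached config: the peer address 192.0.2.1, the two subnets, the names CP-SET, CP-MAP and VPN-TRAFFIC, and the Dialer1 WAN interface are placeholders.

```cisco
! Phase 1 (ISAKMP) policy. The Check Point side must show the same
! encryption, hash, authentication method, DH group and lifetime.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared key for the new peer (placeholder address and key).
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
! With pre-shared keys IOS initiates main mode; it only initiates
! aggressive mode when 'crypto isakmp peer address <ip>' with
! 'set aggressive-mode password' is configured.
! Optional dead peer detection. The "peer does not do paranoid
! keepalives" debug line means the remote did not advertise DPD.
crypto isakmp keepalive 10 periodic
!
! Phase 2 (IPsec): ESP_3DES with HMAC-SHA1 in tunnel mode, exactly the
! transform the Check Point admin quotes. Tunnel mode is the default,
! so 'mode tunnel' is not shown in the running config.
crypto ipsec transform-set CP-SET esp-3des esp-sha-hmac
 mode tunnel
!
! Both SA lifetimes the Check Point admin quotes are IOS defaults, so
! they are proposed in every Phase 2 exchange but hidden from
! 'show running-config' until typed explicitly.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto map CP-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set CP-SET
 match address VPN-TRAFFIC
!
! Placeholder interesting-traffic ACL (local LAN to remote LAN).
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! Assumed WAN interface for the 837.
interface Dialer1
 crypto map CP-MAP
```

`show crypto ipsec sa` prints the remaining key lifetime as `(k/sec)` for each SA, which shows whether the hourly renegotiation is driven by the seconds counter or the kilobyte counter, and `show crypto isakmp sa` confirms whether Phase 1 survives the Phase 2 rekey.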


cisco24x7 Wed, 02/20/2008 - 17:22

"The Customer was connected to a Checkpoint FW running 4.1"

"We moved the user to a Nokia IP330 running FP2 checkpoint NG in traditional mode

I have a screen shot of the version and build number"

Both 4.1 and NG Feature Pack 2 are no longer supported by Checkpoint since 2006. Even Checkpoint NG Feature Pack 3 is no longer supported. Checkpoint 4.1 is actually quite stable. That's why you didn't have

There are over 800 bugs in NG Feature Pack 2.

I am willing to bet if the Checkpoint admin upgrades from NG Feature Pack 2 to NG Feature Pack 3 with HFA_327, your problem will be solved.

