Help with VPN tunnel with CheckPoint (from ASA 7.2(3))

Unanswered Question
Apr 2nd, 2008
User Badges:

I have a VPN tunnel with a Checkpoint, and because of the CheckPoint's unfortunate behavior of supernetting, I've had to use supernets in the crypto map on the ASA. All was well until I decided to modify a setting on CheckPoint to prevent supernetting (ike_use_largest_possible_subnets changed from "true" to "false"). I updated the crypto map and did "clear crypto isakmp sa" and "clear crypto ipsec sa" but I could not get the tunnel to work correctly and had to fall back.

Have any of you been through this and if so, can you share your experience, advice, wisdom, etc.? I do not do much VPN work on the Cisco ASAs so maybe I didn't clear everything properly or didn't do the commands in the right order, or something?

I did not reload the Cisco. Maybe that's what I needed to do???

I did fall back on both the CheckPoint and ASA and the tunnel is up and working, but I see a lot of "duplicate phase 2 packet" messages on the ASA, and on the checkpoint I see a phase 2 packet with the supernet (x.x.x.0/23) then a delete, then another phase 2 packet with the x.x.x.0/24, so I still don't think things are working correctly.

I also tried "debug crypto isakmp" and "debug crypto ipsec" but I don't see any output. I am doing ssh to the Cisco ASA. Where does the output go? Sorry if that's a really stupid question. I did search the forum and Cisco's doc but didn't find anything.

Thanks in advance for any help you can provide.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
cisco24x7 Wed, 04/02/2008 - 09:24
User Badges:
  • Silver, 250 points or more

Please provide the following information:

On Checkpoint, provide the following:

-uname -a

-fw ver

-Are you using traditional mode for simplified


a couple of comments:

1- you do not need to reload the ASA. This

is an appliance, not microsoft windows. On

the other hand, you're dealing with ED code

on the ASA. There are known issue with ED


2- Unless you have special reasons to use

traditional mode, use simplified mode because

in NGx simplified mode, you have the ability

to make it negotiate with "hosts". Yes, it

will not be efficient but it will work.

However, this option is only available in

Checkpoint VPN Simplified mode. Furthermore,

if you're using Checkpoint traditional mode,

there are a lot of restrictions to this


3- if you have to use traditional mode, you

can edit the $FWDIR/lib/user.def file and

put in the network in there. I do not like

this but this is the way to do it in

Checkpoint NG Feature Pack 3 and NG with

Application Intelligence R55. In NGx, you do

not need it in simplified mode, but you need

to do this in traditional mode. That being

said, I stop using traditional mode after

checkpoint 4.1 so you have to try it and

see it for yourself.

4- On the ASA, the configuration is very


5- Change everything to checkpoint VPN

simplified mode and it will work for you.

This is a very simple configuration.

CCIE Security

calterio Wed, 04/02/2008 - 09:46
User Badges:

Thanks for replying. We're running R62 (no hfa) with traditional mode. We have over 40 vpn tunnels so it is not an option to just convert to simplified mode. This is a plan but not something I can do immediately to solve this issue.

When ike_use_largest_possible_subnet didn't work, I did try modifying user.def but that also did not work. The var has suggested coding the inoperable device properties to "one tunnel per pair of hosts", which can be done even in traditional mode but does not seem to work (tried it before) so maybe that's your point about trad mode having restrictions.

I have a thread open on the CheckPoint forum on this, but I'm just trying to determine if, on the ASA side, I've done something incorrectly, as I'm not as familiar with VPNs on that device.

I have read about issues with Cisco where a reload seems to resolve issues with the SA after changes are made, and in fact, the changes I made caused issues with another Cisco device (1841) we have a tunnel with (that I don't manage) and the admin for that device had to reset the device to get things working. Clearing the SAs did not fix it.

cisco24x7 Wed, 04/02/2008 - 09:59
User Badges:
  • Silver, 250 points or more

"We're running R62 (no hfa)"

There is NO HFA for R62 even if you want one.

"I am doing ssh to the Cisco ASA. Where does the output go?"

tye 'term mon' and you will see the debug output

"and the admin for that device had to reset the device

to get things working. Clearing the SAs did not fix it."

That is always an option if the other side agrees.

Good luck to you.

calterio Thu, 04/03/2008 - 15:16
User Badges:

Thanks for the replies and the info. Much appreciated!

So am I doing the right clear commands in the right sequence, to completely terminate the tunnel?

clear crypto isakmp sa

clear crypto ipsec sa

If not, what are the correct commands and sequence. Again, this is an ASA. Thanks!


This Discussion