I have a VPN tunnel with a Check Point, and because of the Check Point's unfortunate behavior of supernetting, I've had to use supernets in the crypto map on the ASA. All was well until I decided to modify a setting on the Check Point to prevent supernetting (ike_use_largest_possible_subnets changed from "true" to "false"). I updated the crypto map and did "clear crypto isakmp sa" and "clear crypto ipsec sa", but I could not get the tunnel to work correctly and had to fall back.
Have any of you been through this and if so, can you share your experience, advice, wisdom, etc.? I do not do much VPN work on the Cisco ASAs so maybe I didn't clear everything properly or didn't do the commands in the right order, or something?
I did not reload the Cisco. Maybe that's what I needed to do?
I did fall back on both the Check Point and ASA and the tunnel is up and working, but I see a lot of "duplicate phase 2 packet" messages on the ASA, and on the Check Point I see a phase 2 packet with the supernet (x.x.x.0/23), then a delete, then another phase 2 packet with the x.x.x.0/24, so I still don't think things are working correctly.
I also tried "debug crypto isakmp" and "debug crypto ipsec" but I don't see any output. I am connected to the Cisco ASA via SSH. Where does the output go? Sorry if that's a really stupid question. I did search the forum and Cisco's docs but didn't find anything.
Thanks in advance for any help you can provide.