IPSEC sockets going down & restarting

Unanswered Question
May 8th, 2008
User Badges:

We have built an IPSEC tunnel between a CheckPoint firewall and a Cisco 3725 router. Every 5 minutes a server inside the firewall sends a "keepalive" packet to a server inside the router. The server logs a socket error indicating that the IPSEC socket has gone down. The server then goes through the effort to tear down his end of the tunnel,

re-exchange keys and bring up the socket.

Any thoughts?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
fouzi Thu, 05/08/2008 - 08:33
User Badges:

you can send debug??

type command "debug crypto isakmp sa" in cisco router

netosl Thu, 05/08/2008 - 08:47
User Badges:

We are running 12-3.6b on the router and the "debug crypto isakmp sa" command is not available. I do have "debug crypto isakmp error" available and will run that.

GRAEME DANIELSON Thu, 05/08/2008 - 12:24
User Badges:

Just to be clear; where does the IPsec tunnel terminate? Is the IPsec tunnel between the router and firewall or is it between the two servers?

From what you are saying (server IPsec sockets, and server exchanging keys) it sounds like the tunnel endpoints are the servers? In this case the firewall and router just need to pass the traffic and not actively participate in IPsec i.e. the "show crypto ..." commands won't show anything meaningful.

If on the other hand the tunnel is between the router and firewall the servers would effectively have no knowledge of the IPsec tunnel. The tunnel is just another layer3 IP hop in the cloud between the servers.

cisco24x7 Thu, 05/08/2008 - 20:32
User Badges:
  • Silver, 250 points or more

I need the following information before I can help you:

On the Checkpoint firewall:

1- what is the platform? Nokia, Secureplatform, Windows, Solaris?

If the answer is windows or solaris, I will not be able to help you

since I hate both solaris and windows

2- show me the "uname -a" output and "fw ver" output

3- what is the phase I and II timeout setting on the Checkpoint

side? The default timeout setting on the checkpoint is 1440 minutes

for phase I and 3600 seconds for phase II

4- Are you using traditional mode or simplified mode?

5- what is the network(s) behind the checkpoint firewall?

I need you to list all of the network behind the firewall.

6- Are you using the latest HFAs on the firewall?

On the Cisco side:

1- what is the phase I and II timeout setting on the


I have an identical setup like yours between a Checkpoint

NGx R65 and Cisco IOS router with IOS 12.2(15)T17 and it works

fine for the last three years.

Please provide more information and a diagram so that I can

help you troubleshoot it.


This Discussion