05-12-2008 11:28 PM - edited 03-11-2019 05:43 AM
Hi Experts,
We have IPSec configured between a Cisco ASA and Checkpoint NGX. The tunnel goes down once a day and re-establishes after 2 hrs; we are facing this issue on a daily basis.
The SAs for phase 1 and phase 2 on the ASA are 86400 secs and 3600 secs respectively.
Any suggestions would be of great help.
05-13-2008 04:02 AM
1- What version on the ASA? 7.x or 8.x?
2- What version of Checkpoint NGx? R60, R60A, R61, R62, R63 or R65? Do you have any HFAs installed?
3- Are you using traditional or simplified mode VPN?
4- Do you have PFS enabled on the ASA but not Checkpoint, or vice versa? Please check this.
5- What is the encryption domain on the Checkpoint side? I need to know ALL the networks included behind the Checkpoint firewall.
6- What is the interesting traffic behind the ASA? Need to know that too.
7- Did you run "vpn debug trunc" to capture the $FWDIR/log/ike.elg file and view it with the IKEView.exe program? It will tell you exactly what went wrong.
8- If using simplified mode, did you use "permanent tunnel"?
9- Did you tell Checkpoint NOT to supernet everything in its encryption domain?
Please provide this information. It is hard to help you troubleshoot a problem with so little information to go on.
CCIE Security
05-13-2008 04:59 AM
Hi,
Thanks for responding. Since checkpoint is on the customer end, there is some delay in getting the information from the Checkpoint end.
Please could you let me know what the simplified and traditional VPN modes are and which one is used more frequently.
Thanks
Deepali
05-13-2008 07:38 AM
Most VPNs are set up using Simplified mode. Traditional mode is the legacy mode going back to Checkpoint version 4.1. About 33% of VPNs on Checkpoint are set up this way. However, with NG and higher, Simplified mode is the default.
05-14-2008 11:36 PM
Hi,
We are observing that the tunnel fails more often now, 3-4 times a day, and sometimes the tunnel comes up fine only after 5-6 hours.
Thanks
Deepali
05-14-2008 10:05 PM
Hi,
Please see the answers inline.
1- What version on the ASA? 7.x or 8.x?
ASA version 7.2
2- What version of Checkpoint NGx? R60, R60A, R61, R62, R63 or R65? Do you have any HFAs installed?
Checkpoint R61
3- Are you using traditional or simplified mode VPN?
Simplified mode
4- Do you have PFS enabled on the ASA but not Checkpoint, or vice versa? Please check this.
PFS has not been enabled on either Checkpoint or the ASA.
5- What is the encryption domain on the Checkpoint side? I need to know ALL the networks included behind the Checkpoint firewall.
6- What is the interesting traffic behind the ASA? Need to know that too.
7- Did you run "vpn debug trunc" to capture the $FWDIR/log/ike.elg file and view it with the IKEView.exe program? It will tell you exactly what went wrong.
We have collected logs by enabling debug crypto engine and debug crypto isakmp when the tunnel goes down; please find the logs attached.
8- If using simplified mode, did you use "permanent tunnel"?
9- Did you tell Checkpoint NOT to supernet everything in its encryption domain?
No domains are supernetted.
Please let me know if you need any more info from our end.
Thanks
Deepali
05-15-2008 06:59 PM
Please post the ike.elg file. I won't be able to offer much help without that file.
1- PIX 7.2 is buggy. Why don't you use version 7.0.7 instead?
2- Why don't they upgrade the HFA on R61? It should be at HFA_03.
3- When you say "No domains are supernetted", how do you know? Without the ike.elg file, I will know that for sure.
05-16-2008 03:48 AM
I think I've found the solution for you:
Look at this access-list:
access-list 114 extended permit ip host 192.168.170.33 host 172.20.14.10
access-list 114 extended permit ip host 192.168.170.33 host 172.16.2.26
access-list 114 extended permit ip host 192.168.170.38 host 172.16.2.26
access-list 114 extended permit ip 192.168.170.0 255.255.255.0 host 91.102.122.11
access-list 114 extended permit ip 192.168.170.0 255.255.255.0 91.102.122.12 255.255.255.252
Let's say these are the hosts and networks behind the Checkpoint firewall.
Let's assume that the network behind the Checkpoint firewall is 172.20.14.0/24 and 172.16.2.0/24. Let's also assume that the Checkpoint also has another VPN with another customer_X, and that customer_X needs to access the whole networks 172.20.14.0/24 and 172.16.2.0/24. Therefore, the Checkpoint engineer put both networks 172.20.14.0/24 and 172.16.2.0/24 into his local encryption domain. However, you do not need to access the whole network, just a few hosts, so he also put a couple of hosts that you need into the encryption domain as well.
If the Cisco side initiates the traffic, it should work because Checkpoint does not care. However, if Checkpoint initiates the traffic, it will send the whole /24 instead of a single host, thus causing a phase II quick mode error.
The ike.elg file can definitely confirm this.
SOLUTION:
In previous Checkpoint versions prior to NGx, you had to modify IKE_largest_possible_network from "true" to "false" and also the $FWDIR/lib/user.def file. In NGx, that is NOT necessary. In the VPN community of your particular VPN tunnel, under advanced mode, just select "exchange key per host". That will fix your problem.
Good luck to you
CCIE Security
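As an added illustration of the mismatch described in this post (not code from the thread or from either vendor): a small Python check that parses the crypto ACL quoted above and tests whether a peer's proposed Phase 2 proxy IDs fall within any ACE. The acceptance rule used here (the proposal must fit inside an ACE, so a /24 offered against a host entry is rejected) is an assumed simplification of the responder's behaviour, kept only to show why a supernetted encryption domain fails quick mode while "exchange key per host" succeeds.

```python
import ipaddress
import re

# Crypto ACL quoted in the post above (the ASA side of the tunnel).
ACL_114 = """
access-list 114 extended permit ip host 192.168.170.33 host 172.20.14.10
access-list 114 extended permit ip host 192.168.170.33 host 172.16.2.26
access-list 114 extended permit ip host 192.168.170.38 host 172.16.2.26
access-list 114 extended permit ip 192.168.170.0 255.255.255.0 host 91.102.122.11
access-list 114 extended permit ip 192.168.170.0 255.255.255.0 91.102.122.12 255.255.255.252
"""


def _take_addr(tokens):
    """Consume one ASA address spec ('host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Return [(local_net, remote_net), ...] for every 'permit ip' ACE."""
    aces = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list \S+ extended permit ip (.+)", line)
        if m:
            local, rest = _take_addr(m.group(1).split())
            remote, _ = _take_addr(rest)
            aces.append((local, remote))
    return aces


def matching_ace(aces, local_id, remote_id):
    """Return the first ACE covering the peer's Phase 2 proxy IDs, else None.

    local_id/remote_id are the IDs as seen from the ASA (its own side first).
    Assumed rule for this example: the proposal must fit inside an ACE, so a
    proposal wider than the ACE (a /24 against a host entry) is rejected.
    """
    local, remote = ipaddress.ip_network(local_id), ipaddress.ip_network(remote_id)
    for ace_local, ace_remote in aces:
        if local.subnet_of(ace_local) and remote.subnet_of(ace_remote):
            return ace_local, ace_remote
    return None


if __name__ == "__main__":
    acl = parse_crypto_acl(ACL_114)
    # Checkpoint initiating with its whole (supernetted) encryption domain:
    print(matching_ace(acl, "192.168.170.33/32", "172.20.14.0/24"))   # None -> quick mode fails
    # Same peer after "exchange key per host" (one host per SA):
    print(matching_ace(acl, "192.168.170.33/32", "172.20.14.10/32"))  # host ACE matches
```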
05-16-2008 10:57 AM
Thanks a ton!
I will try the solution you have suggested and update you soon.
Thanks
Deepali
05-21-2008 02:28 AM
The customer has made the change you suggested on the firewall, we need to monitor the tunnel.
Please could you let me know where I can find the $FWDIR/lib/user.def file on the ASA, and whether it can be viewed through the CLI.
Thanks
Deepali
05-21-2008 10:12 AM
First of all, I made a mistake. In NGx R60 and higher, Checkpoint has changed the location of the user.def from $FWDIR/lib to the $FWDIR/conf directory. The new name of this file is user.def.NGX_R60. Go figure.
These files are on the Checkpoint firewall, not the ASA. The file is an ASCII file, and you can read it with vi, cat or more.
CCIE Security
06-03-2008 11:12 PM
Thank you so much, the problem is fixed and we see that the VPN is not going down any more.
09-23-2019 08:38 AM
Hello, I have a similar problem, but the version of the CheckPoint firewalls is R80.10 with a Cisco ASA. I'd like to know if someone can explain to me more about how to fix that problem with this version of CheckPoint. Thanks in advance, best regards.