VPN tunnel tears down after 24 hrs between ASA and Checkpoint

deepali.shinde
Level 1

Hi Experts,

We have IPsec configured between a Cisco ASA and a Checkpoint NGX. The tunnel goes down once a day and re-establishes after 2 hrs; we are facing this issue on a daily basis.

The SA lifetimes for phase 1 and phase 2 on the ASA are 86400 secs and 3600 secs respectively.

Any suggestions would be of great help.

12 Replies

cisco24x7
Level 6

1- What version on the ASA? 7.x or 8.x?

2- What version of Checkpoint NGx? R60, R60A, R61, R62, R63 or R65? Do you have any HFAs installed?

3- Are you using traditional or simplified mode VPN?

4- Do you have PFS enabled on the ASA but not on the Checkpoint, or vice versa? Please check this.

5- What is the encryption domain on the Checkpoint side? I need to know ALL the networks included behind the Checkpoint firewall.

6- What is the interesting traffic behind the ASA? I need to know that too.

7- Did you run "vpn debug trunc" to capture the $FWDIR/log/ike.elg file and view it with the IKEView.exe program? It will tell you exactly what went wrong.

8- If using simplified mode, did you use "permanent tunnel"?

9- Did you tell Checkpoint NOT to supernet everything in its encryption domain?

Please provide this information. It is hard to help you troubleshoot a problem with so little information to go on.

CCIE Security

Hi,

Thanks for responding. Since the Checkpoint is on the customer end, there is some delay in getting the information from the Checkpoint side.

Could you please let me know what the simplified and traditional VPN modes are, and which one is used more frequently?

Thanks

Deepali

Most VPNs are set up using Simplified mode. Traditional mode is the legacy mode going back to Checkpoint version 4.1. About 33% of VPNs on Checkpoint are set up this way. However, with NG and higher, Simplified mode is the default.

Hi,

We are observing that the tunnel now fails more often, 3-4 times a day, and sometimes the tunnel only comes up fine after 5-6 hours.

Thanks

Deepali

Hi,

Please see the answers inline.

1- What version on the ASA? 7.x or 8.x?

ASA version 7.2

2- What version of Checkpoint NGx? R60, R60A, R61, R62, R63 or R65? Do you have any HFAs installed?

Checkpoint R61

3- Are you using traditional or simplified mode VPN?

Simplified mode

4- Do you have PFS enabled on the ASA but not on the Checkpoint, or vice versa? Please check this.

PFS has not been enabled on either the Checkpoint or the ASA.

5- What is the encryption domain on the Checkpoint side? I need to know ALL the networks included behind the Checkpoint firewall.

6- What is the interesting traffic behind the ASA? I need to know that too.

7- Did you run "vpn debug trunc" to capture the $FWDIR/log/ike.elg file and view it with the IKEView.exe program? It will tell you exactly what went wrong.

We have collected logs by enabling "debug crypto engine" and "debug crypto isakmp" when the tunnel goes down; please find the logs attached.

8- If using simplified mode, did you use "permanent tunnel"?

9- Did you tell Checkpoint NOT to supernet everything in its encryption domain?

No domains are supernetted.

Please let me know if you need any more info from our end.

Thanks

Deepali

Please post the ike.elg file. I won't be able to offer much help without that file.

1- PIX 7.2 is buggy. Why don't you use version 7.0.7 instead?

2- Why don't they upgrade the HFA on R61? It should be at HFA_03.

3- When you say "No domains are supernetted", how do you know? Without the ike.elg file, I won't know that for sure.

I think I've found the solution for you.

Look at this access-list:

access-list 114 extended permit ip host 192.168.170.33 host 172.20.14.10

access-list 114 extended permit ip host 192.168.170.33 host 172.16.2.26

access-list 114 extended permit ip host 192.168.170.38 host 172.16.2.26

access-list 114 extended permit ip 192.168.170.0 255.255.255.0 host 91.102.122.11

access-list 114 extended permit ip 192.168.170.0 255.255.255.0 91.102.122.12 255.255.255.252

Let's say these are the hosts and networks behind the Checkpoint firewall. Let's assume that the networks behind the Checkpoint firewall are 172.20.14.0/24 and 172.16.2.0/24. Let's also assume that the Checkpoint has another VPN with another customer_X, and that customer_X needs to access the whole of 172.20.14.0/24 and 172.16.2.0/24. Therefore, the Checkpoint engineer put both networks 172.20.14.0/24 and 172.16.2.0/24 into his local encryption domain. However, you do not need to access the whole network, just a few hosts, so he also put the couple of hosts that you need into the encryption domain as well.

If the Cisco side initiates the traffic, it should work because Checkpoint does not care. However, if Checkpoint initiates the traffic, it will send the whole /24 instead of a single host, thus causing a Phase 2 Quick Mode error. The ike.elg file can definitely confirm this.

SOLUTION:

In Checkpoint versions prior to NGx, you have to modify IKE_largest_possible_network from "true" to "false" and also the $FWDIR/lib/user.def file. In NGx, that is NOT necessary. In the VPN community of your particular VPN tunnel, under advanced mode, just select "exchange key per host". That will fix your problem.

Good luck to you

CCIE Security
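The Quick Mode mismatch described in the post above, modelled in code so the asymmetry is visible. This is an added example and not part of the thread or of any vendor code. The crypto ACL is the one quoted in the post; the Check Point encryption domains, the two sample flows, the "exact mirror of one ACE" rule for the ASA as responder, and the "widen each host to the largest containing encryption-domain network" rule for Check Point as initiator are constructed assumptions of the model, as is the shape of the ASA reject line.

```python
"""Model of the Check Point -> ASA Quick Mode proxy-ID mismatch (added example).

Assumptions (not from the thread): the ASA, as IKE responder, accepts a Phase 2
proposal only if one crypto-ACL entry is its exact mirror; Check Point, as
initiator, widens each host to the largest encryption-domain network that
contains it unless "exchange key per host" is set; Check Point, as responder,
only needs the proposed proxies to fall inside its encryption domains.
"""
from ipaddress import IPv4Network

# Constructed input: the crypto ACL quoted in the thread, verbatim.
ASA_CRYPTO_ACL = """
access-list 114 extended permit ip host 192.168.170.33 host 172.20.14.10
access-list 114 extended permit ip host 192.168.170.33 host 172.16.2.26
access-list 114 extended permit ip host 192.168.170.38 host 172.16.2.26
access-list 114 extended permit ip 192.168.170.0 255.255.255.0 host 91.102.122.11
access-list 114 extended permit ip 192.168.170.0 255.255.255.0 91.102.122.12 255.255.255.252
"""

# Constructed (assumed) Check Point encryption domains following the scenario
# in the post: whole /24s for another customer plus the two hosts this ASA
# needs.  The ASA-side LAN is 192.168.170.0/24.  The 91.102.122.x ACEs are
# deliberately left outside this domain.
CP_LOCAL_DOMAIN = [IPv4Network("172.20.14.0/24"), IPv4Network("172.16.2.0/24"),
                   IPv4Network("172.20.14.10/32"), IPv4Network("172.16.2.26/32")]
CP_REMOTE_DOMAIN = [IPv4Network("192.168.170.0/24")]

# Constructed sample flows (Check Point host -> ASA host).
FLOWS = [("172.20.14.10", "192.168.170.33"), ("172.16.2.26", "192.168.170.38")]


def _operand(tok, i):
    """Parse 'host A.B.C.D' or 'A.B.C.D M.M.M.M' at tok[i]; return (network, next index)."""
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    return IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_asa_crypto_acl(text):
    """Return the ACL as (local, remote) proxy-ID pairs: ACE source is the ASA's
    local proxy, ACE destination its remote proxy."""
    pairs = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[3] != "permit" or tok[4] != "ip":
            continue  # only 'permit ip' entries carry proxy IDs in this model
        src, i = _operand(tok, 5)
        dst, _ = _operand(tok, i)
        pairs.append((src, dst))
    return pairs


def largest_containing_subnet(host, domain):
    """Check Point default (modelled): widen a host to the largest domain network
    containing it; fall back to the /32 if nothing in the domain contains it."""
    h = IPv4Network(f"{host}/32")
    containing = [n for n in domain if h.subnet_of(n)]
    return min(containing, key=lambda n: n.prefixlen, default=h)


def checkpoint_proposal(cp_host, asa_host, per_host=False):
    """Proxy IDs Check Point would put in Quick Mode for cp_host -> asa_host.
    per_host=True models the "exchange key per host" community setting."""
    if per_host:
        return IPv4Network(f"{cp_host}/32"), IPv4Network(f"{asa_host}/32")
    return (largest_containing_subnet(cp_host, CP_LOCAL_DOMAIN),
            largest_containing_subnet(asa_host, CP_REMOTE_DOMAIN))


def asa_responder_accepts(acl_pairs, cp_local, cp_remote):
    """ASA as responder (assumed exact-match rule): some ACE must have
    source == Check Point's remote proxy and destination == its local proxy."""
    return any(src == cp_remote and dst == cp_local for src, dst in acl_pairs)


def asa_reject_line(cp_local, cp_remote):
    """Shape of the ASA syslog for this failure (%ASA-3-713061); values are from
    the model, not from a real capture."""
    return ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
            f"{cp_local.network_address}/{cp_local.netmask}/0/0 local proxy "
            f"{cp_remote.network_address}/{cp_remote.netmask}/0/0 on interface outside")


def checkpoint_responder_accepts(cp_local, cp_remote):
    """Check Point as responder (modelled): proposed proxies need only fall
    inside its encryption domains, so ASA-initiated host/host SAs succeed."""
    return (any(cp_local.subnet_of(n) for n in CP_LOCAL_DOMAIN)
            and any(cp_remote.subnet_of(n) for n in CP_REMOTE_DOMAIN))


def checkpoint_initiated(per_host):
    """{(cp_host, asa_host): ((cp_local, cp_remote), accepted_by_asa)} per flow."""
    acl = parse_asa_crypto_acl(ASA_CRYPTO_ACL)
    out = {}
    for cp_host, asa_host in FLOWS:
        proposal = checkpoint_proposal(cp_host, asa_host, per_host)
        out[(cp_host, asa_host)] = (proposal, asa_responder_accepts(acl, *proposal))
    return out


def asa_initiated():
    """[((src, dst), accepted_by_checkpoint)]: the ASA proposes each ACE as-is,
    so Check Point sees local = ACE destination and remote = ACE source."""
    return [((src, dst), checkpoint_responder_accepts(dst, src))
            for src, dst in parse_asa_crypto_acl(ASA_CRYPTO_ACL)]


if __name__ == "__main__":
    for per_host in (False, True):
        print("Check Point initiates, exchange key per host =", per_host)
        for flow, ((loc, rem), ok) in checkpoint_initiated(per_host).items():
            print(f"  {flow[0]} -> {flow[1]}: proposes {loc} <-> {rem}: "
                  f"{'accepted' if ok else 'REJECTED'}")
            if not ok:
                print("   ", asa_reject_line(loc, rem))
    for (src, dst), ok in asa_initiated():
        print(f"ASA initiates {src} -> {dst}: Check Point {'accepts' if ok else 'rejects'}")
```

Run as a script it prints the two Check Point-initiated flows being rejected by the ASA with the default widening (the /24 proposal has no mirror ACE) and accepted once "exchange key per host" is modelled, and the first three ASA-initiated ACEs being accepted by Check Point; the two 91.102.122.x ACEs are rejected only because the constructed domain does not include them.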

Thanks a ton!

I will try the solution you have suggested and update you soon.

Thanks

Deepali

The customer has made the change you suggested on the firewall, we need to monitor the tunnel.

Could you please let me know where I can find the $FWDIR/lib/user.def file on the ASA, and whether it can be viewed through the CLI?

Thanks

Deepali

First of all, I made a mistake. In NGx R60 and higher, Checkpoint has changed the location of user.def from $FWDIR/lib to the $FWDIR/conf directory. The new name of this file is user.def.NGX_R60. Go figure.

These files are on the Checkpoint firewall, not the ASA. The file is an ASCII file and you can read it with vi, cat or more.

CCIE Security

Thank you so much, the problem is fixed and we see that the VPN is not going down any more.

Hello, I have a similar problem, but the version of the CheckPoint firewalls is R80.10 (with the Cisco ASA). I'd like to know if someone can explain more to me about how to fix this problem with this version of CheckPoint. Thanks in advance, best regards.
