l2l VPN between ASA5510 -- Checkpoint

Oct 17th, 2008
Configuration Type: Site-Site VPN between ASA-5510 (version 8) and Checkpoint firewall

I've gotten layer 1 up and running; however, layer 2 is having problems. I've checked over the settings 4 times and it all seems correct; my problem seems to be that it is encrypting traffic but not decrypting.

CFIP-5510ASA-Primary# show crypto ipsec sa

interface: outside
    Crypto map tag: vpnmap, seq num: 10, local addr:

      access-list planet2ndfirewall permit ip
      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:, remote crypto endpt.:

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 4BBBF828a


singhsaju Fri, 10/17/2008 - 09:27

Check for routing of the network on the remote side ( ) where the packets are decrypting.

Pls rate helpful posts

cisco24x7 Fri, 10/17/2008 - 12:48

This is what you need to do:

On the Checkpoint side:

1- check routing,

2- run "vpn debug ikeoff", "vpn debug trunc", "vpn debug ikeon",

3- fw monitor -e -o pix.cap "accept src==;"

This will allow you to look at how these two devices negotiate with each other via the ike.elg file in step 2, and to use Wireshark to look at the pix.cap file. You can see why it is not

Easy right?
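
As an added illustration of the counter reading behind this thread (not code from any of the posters), the following Python parses output in the layout of the asker's show crypto ipsec sa and flags the encaps-without-decaps pattern that points at the return path rather than the local Phase 2 settings. The sample text, its addresses and the function names are constructed; the counters are the ones in the question.

```python
import re
# Constructed sample in the layout of the poster's "show crypto ipsec sa" output; the
# counters are the ones in the question, the addresses are RFC 5737 placeholders.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: vpnmap, seq num: 10, local addr: 192.0.2.1
      access-list planet2ndfirewall permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.0.2.1, remote crypto endpt.: 198.51.100.7
      current outbound spi: 4BBBF828
"""

SA_START = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
FIELDS = {  # field name -> pattern, matched against each stripped line
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "recv_errors": re.compile(r".*#recv errors: (\d+)"),
    "remote": re.compile(r".*remote crypto endpt\.: (\S+)"),
}

def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry with its peer and packet counters."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_START.match(line)
        if m:  # a new crypto-map entry begins; later counter lines belong to it
            cur = {"tag": m.group(1), "seq": int(m.group(2)), "local": m.group(3),
                   "encaps": 0, "decaps": 0, "recv_errors": 0, "remote": None}
            sas.append(cur)
            continue
        for name, pat in FIELDS.items():
            m = pat.match(line)
            if m and cur is not None:
                cur[name] = m.group(1) if name == "remote" else int(m.group(1))
    return sas

def diagnose(sa):
    """encaps > 0 with decaps == 0 is the one-way tunnel from the question: this side
    encrypts and sends, nothing comes back, so look at remote routing and remote policy."""
    if sa["encaps"] and not sa["decaps"]:
        return "one-way-outbound"
    if sa["decaps"] and not sa["encaps"]:
        return "one-way-inbound"
    if not sa["encaps"] and not sa["decaps"]:
        return "idle"
    return "bidirectional"
```

A non-zero recv_errors value with decaps still at zero would instead mean the peer's packets arrive but are rejected locally, which shifts the suspicion back to the local proposal or SPI state.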

vtra Fri, 10/17/2008 - 13:24
I hope so, thank you very much for pointing me in the right direction.
