ASA 5505 8.0(4) and Check Point NGX R65 L2L IPSEC VPN

Unanswered Question
Jan 29th, 2009

I have a vpn setup between a Cisco ASA 5505 and a CP NGX R65. The CP firewall is the remote side. The primary problem is that when a phase 1 rekey occurs it will often fail. Sometimes after a few hours it will come up on its own. At other times I clear the phase 1 and 2 sa's and the tunnel comes up. We have verified the phase 1 and 2 parameters and both sides match exactly. We have removed the crypto map and reapplied it as well. I've attached the sanitized running config. I would appreciate any help. Thanks for your time.

millerw1 Thu, 01/29/2009 - 08:27

If i understand you correctly, you want me to remove the phase 1 lifetime? If so i cannot do that on our production firewall.

eddie.mitchell@... Thu, 01/29/2009 - 08:38

Do you have 'support for aggressive mode' or 'support key exchange for subnets' enabled in the IKE properties on the Check Point?

What about PFS? Is that enabled on the Check Point side?

I would also try enabling an isakmp debug on the ASA (debug crypto isakmp) and see if you're receiving a specific error during phase 1 negotiations. You can disable the debug by issuing 'undebug all'

Hope this helps.

millerw1 Thu, 01/29/2009 - 08:53

I will check the CP settings but i know PFS is not enabled on the CP side.

Here is part of a debug crypto isakmp output from yesterday.

Jan 28 13:21:35 [IKEv1 DEBUG]: Group = x.y.z.4, IP = x.y.z.4, IKE MM Responder FSM error history (struct &0xd54801f0) , : MM_DONE, EV_ERROR->MM_SND_MSG6_H, EV_SND_MSG_OK>MM_SND_MSG6_H, EV_SND_MSG>MM_SND_MSG6, EV_SND_MSG>MM_BLD_MSG6, EV_ENCRYPT_OK>MM_BLD_MSG6, NullEvent>MM_BLD_MSG6, EV_ENCRYPT_MSG->MM_BLD_MSG6, EV_CHECK_IA

I understood from this that the CP firewall should be responding to this and it does not appear to be.

Thank you.

eddie.mitchell@... Thu, 01/29/2009 - 09:15

I think the previous responder might be on to something. You might be running into an issue because your phase 1 and phase 2 lifetimes on the ASA are set to the same value (86400 seconds~24 hours).

These commands from the config set the global IPSec timeout value and are unnecessary because they are set to the same value as default:

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

Then you have these commands in the crypto-map overriding the default ipsec timeout of 28800 in favor of 86400 (same timeout specified in the ISAKMP policy):

crypto map outside_map 1 set security-association lifetime seconds 86400

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

I would try removing the custom IPSec timeout (phase 2) and let it use the default value of 28800 (8 hours). This way, phase 1 and phase 2 won't be attempting to re-negotiate at the same time.

Are both the IKE and IPSec SA timeouts on the Check Point side the same as the ASA?
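An added check, not from the thread, that lints an ASA running config for the condition eddie.mitchell describes: a crypto map entry whose effective phase 2 (IPsec SA) lifetime equals the phase 1 (ISAKMP) lifetime, so both SAs expire and rekey at the same moment. The sample config is constructed from the lifetime commands quoted above; the peer address, transform set and ACL name are placeholders.

```python
import re

# Constructed sample modelled on the lifetime commands quoted in the thread;
# peer, transform set and ACL name are placeholders, not the poster's config.
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.4
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

ASA_DEFAULT_IPSEC_SECONDS = 28800   # default phase 2 lifetime on the ASA
ASA_DEFAULT_ISAKMP_SECONDS = 86400  # default phase 1 lifetime on the ASA

GLOBAL_RE = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)$")
MAP_RE = re.compile(r"^crypto map (\S+ \d+) set security-association lifetime seconds (\d+)$")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+ \d+) ")
ISAKMP_RE = re.compile(r"^crypto isakmp policy \d+$")


def parse_lifetimes(config):
    """Return (phase 1 lifetimes per ISAKMP policy, {map entry: phase 2 lifetime}).
    A per-entry 'set security-association lifetime seconds' overrides the global
    'crypto ipsec security-association lifetime seconds' (default 28800)."""
    global_ipsec, overrides, entries, isakmp = ASA_DEFAULT_IPSEC_SECONDS, {}, set(), []
    in_policy = False
    for line in config.splitlines():
        if ISAKMP_RE.match(line):
            in_policy = True
            isakmp.append(ASA_DEFAULT_ISAKMP_SECONDS)  # replaced if 'lifetime' follows
            continue
        if in_policy and line.startswith(" "):          # indented policy sub-command
            if line.strip().startswith("lifetime "):
                isakmp[-1] = int(line.split()[1])
            continue
        in_policy = False
        m = GLOBAL_RE.match(line) or MAP_RE.match(line) or MAP_ENTRY_RE.match(line)
        if m is None:
            continue
        if m.re is GLOBAL_RE:
            global_ipsec = int(m.group(1))
        elif m.re is MAP_RE:
            overrides[m.group(1)] = int(m.group(2))
        else:
            entries.add(m.group(1))
    return isakmp, {e: overrides.get(e, global_ipsec) for e in sorted(entries)}


def rekey_collisions(config):
    """Crypto map entries whose phase 2 lifetime equals some phase 1 lifetime."""
    isakmp, ipsec = parse_lifetimes(config)
    return [e for e, secs in ipsec.items() if secs in isakmp]
```

Removing the two per-entry `set security-association lifetime` lines makes the entry fall back to the global 28800 and the collision disappears.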

cisco24x7 Thu, 01/29/2009 - 09:52

"You might be running into an issue because your phase 1 and phase 2 lifetimes on the ASA are set to the same value (86400 seconds~24 hours)."

This has nothing to do with this.

I would do the following:

a- what is the HFA of the CP firewall? please show the output of "fw ver".

b- Check the timeout setting on both Cisco and Checkpoint and make sure they are correct. CP, by design, default phase I to 1440 minutes and 3600 seconds for phase I and II,

c- vpn debug ikeoff

d- vpn debug iketrunc

e- vpn debug ikeon

f- Under the Checkpoint configuration of the VPN community (I assumed you use Simplified mode), select negotiation per host, NOT

g- push the policy,

Now test the VPN. You can view the debug on the CP side with IKEView.exe file. It will tell exactly what goes wrong

millerw1 Thu, 01/29/2009 - 10:29

Thanks everyone for your responses. We do not control the remote CP firewall so it may take me some time to gather this information.

cisco24x7 Thu, 01/29/2009 - 10:53

I have a Checkpoint Secureplatform NGx R65 with HFA_30. If you want to test your VPN with me, let me know. Send me your email and we can
