ASA 5505 8.0(4) and Check Point NGX R65 L2L IPSEC VPN

millerw1
Level 1

I have a vpn setup between a Cisco ASA 5505 and a CP NGX R65. The CP firewall is the remote side. The primary problem is that when a phase 1 rekey occurs it will often fail. Sometimes after a few hours it will come up on its own. At other times I clear the phase 1 and 2 sa's and the tunnel comes up. We have verified the phase 1 and 2 parameters and both sides match exactly. We have removed the crypto map and reapplied it as well. I've attached the sanitized running config. I would appreciate any help. Thanks for your time.

9 Replies

millerw1
Level 1

Here is the config.

Could you remove the lifetime parameters from the config?

This config did not work for me; I removed the lifetime and the VPN worked better.

Regards.

If I understand you correctly, you want me to remove the phase 1 lifetime? If so, I cannot do that on our production firewall.

eddie.mitchell
Level 3

Do you have 'support for aggressive mode' or 'support key exchange for subnets' enabled in the IKE properties on the Check Point?

What about PFS? Is that enabled on the Check Point side?

I would also try enabling an isakmp debug on the ASA (debug crypto isakmp) and see if you're receiving a specific error during phase 1 negotiations. You can disable the debug by issuing 'undebug all'

Hope this helps.

I will check the CP settings, but I know PFS is not enabled on the CP side.

Here is part of a debug crypto isakmp output from yesterday.

Jan 28 13:21:35 [IKEv1 DEBUG]: Group = x.y.z.4, IP = x.y.z.4, IKE MM Responder FSM error history (struct &0xd54801f0) , : MM_DONE, EV_ERROR->MM_SND_MSG6_H, EV_SND_MSG_OK>MM_SND_MSG6_H, EV_SND_MSG>MM_SND_MSG6, EV_SND_MSG>MM_BLD_MSG6, EV_ENCRYPT_OK>MM_BLD_MSG6, NullEvent>MM_BLD_MSG6, EV_ENCRYPT_MSG->MM_BLD_MSG6, EV_CHECK_IA

I understood from this that the CP firewall should be responding to this and it does not appear to be.

Thank you.

I think the previous responder might be on to something. You might be running into an issue because your phase 1 and phase 2 lifetimes on the ASA are set to the same value (86400 seconds, ~24 hours).

These commands from the config set the global IPSec timeout value and are unnecessary because they are set to the same value as default:

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

Then you have these commands in the crypto-map overriding the default ipsec timeout of 28800 in favor of 86400 (same timeout specified in the ISAKMP policy):

crypto map outside_map 1 set security-association lifetime seconds 86400

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

I would try removing the custom IPSec timeout (phase 2) and let it use the default value of 28800 (8 hours). This way, phase 1 and phase 2 won't be attempting to re-negotiate at the same time.

Are both the IKE and IPSec SA timeouts on the Check Point side the same as the ASA?
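The check suggested in the reply above, written as a small script: it reads the lifetime-related lines out of an ASA running-config, works out the effective Phase 2 lifetime for each crypto map entry (the map's own `set security-association lifetime seconds` if present, otherwise the global `crypto ipsec security-association lifetime seconds`, otherwise the 28800-second default), and flags any ISAKMP policy whose Phase 1 lifetime is identical to it. This is example code added to the thread, not something any poster ran; the config excerpt inside it is constructed from the commands quoted in the replies and is not the original poster's attachment, and the ISAKMP policy number (10) and the peer address are assumptions.

```python
"""Flag ASA configurations whose Phase 1 (ISAKMP) and Phase 2 (IPsec SA)
lifetimes coincide, so that both rekeys fire at the same moment.

Added example for this thread; not code from any of the posters.
"""
import re

# Constructed sample: only the lifetime-related lines, modelled on the
# commands quoted in the thread. Policy number and peer are assumptions.
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 set peer x.y.z.4
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# ASA default Phase 2 lifetime when no explicit value is configured (8 hours).
ASA_DEFAULT_IPSEC_SECONDS = 28800


def parse_lifetimes(config):
    """Extract Phase 1 and Phase 2 lifetimes (in seconds) from an ASA config.

    Returns a dict with:
      'isakmp'       -> {policy_number: seconds}
      'ipsec_global' -> global IPsec SA lifetime (default if not set)
      'crypto_map'   -> {(map_name, seq): seconds} for per-entry overrides
    """
    result = {"isakmp": {}, "ipsec_global": ASA_DEFAULT_IPSEC_SECONDS, "crypto_map": {}}
    current_policy = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Any top-level command ends the indented ISAKMP policy block.
            current_policy = None
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current_policy = int(m.group(1))
            continue
        m = re.match(r"\s+lifetime (\d+)$", line)
        if m and current_policy is not None:
            result["isakmp"][current_policy] = int(m.group(1))
            continue
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line)
        if m:
            result["ipsec_global"] = int(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)$", line)
        if m:
            result["crypto_map"][(m.group(1), int(m.group(2)))] = int(m.group(3))
    return result


def effective_phase2_seconds(lifetimes, map_name, seq):
    """Per-entry override wins; otherwise the global (or default) value applies."""
    return lifetimes["crypto_map"].get((map_name, seq), lifetimes["ipsec_global"])


def find_equal_lifetimes(config):
    """Return (map_name, seq, policy, seconds) for every crypto map entry whose
    effective Phase 2 lifetime equals some ISAKMP policy's Phase 1 lifetime."""
    lifetimes = parse_lifetimes(config)
    # Entries are those with an explicit override plus any referenced elsewhere;
    # here we only know entries from their lifetime lines.
    entries = set(lifetimes["crypto_map"])
    findings = []
    for map_name, seq in sorted(entries):
        p2 = effective_phase2_seconds(lifetimes, map_name, seq)
        for policy, p1 in sorted(lifetimes["isakmp"].items()):
            if p1 == p2:
                findings.append((map_name, seq, policy, p1))
    return findings


def check_point_phase1_seconds(minutes):
    """Check Point expresses its IKE Phase 1 renegotiation time in minutes;
    convert so it can be compared with ASA values in seconds."""
    return minutes * 60


if __name__ == "__main__":
    for map_name, seq, policy, secs in find_equal_lifetimes(SAMPLE_CONFIG):
        print(f"crypto map {map_name} {seq}: Phase 2 lifetime {secs}s equals "
              f"isakmp policy {policy} Phase 1 lifetime; rekeys will coincide")
```

Removing the `crypto map outside_map 1 set security-association lifetime seconds 86400` line from the sample makes the entry fall back to the 28800-second global value and the script reports nothing, which is the change the reply above proposes. The last helper only converts minutes to seconds so that a Check Point Phase 1 value of 1440 minutes can be compared directly with an ASA policy lifetime of 86400 seconds.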

"You might be running into an issue because your phase 1 and phase 2 lifetimes on the ASA are set to the same value (86400 seconds, ~24 hours)."

This has nothing to do with this.

I would do the following:

a- What is the HFA of the CP firewall? Please show the output of "fw ver".

b- Check the timeout setting on both Cisco and Checkpoint and make sure they are correct. CP, by design, defaults phase I to 1440 minutes and phase II to 3600 seconds, respectively.

c- vpn debug ikeoff

d- vpn debug iketrunc

e- vpn debug ikeon

f- Under the Checkpoint configuration of the VPN community (I assumed you use Simplified mode), select negotiation per host, NOT SUBNET.

g- Push the policy.

Now test the VPN. You can view the debug on the CP side with the IKEView.exe file. It will tell exactly what goes wrong.

Thanks everyone for your responses. We do not control the remote CP firewall so it may take me some time to gather this information.

I have a Checkpoint Secureplatform NGx R65 with HFA_30. If you want to test your VPN with me, let me know. Send me your email and we can chat.
