ASA5520 to Checkpoint Intermittent IPsec Connections

Mar 3rd, 2009

I have a VPN tunnel connected between an ASA5520 and Checkpoint firewall.

The issue is that connectivity has been working OK, then connectivity fails. The remote end targets an xlate on the ASA and, checking the ASA xlate, there have been no hits, although the other 3 connections using the same src/dst subnet are still working. The IPsec ACL is set up for the whole subnet at both ends, and the logs provided from the Checkpoint show attempts to connect. Has anybody suffered a similar issue?

cisco24x7 Tue, 03/03/2009 - 03:39

More information is needed:

1- Are the timeout settings for Phase I & II identical on both Checkpoint and ASA? What are the timeout settings of Phase I & II on the ASA?

2- Simplified or Traditional mode VPN on Checkpoint?

3- What is the version of Checkpoint? NG, NG with AI R55 or NGx? "uname -a" and "fw ver" will tell you the version

4- Are you running the most recent version of Checkpoint HFA? It does not have to be the latest but should be recent. For example, the latest release for NGx R65 is HFA_40, so you should be running HFA_30.

5- If you're using Simplified mode VPN, do you exchange key per subnets, per hosts, etc...? Which one did you choose? This could result in what you're seeing.

6- Run the debug "vpn debug ikeon" on the Checkpoint side. Then grab the $FWDIR/log/ike.elg file. Use IKEView.exe to view the debug; it will tell you exactly where you go wrong.

stuartngilson Tue, 03/03/2009 - 05:20

Sorry, I probably did not explain this very well. The VPN tunnel remains established with no problems, with other connectivity (HTTP, MQ and FTP) working.

We then have another FTP connection, which works with no problems, and then it is reported as failed.

The VPN tunnel is still established and the other connections through the tunnel still work. But this FTP connection is not working.

The remote end advises that from their Checkpoint logs they can see traffic hitting their rules and going into the tunnel, but we do not see traffic coming into our ASA, as I cannot see a hit on our xlate address that they target.

Then all of a sudden it will start working with no changes being done at either end.

The access-lists applied to the tunnel are for the whole subnet and this is the same at both ends.

JamesLuther Tue, 03/03/2009 - 04:49

You mentioned that the ipsec ACL is for the whole subnet at both ends. However has the VPN actually negotiated SA's based on the network or based on hosts?

You can check this in the Checkpoint log or using "sh crypto ipsec sa".

If they really have negotiated SA's for the whole network then it doesn't sound like a VPN issue. If it's host based SA's then it is a VPN issue (first thing to check is the timers).


cisco24x7 Tue, 03/03/2009 - 05:41

Checkpoint log may not show the issue. I will re-iterate what I said earlier:

- check your Phase I & II timeout settings on both sides,

- make sure your encryption domain matches on both sides. Checkpoint, by default, will super-net the network,

- run tcpdump on the inside interface of the Checkpoint firewall; that way, you will see the traffic in clear text after it gets decrypted by the CP firewall,

- run "vpn debug ikeon" and decode the IPSec negotiation phase. Use IKEView to read it,

- You really don't know until you can view the ike.elg output.

Last but not least, it may be an interoperability issue.

JamesLuther Tue, 03/03/2009 - 06:33

If SA's have been negotiated (which they have to send some traffic) then the Checkpoint log will show the details of the SA.

JamesLuther Tue, 03/03/2009 - 06:40

It sounds to me as if the most likely reason is that the SAs are actually host based and the Cisco end is deleting the SA before the Checkpoint end (you should see some invalid SPI errors on the Cisco end).

This is probably due to the Phase 2 timers not matching, or more likely the Cisco is expiring the SA based on MB of traffic (FTP connection, right?) whereas the Checkpoint isn't.

The result is Checkpoint carries on sending encrypted data and Cisco drops it. After the Checkpoint rotates its Phase 1 key it all starts working again.
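The two checks JamesLuther describes (in the 04:49 post: are the SAs negotiated per network or per host, visible in "sh crypto ipsec sa"; in the 06:40 post: is the ASA going to expire the SA on traffic volume before the time limit while the Checkpoint side only rekeys on time) can be scripted against the ASA output. The following is an added example, not code from the thread or from either vendor. It parses a constructed sample in the layout of ASA "show crypto ipsec sa" output (the addresses, SPIs, counters and lifetimes are made up), flags SAs whose proxy identities are /32 hosts rather than the subnet in the crypto ACL, and, given an assumed throughput estimate, flags SAs whose kilobyte lifetime would run out before their time lifetime. The function and variable names are the example's own.

```python
import re

# Constructed sample in the layout of ASA "show crypto ipsec sa" output;
# addresses, SPIs, counters and lifetimes are made up for this example.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.255.0 172.16.5.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 51234, #pkts encrypt: 51234, #pkts digest: 51234
      #pkts decaps: 50877, #pkts decrypt: 50877, #pkts verify: 50877

      inbound esp sas:
        spi: 0x4A1B2C3D (1243294781)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           sa timing: remaining key lifetime (kB/sec): (3912345/2410)
      outbound esp sas:
        spi: 0x7E8F9A0B (2123340299)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           sa timing: remaining key lifetime (kB/sec): (3912345/2410)
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.10.0.25/255.255.255.255/6/21)
      remote ident (addr/mask/prot/port): (172.16.5.40/255.255.255.255/6/0)
      current_peer: 198.51.100.20

      inbound esp sas:
        spi: 0x0C0D0E0F (202182159)
           sa timing: remaining key lifetime (kB/sec): (1200/25000)
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
LIFETIME_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_ipsec_sas(text):
    """Split the output into one record per proxy-identity pair (one IPsec SA pair).

    Each record holds the local/remote identities, the peer, and every
    (remaining kB, remaining seconds) pair found under its ESP SAs.
    """
    sas = []
    cur = None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask, proto, port = m.groups()
            if side == "local" or cur is None:
                cur = {"local": None, "remote": None, "peer": None, "lifetimes": []}
                sas.append(cur)
            cur[side] = {"addr": addr, "mask": mask, "proto": int(proto), "port": int(port)}
            continue
        if cur is None:
            continue
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = LIFETIME_RE.search(line)
        if m:
            cur["lifetimes"].append((int(m.group(1)), int(m.group(2))))
    return sas


def is_host_based(sa):
    """True when either proxy identity is a single host (/32) rather than a subnet."""
    return "255.255.255.255" in (sa["local"]["mask"], sa["remote"]["mask"])


def assess(sas, rate_kb_per_sec):
    """Return human-readable findings for host-based SAs and volume-first expiry.

    rate_kb_per_sec is an assumed throughput estimate for the flow (e.g. from
    the #pkts counters over an interval); it is not read from the output.
    """
    findings = []
    for i, sa in enumerate(sas, 1):
        label = (f"SA {i} {sa['local']['addr']}/{sa['local']['mask']} -> "
                 f"{sa['remote']['addr']}/{sa['remote']['mask']}")
        if is_host_based(sa):
            findings.append(f"{label}: host-based proxy identity, not the subnet in the crypto ACL")
        for kb, sec in sa["lifetimes"]:
            if rate_kb_per_sec > 0 and kb / rate_kb_per_sec < sec:
                findings.append(f"{label}: volume limit expires the SA in ~{kb / rate_kb_per_sec:.0f}s, "
                                f"before the {sec}s time limit")
    return findings


def lifetime_mismatches(asa, checkpoint):
    """Compare configured Phase 2 lifetimes; None means 'no limit of that kind'.

    Returns the names of the fields that differ between the two peers.
    """
    return [k for k in ("seconds", "kilobytes") if asa.get(k) != checkpoint.get(k)]


if __name__ == "__main__":
    parsed = parse_ipsec_sas(SAMPLE_SHOW_CRYPTO_IPSEC_SA)
    for finding in assess(parsed, rate_kb_per_sec=100.0):
        print(finding)
    # Assumed configured lifetimes: ASA with a kB limit, Checkpoint time-only.
    print(lifetime_mismatches({"seconds": 28800, "kilobytes": 4608000},
                              {"seconds": 28800, "kilobytes": None}))
```

On the sample, the first SA pair is subnet-to-subnet and has far more kilobytes than it can consume before its time lifetime, so it produces no finding; the second is host-to-host with 1200 kB left against 25000 seconds, which at 100 kB/s expires on volume in about 12 seconds, the situation described for the failing FTP flow. The lifetime comparison flags only the kilobyte field when one side has a volume limit and the other does not.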


stuartngilson Wed, 03/04/2009 - 07:53


When you say expiring the SA based on MB of traffic, I take it by MB you mean megabytes. If so, do you mean the ASA has a limitation set on the amount of data it will pass per SA? If yes, how do you view/change this?

stuartngilson Wed, 03/04/2009 - 08:04


Ignore my last question, I now realise you mean whether we rekey on time or amount of data.

