We have an issue with a VPN L2L tunnel dropping after the Phase 1 rekeying process.
The VPN establishes without any problems with initiating traffic from both local sites.
But when it comes to rekeying Phase 1 (the ASA is the initiator of the rekeying process), then:
1. The new Phase 1 rekey process is established properly.
2. The ASA sends a message to the Checkpoint to delete the old Phase 1 SAs.
3. The Checkpoint answers the ASA to also delete the old Phase 2 SAs, and here is the problem.
4. The ASA receives this message and deletes the old Phase 2 SAs.
5. Phase 2 is created from the beginning, but the current TCP connections between the local sites are dropped.
Phase 1 and Phase 2 idle timers were set to the same values at both ends.
Currently we use 14400s for Phase 1 and 1800s for Phase 2, and this issue appears every 3 hours (75% of the max idle time).
Pings are running from a host on the ASA's local subnet to a host on the Checkpoint's local subnet every 60 seconds to keep the connection running.
I have found a strange thing:
Sometimes the first Phase 1 rekey process works (without losing the old Phase 2 SAs), and the only difference in the whole rekey process is in the flags in the logs:
good - 13:37:24 %ASA-7-713906: Group = B.B.B.B, IP = B.B.B.B, IKE SA MM:6cf559de terminating: flags 0x01000006, refcnt 0, tuncnt 0
bad - 16:37:23 %ASA-7-713906: Group = B.B.B.B, IP = B.B.B.B, IKE SA MM:3b57d414 terminating: flags 0x01000026, refcnt 0, tuncnt 0
ASA 5520 with failover active/standby, software 7.08
Checkpoint NGX R65 HFA50 (latest R65 version)
But this problem also appeared with ASA 7.07, the newest ASA 8, and some older Checkpoint software.
ASA sample log included in attachments:
It looks like it is some software bug, but I need an expert opinion about that.
Maybe someone has had a similar problem?
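As an added example (not part of the original post, and not Cisco or Check Point code), here is a small Python script that parses the two %ASA-7-713906 "IKE SA ... terminating" lines quoted above, reports which flag bits differ between the "good" and "bad" terminations, and checks whether the interval between them matches the expected Phase 1 rekey point (75% of the 14400s lifetime). The meaning of the individual flag bits is not documented on this page, so the script deliberately decodes nothing: it only isolates the differing bits (0x20 in the quoted lines). The sample log lines are the two from the post; the field names and the 75% rekey fraction used for the comparison are assumptions of this example.

```python
"""Compare ASA %ASA-7-713906 'IKE SA ... terminating' log lines.

Added example, not from the original post. It extracts the SA cookie and the
flags word from each line, shows which flag bits the 'bad' termination sets
that the 'good' baseline does not, and checks the time between the two
terminations against the expected Phase 1 rekey point (assumed here to be
75% of the configured lifetime, as the post observes).
"""
import re
from datetime import datetime, timedelta

# Field layout of the 713906 message exactly as quoted in the post.
_RE_713906 = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}) %ASA-7-713906: Group = (?P<group>\S+), "
    r"IP = (?P<ip>\S+), IKE SA MM:(?P<cookie>[0-9a-f]+) terminating: "
    r"flags 0x(?P<flags>[0-9a-f]+), refcnt (?P<refcnt>\d+), tuncnt (?P<tuncnt>\d+)"
)


def parse_713906(line):
    """Return the fields of a 713906 line as a dict, or None if it is not one."""
    m = _RE_713906.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["flags"] = int(d["flags"], 16)
    d["refcnt"] = int(d["refcnt"])
    d["tuncnt"] = int(d["tuncnt"])
    d["time"] = datetime.strptime(d["time"], "%H:%M:%S").time()
    return d


def flag_diff(baseline_flags, flags):
    """Bits set in `flags` but not in the baseline, and bits missing from `flags`."""
    return {"extra": flags & ~baseline_flags, "missing": baseline_flags & ~flags}


def seconds_between(t1, t2):
    """Seconds from wall-clock time t1 to t2, wrapping past midnight."""
    delta = datetime.combine(datetime.min, t2) - datetime.combine(datetime.min, t1)
    if delta < timedelta(0):
        delta += timedelta(days=1)
    return int(delta.total_seconds())


def expected_rekey_seconds(lifetime_s, fraction=0.75):
    """Assumed rekey point: the post observes rekeys at 75% of the lifetime."""
    return int(lifetime_s * fraction)


# Constructed sample: the two lines quoted in the post, tagged as in the post.
SAMPLE_LOG = [
    ("good", "13:37:24 %ASA-7-713906: Group = B.B.B.B, IP = B.B.B.B, "
             "IKE SA MM:6cf559de terminating: flags 0x01000006, refcnt 0, tuncnt 0"),
    ("bad",  "16:37:23 %ASA-7-713906: Group = B.B.B.B, IP = B.B.B.B, "
             "IKE SA MM:3b57d414 terminating: flags 0x01000026, refcnt 0, tuncnt 0"),
]


def analyse(samples, phase1_lifetime_s=14400, tolerance_s=5):
    """Build a good-flags baseline, diff each bad line against it, check timing."""
    good = [parse_713906(l) for tag, l in samples if tag == "good"]
    bad = [parse_713906(l) for tag, l in samples if tag == "bad"]
    good = [g for g in good if g]
    bad = [b for b in bad if b]
    baseline = 0
    for g in good:
        baseline |= g["flags"]          # union of every flag seen on a good teardown
    report = {
        "baseline_flags": baseline,
        "flag_diff": {b["cookie"]: flag_diff(baseline, b["flags"]) for b in bad},
        "expected_rekey_s": expected_rekey_seconds(phase1_lifetime_s),
    }
    if good and bad:
        interval = seconds_between(good[0]["time"], bad[0]["time"])
        report["interval_s"] = interval
        report["interval_matches_rekey_point"] = (
            abs(interval - report["expected_rekey_s"]) <= tolerance_s
        )
    return report


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("baseline flags: 0x%08x" % r["baseline_flags"])
    for cookie, diff in r["flag_diff"].items():
        print("SA %s: extra bits 0x%x, missing bits 0x%x"
              % (cookie, diff["extra"], diff["missing"]))
    print("interval %ds, expected rekey at %ds, match=%s"
          % (r["interval_s"], r["expected_rekey_s"], r["interval_matches_rekey_point"]))
```

Fed a longer capture (every 713906 line tagged by whether the Phase 2 SAs survived), the same baseline/diff approach shows whether the extra bit is consistently present on the bad teardowns, which is the kind of evidence to attach when raising this with the vendor.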