Cisco RA vpn client through a checkpoint

Unanswered Question
Sep 30th, 2009


Possibly a question for a Checkpoint forum, but I can't seem to find too much info, plus I do not administer the ChkPt.

I have users on a customer site with various versions, mainly 4.7.x but some 5.x, which is where I have the problem.

Some 4.7.x clients would get session dropouts with "Lost Service" in the PIX 8.x logs. The ChkPt admin let me know inbound (to customer site) UDP 500 was getting dropped and I got him to open it up. This has fixed the 4.7 issues.

But the 5.x clients, which I'd like to roll out, still have some problems, and the ChkPt admin has seen various UDP drops including 1063 - 1065 and 1410. There are probably others, but he just looked at a few logs.

The ChkPt does no NATing - it is a pvt WAN link (but VPN client access still required)

Does anyone know:

- What ports 5.x uses and how to force it from the PIX?

- Or a ChkPt rule that allows VPN passthru

- Or if the above is possible considering 5.x seems to use a moving set of ports.

Any help much appreciated,


Collin Clark Thu, 10/01/2009 - 13:04


You should only need ISAKMP which is UDP 500 and the ESP Protocol. Depending on your config though you may also need non500-isakmp (UDP 4500).

Hope it helps.
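To make the answer above concrete from the firewall admin's side, here is an added example (not code from the thread or from Cisco/Check Point) that classifies dropped flows by the IPsec component they would break: ISAKMP (UDP 500), NAT-T (UDP 4500) and the ESP protocol. It also separates a drop on destination port 500/4500 from a drop on a reply whose *source* port is 500/4500, since the two need different rules. The log line format and the sample addresses are constructed assumptions, not the poster's actual ChkPt logs.

```python
import re
from collections import Counter

# Constructed sample firewall drop lines (assumed format, one flow per line).
# 192.0.2.10 plays the VPN client, 198.51.100.5 the PIX VPN endpoint.
SAMPLE_LOG = """\
drop proto=udp src=192.0.2.10 sport=1063 dst=198.51.100.5 dport=500
drop proto=udp src=192.0.2.10 sport=4500 dst=198.51.100.5 dport=4500
drop proto=esp src=192.0.2.10 dst=198.51.100.5
drop proto=udp src=198.51.100.5 sport=500 dst=192.0.2.10 dport=1410
drop proto=tcp src=192.0.2.11 sport=40000 dst=198.51.100.5 dport=443
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>\S+)(?:\s+sport=(?P<sport>\d+))?"
    r"\s+dst=(?P<dst>\S+)(?:\s+dport=(?P<dport>\d+))?"
)

# The three things an IPsec remote-access client needs through a firewall.
REQUIRED = ("isakmp", "nat-t", "esp")


def parse_line(line):
    """Parse one constructed drop line into a dict; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"].lower(),
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def classify(proto, sport, dport):
    """Map a dropped flow to the IPsec component it blocks, or None if unrelated.

    A drop on dport 500/4500 blocks the client's outbound negotiation; a drop
    on sport 500/4500 blocks the gateway's reply heading back to the client's
    ephemeral port (which looks like a 'random' UDP port in the logs).
    """
    if proto == "esp":
        return "esp"
    if proto == "udp":
        if dport == 500:
            return "isakmp"
        if dport == 4500:
            return "nat-t"
        if sport == 500:
            return "isakmp-reply"
        if sport == 4500:
            return "nat-t-reply"
    return None


def summarize_drops(log_text):
    """Count dropped flows per IPsec component; unrelated drops land in 'other'."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["proto"], rec["sport"], rec["dport"])
        counts[kind or "other"] += 1
    return dict(counts)


def blocked_components(summary):
    """Return the required components for which the log shows drops, in order."""
    return [
        c for c in REQUIRED
        if summary.get(c, 0) or summary.get(c + "-reply", 0)
    ]


if __name__ == "__main__":
    summary = summarize_drops(SAMPLE_LOG)
    print(summary)
    print("components still blocked:", blocked_components(summary))
```

Feeding the admin's real drop lines through `summarize_drops` (after adjusting `LINE_RE` to the actual log format) shows whether the remaining drops are on the well-known ports or only on replies to the client's ephemeral ports, which is the distinction that decides which direction the ChkPt rule needs to cover.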

m.surtees Thu, 10/01/2009 - 16:14

Hi Colin,

Yeah, that's what I would have thought. But at least one of the 5.x clients seems to do otherwise ... if I believe the log info I got from the ChkPt admin.

For the user it happens to most, I've added:


to the .pcf file. She's not the best tester though for reasons I won't go into :)

If it does work - I will know in a couple of days as it is intermittent - it is not a very elegant fix, as the pcf (without the addition) is out in the wild already.

I was hoping to be able to force it from the PIX termination point.

Thanks anyway,
