VPN L2L ASA-CheckPoint disconnection

Answered Question
Jun 3rd, 2010

Hi ...

Please help ...

I've configured a VPN L2L between an ASA5505 and CP2070.

The tunnel is working, we have connectivity between sites, but the tunnel is disconnecting periodically.

When the tunnel fails, we need to make a "clear crypto isakmp sa <tunnel address>" to recover the connection.

I've been testing modifying the lifetime parameters in IKE and IPSec configurations, but the problems persist.

Any suggestions?

The ASA configuration file is attached.

Correct Answer by Federico Coto F... Thu, 06/03/2010 - 10:07

Hi,

If you resolve the issue by clearing the tunnel on the ASA side, I might think that there's a loss of connectivity on the Checkpoint side when this happens?

I mean... the ASA still believes the tunnel is up, but it isn't, because it is not up on the Checkpoint side.

As soon as you clear the SAs on the ASA, the tunnel renegotiates and re-establishes.

There are keepalives and DPD packets that can be sent to monitor the health of the VPN peer, but they work great between Cisco devices (I'm not sure if there are incompatibility issues with other brands).

Can you check if that's the problem?

Also, are the ISAKMP phase 1 and phase 2 lifetimes set to the same value on both units?

Federico.


m.kafka Fri, 06/04/2010 - 01:37

Hi guigonza,

finding out the reason for a "periodic disconnect" would require debug.

Depending on which side disconnects, the debugs should be run either on the ASA or on the CP.

Which SAs are disconnected, IKE or IPsec? What is the typical/shortest/longest time of survival?

debug crypto isakmp [detail-level] or debug crypto ipsec [detail-level] helps you to find the reason. The config alone cannot really explain everything.

Rgds, MiKa
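Federico's question (are the phase 1 and phase 2 lifetimes the same on both units?) and MiKa's (which SA dies, and how long does the tunnel survive?) can be answered from the ASA syslog before anyone touches debug levels. The following is an added example, not code from the thread or from Cisco or Check Point: it parses constructed ASA log lines carrying the standard message IDs 713119 (PHASE 1 COMPLETED), 713120 (PHASE 2 COMPLETED) and 713050 (Connection terminated), computes how long each tunnel instance survived, and reports which configured lifetime that interval coincides with. The peer address, the log lines and both sets of lifetime values are hypothetical.

```python
"""
Added example (not from the original thread): correlate ASA IKE/IPsec syslog
events with the configured phase 1 / phase 2 lifetimes to see which SA is
dying and whether the failure interval lines up with a rekey.

Assumptions (not from the thread): the log lines below are constructed, the
peer 203.0.113.10 is a documentation address, and the lifetime values passed
to diagnose() are hypothetical.
"""
import re
from datetime import datetime

# Constructed sample: the tunnel comes up, dies about 3600 s later, is cleared
# by hand and comes back, then dies again after the same interval.
SAMPLE_LOG = """\
Jun 03 2010 08:00:00: %ASA-5-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
Jun 03 2010 08:00:01: %ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=1b2c3d4e)
Jun 03 2010 09:00:02: %ASA-5-713050: Group = 203.0.113.10, IP = 203.0.113.10, Connection terminated for peer 203.0.113.10.  Reason: Peer Terminate  Remote Proxy 10.2.0.0, Local Proxy 10.1.0.0
Jun 03 2010 09:15:00: %ASA-5-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
Jun 03 2010 09:15:01: %ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=2c3d4e5f)
Jun 03 2010 10:15:03: %ASA-5-713050: Group = 203.0.113.10, IP = 203.0.113.10, Connection terminated for peer 203.0.113.10.  Reason: Peer Terminate  Remote Proxy 10.2.0.0, Local Proxy 10.1.0.0
"""

# Timestamp, six-digit message ID, and the "IP = x.x.x.x" field that every IKE message carries.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<id>\d{6}): .*?IP = (?P<peer>[\d.]+)"
)

def parse_events(log):
    """Return (timestamp, message_id, peer) for every line that matches the ASA IKE format."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        events.append((ts, m.group("id"), m.group("peer")))
    return events

def survival_times(events, peer):
    """Seconds from each PHASE 1 COMPLETED to the next Connection terminated for that peer."""
    out = []
    up_since = None
    for ts, msg_id, p in events:
        if p != peer:
            continue
        if msg_id == "713119":
            up_since = ts
        elif msg_id == "713050" and up_since is not None:
            out.append(int((ts - up_since).total_seconds()))
            up_since = None
    return out

def lifetime_mismatches(asa, checkpoint):
    """Phases whose lifetime (seconds) differs between the two peers."""
    return {k for k in asa if asa[k] != checkpoint.get(k)}

def nearest_lifetime(seconds, lifetimes, tolerance=0.05):
    """Name of the configured lifetime the survival time sits within `tolerance` of, else None."""
    for name, lt in lifetimes.items():
        if abs(seconds - lt) <= tolerance * lt:
            return name
    return None

def diagnose(log, peer, asa, checkpoint):
    """Survival times, phases whose lifetimes disagree, and the rekey each failure coincides with."""
    times = survival_times(parse_events(log), peer)
    return {
        "survival_s": times,
        "mismatched": sorted(lifetime_mismatches(asa, checkpoint)),
        "coincides_with": [nearest_lifetime(t, asa) for t in times],
    }

if __name__ == "__main__":
    # Hypothetical lifetimes: the two boxes agree on phase 1 but not on phase 2.
    asa_lifetimes = {"phase1": 86400, "phase2": 3600}
    cp_lifetimes = {"phase1": 86400, "phase2": 28800}
    print(diagnose(SAMPLE_LOG, "203.0.113.10", asa_lifetimes, cp_lifetimes))
```

With the sample above the tunnel survives roughly 3600 s each time, which is the ASA's phase 2 lifetime and the one value the two peers disagree on, so the failure is pointing at the phase 2 rekey rather than at phase 1 or at the link. On a real box, feed it the output of the buffered syslog (or the syslog server's file) and the lifetimes from `show run crypto` on the ASA and from the Check Point VPN community properties; if survival times are scattered rather than clustered near a lifetime, the cause is more likely a path or DPD problem than a rekey mismatch.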

guigonza Fri, 06/04/2010 - 05:35

Thanks for your suggestions.

We checked the CP and ASA configurations, at least the lifetimes parameters.

We reconfigured the same lifetimes parameters on both units and we are testing the behaviour.

The next step is to get the debug in both units on controlled test to see the possible causes.

As soon as I get some results in this test I'll post it.

Thanks a lot.

Todd Pula Fri, 06/04/2010 - 11:23

Crypto debugs from both sides while replicating the problem will be required to isolate further.  I did run into a strange interop issue with Checkpoint once before where the tunnel would fail during a P1 rekey.  The Checkpoint device was incorrectly deleting the P2 SAs during this rekey process resulting in tunnel failure.  Clearing the tunnel from the ASA would restore connectivity.  Checkpoint wound up adding the following to their firewall to resolve.

ckp_regedit -a SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1

cpstop

cpstart

guigonza Tue, 06/15/2010 - 05:04

Well, after some tests and checking the parameters suggested, we found the problem. Both firewalls had different lifetime values in IKE phase 1 and 2. We modified these values and everything is working fine.

Thanks for help ....
