2077 Views, 0 Helpful, 5 Replies

VPN L2L ASA-CheckPoint disconnection

guigonza (Level 1)

Hi ...

Please your help ...

I've configured a VPN L2L between an ASA5505 and CP2070.

The tunnel is working, we have connectivity between sites, but the tunnel is disconnecting periodically.

When the tunnel fails, we need to make a "clear crypto isakmp sa <tunnel address>" to recover the connection.

I've been testing modifying the lifetime parameters in IKE and IPSec configurations, but the problems persist.

Any suggestion?

The ASA configuration file is attached.

Accepted Solution

Hi,

If you resolve the issue by clearing the tunnel on the ASA side, I might think that there's a loss of connectivity on the Checkpoint side when this happens?

I mean... the ASA still believes the tunnel is up, but it isn't, because it is not up on the Checkpoint side.

As soon as you cleared the SAs on the ASA, the tunnel renegotiates and reestablishes.

There are keepalives and DPD packets that can be sent to monitor the health of the VPN peer, but they work great between Cisco devices. (I'm not sure if there are incompatibility issues with other brands).

Can you check if that's the problem?

Also, are the ISAKMP phase 1 and phase 2 lifetimes set to the same value on both units?

Federico.

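The accepted answer points at two things to verify: whether both peers agree on the phase 1 and phase 2 lifetimes, and whether DPD/keepalives are in place so the ASA notices when the other side drops the SA. The script below is an added example, not code from the original post or from Cisco or Check Point: it parses a constructed ASA configuration excerpt (not the poster's attached file) for the ISAKMP policy lifetime, the IPsec SA lifetime (crypto-map override or global) and the tunnel-group keepalive line, then compares them with values assumed to have been read off the Check Point side. The peer values and the ASA default of 86400 s for an unset phase 1 lifetime are assumptions for the example.

```python
import re

# Constructed sample of an ASA (8.x-style) L2L configuration excerpt. It is an
# illustration for this example, not the configuration file attached to the post.
ASA_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec security-association lifetime seconds 28800
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
"""

# Constructed values assumed to have been read off the Check Point community's
# VPN properties: phase 1 renegotiation 480 min, phase 2 renegotiation 3600 s.
PEER = {"ike_lifetime": 480 * 60, "ipsec_lifetime": 3600}

ASA_IKE_DEFAULT = 86400  # assumed ASA default phase-1 lifetime when none is set


def parse_asa_config(text):
    """Pull the tunnel-health settings out of an ASA running-config excerpt."""
    s = {"ike": {}, "ipsec_global": None, "ipsec_map": {}, "dpd": {}}
    section = None  # which indented block we are inside, if any
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            section = None
            if m := re.fullmatch(r"crypto isakmp policy (\d+)", raw):
                section = ("ike", int(m.group(1)))
                s["ike"].setdefault(section[1], ASA_IKE_DEFAULT)
            elif m := re.fullmatch(r"tunnel-group (\S+) ipsec-attributes", raw):
                section = ("tg", m.group(1))
                s["dpd"].setdefault(section[1], None)  # None: not set explicitly
            elif m := re.fullmatch(r"crypto ipsec security-association lifetime seconds (\d+)", raw):
                s["ipsec_global"] = int(m.group(1))
            elif m := re.fullmatch(r"crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)", raw):
                s["ipsec_map"][f"{m.group(1)} {m.group(2)}"] = int(m.group(3))
            continue
        line = raw.strip()
        if section and section[0] == "ike":
            if m := re.fullmatch(r"lifetime (\d+)", line):
                s["ike"][section[1]] = int(m.group(1))
        elif section and section[0] == "tg":
            if m := re.fullmatch(r"isakmp keepalive threshold (\d+) retry (\d+)", line):
                s["dpd"][section[1]] = (int(m.group(1)), int(m.group(2)))
            elif line == "isakmp keepalive disable":
                s["dpd"][section[1]] = "disabled"
    return s


def effective_ipsec_lifetimes(s):
    """Crypto-map overrides win; otherwise the global value applies."""
    if s["ipsec_map"]:
        return dict(s["ipsec_map"])
    return {"global": s["ipsec_global"]} if s["ipsec_global"] is not None else {}


def check_tunnel_settings(s, peer):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    for policy, secs in sorted(s["ike"].items()):
        if secs != peer["ike_lifetime"]:
            findings.append(f"IKE policy {policy}: phase-1 lifetime {secs}s on ASA, {peer['ike_lifetime']}s on peer")
    for name, secs in effective_ipsec_lifetimes(s).items():
        if secs != peer["ipsec_lifetime"]:
            findings.append(f"IPsec SA ({name}): lifetime {secs}s on ASA, {peer['ipsec_lifetime']}s on peer")
    for addr, dpd in s["dpd"].items():
        if dpd == "disabled":
            findings.append(f"tunnel-group {addr}: DPD disabled, ASA will not notice a dead peer")
        elif dpd is None:
            findings.append(f"tunnel-group {addr}: DPD not set explicitly, relying on platform default")
    return findings


if __name__ == "__main__":
    for line in check_tunnel_settings(parse_asa_config(ASA_CONFIG), PEER):
        print(line)
```

Run against the sample it reports the two mismatches that the thread eventually identified as the root cause (phase 1 and phase 2 lifetimes differing between the units); feed it a `show running-config` excerpt from the real ASA and the values from the Check Point VPN properties to repeat the check on a live pair.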

5 Replies

m.kafka (Level 4)

Hi guigonza,

Finding out the reason for a "periodic disconnect" would require debug.

Depending which side disconnects the debugs should be run either on the ASA or the CP.

Which SAs are disconnected, IKE or IPsec? What is the typical/shortest/longest time of survival?

debug crypto isakmp [detail-level] or debug crypto ipsec [detail-level] helps you to find the reason. The config alone cannot really explain everything.

Rgds, MiKa

Thanks for your suggestions.

We checked the CP and ASA configurations, at least the lifetime parameters.

We reconfigured the same lifetime parameters on both units and we are testing the behaviour.

The next step is to get the debug on both units in a controlled test to see the possible causes.

As soon as I get some results in this test I'll post them.

Thanks a lot.

Crypto debugs from both sides while replicating the problem will be required to isolate further.  I did run into a strange interop issue with Checkpoint once before where the tunnel would fail during a P1 rekey.  The Checkpoint device was incorrectly deleting the P2 SAs during this rekey process resulting in tunnel failure.  Clearing the tunnel from the ASA would restore connectivity.  Checkpoint wound up adding the following to their firewall to resolve.

ckp_regedit -a SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1

cpstop

cpstart

Well, after some tests and checking the parameters suggested we found the problem.  Both firewalls had different lifetime values in IKE phase 1 and 2.  We modified these values and everything is working fine.

Thanks for help ....
