Hi Fabrizio,
We have seen issues with Checkpoint and ASAs around rekeys in the past. It seems like delete messages in one way or the other are treated differently.
There is a checkpoint document which might help.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42315
The fix is to run:
ckp_regedit -a SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1
Run cpstop
Run cpstart
Run the command cat HKLM_registry.data | grep DontDel from $CPDIR/registry and verify the output.
That may be something for you to check into.
Also on the ASA side, one thing that we can do is make sure that even if the tunnel bounces the data flow stays up (by default it will tear down). To do that you can configure the following system option:
conf t
sysopt connection preserve-vpn-flows
In order for it to take effect you have to tear down the tunnel:
clear crypto ipsec peer x.x.x.x
Some other cases have been resolved by enabling the "ignore the delete SPI for Phase1 packet" setting on the Checkpoint.
Also check the following document
https://supportforums.cisco.com/thread/257154?tstart=0
I hope it helps,
regards,
Itzcoatl
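As an added example (not part of the post above and not Check Point's own tooling), the verification step for the registry change can be wrapped in a small POSIX sh function that checks whether DontDelIpsecSPI_OnP1Del is present and set to 1 in HKLM_registry.data. The on-disk format of that file is not shown in the post, so the function only assumes that the key name and its numeric value appear on the same line; the two sample files it writes are constructed for offline demonstration and are not real registry dumps.

```shell
#!/bin/sh
# Added example: verify the DontDelIpsecSPI_OnP1Del setting after
# "ckp_regedit -a SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1"
# followed by cpstop / cpstart.
# ASSUMPTION: the registry data file keeps the key name and its value on
# one line; the exact format is not documented in the post.

# check_dontdel FILE
# Returns 0 when DontDelIpsecSPI_OnP1Del is set to 1 in FILE,
# 1 when it is absent or set to a different value, 2 if FILE is unreadable.
check_dontdel() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Take the last numeric value that follows the key name on its line.
    value=$(grep 'DontDelIpsecSPI_OnP1Del' "$file" \
        | sed -n 's/.*DontDelIpsecSPI_OnP1Del[^0-9]*\([0-9]*\).*/\1/p' \
        | tail -n 1)
    if [ "$value" = "1" ]; then
        echo "DontDelIpsecSPI_OnP1Del is set to 1"
        return 0
    fi
    echo "DontDelIpsecSPI_OnP1Del is not set to 1 (found: '${value:-none}')" >&2
    return 1
}

# Constructed sample files (hypothetical format) so the check can run offline.
SAMPLE_OK="/tmp/dontdel_ok.$$"
SAMPLE_BAD="/tmp/dontdel_bad.$$"
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT
printf 'SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del 1\n' > "$SAMPLE_OK"
printf 'SOFTWARE/CheckPoint/VPN1 SomeOtherKey 1\n' > "$SAMPLE_BAD"

# On a real gateway, after cpstop / cpstart, run:
#   check_dontdel "$CPDIR/registry/HKLM_registry.data"
```

Run it on the gateway with the real path shown in the trailing comment; a non-zero exit means the rekey workaround is not actually in effect, which is worth confirming before treating the Check Point side as fixed.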