Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5837
Views
0
Helpful
1
Replies

VPN STS with checkpoint strange behavior

Fabrizio Pelliccione
Level 1
Level 1

‎12-06-2013 02:51 AM

On my side I have ASA 5520 and on the other site there is a Checkpoint Appliance 4500.

We configure a site to site vpn with IKE V1 Sa Lifetime 28000 seconds and IPSEC Sa Lifetime of 3600 seconds.

The Tunnel works but, after 55 minutes there is a renew of the Key and the vpn goes down for 30 seconds.

The clients on the Checkpoint lost rdp connection with server behind ASA and the ping monitoring from my server to checkpoint clients stops witch "request timedout".

In the log I See:

ASA side:

6|Dec 04   2013|10:34:17|602304|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD9673E9D) between CHECKPOINT and ASA (user= CHECKPOINT) has been deleted.

6|Dec 04   2013|10:34:17|602304|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5F701F32)   between ASA and CHECKPOINT (user= CHECKPOINT) has been deleted.

Checkpoint side:

  Dec 04 2013|10:25:37|IKE: Informational Exchange Received Delete IPSEC-SA from Peer: ASA; SPIs: eccb335c

  Dec 04 2013|10:32:15|IKE: Quick Mode Sent Notification: Responder Lifetime

What can I do to troubleshoot this?

Labels:
0 Helpful
1 Reply 1

Itzcoatl Espinosa
Cisco Employee
Cisco Employee

‎12-11-2013 12:10 PM

Hi Fabrizio,

We have seen issues with Checkpoint and ASAs around rekeys in the past. It seems like delete messages in one way or the other are treated differently.

There is a checkpoint document which might help.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42315

The fix is to run:

ckp_regedit -a SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1

Run cpstop

Run cpstart

Run the command cat HKLM_registry.data | grep DontDel from $CPDIR/registry and verify the

output.

That may be something for you to check into.

Also on the ASA side, one thing that we can do is make sure that even if the tunnel

bounces the data flow stays up (by default it will tear down). To do that you can

configure the following system option:

conf t

sysopt connection preserve-vpn-flows

In order for it to take effect you have to tear down the tunnel:

clear crypto ipsec peer x.x.x.x

Some other cases have been  resolved by enabling the "ignore the delete SPI for Phase1 packet" setting on the Checkpoint.

Also check the following document

https://supportforums.cisco.com/thread/257154?tstart=0

I hope it helps,

regards,

Itzcoatl

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents