VPN STS with checkpoint strange behavior

Unanswered Question
Dec 6th, 2013
On my side I have ASA 5520 and on the other site there is a Checkpoint Appliance 4500.


We configured a site-to-site VPN with an IKEv1 SA lifetime of 28000 seconds and an IPsec SA lifetime of 3600 seconds.


The tunnel works, but after 55 minutes there is a key renewal and the VPN goes down for 30 seconds.


The clients behind the Checkpoint lose their RDP connection to the server behind the ASA, and the ping monitoring from my server to the Checkpoint clients stops with "request timed out".



In the logs I see:


ASA side:

6|Dec 04   2013|10:34:17|602304|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD9673E9D) between CHECKPOINT and ASA (user= CHECKPOINT) has been deleted.

6|Dec 04   2013|10:34:17|602304|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5F701F32)   between ASA and CHECKPOINT (user= CHECKPOINT) has been deleted.


Checkpoint side:

  Dec 04 2013|10:25:37|IKE: Informational Exchange Received Delete IPSEC-SA from Peer: ASA; SPIs: eccb335c

  Dec 04 2013|10:32:15|IKE: Quick Mode Sent Notification: Responder Lifetime




What can I do to troubleshoot this?

Itzcoatl Espinosa Wed, 12/11/2013 - 12:10

Hi Fabrizio,


We have seen issues with Checkpoint and ASAs around rekeys in the past. It seems like delete messages in one way or the other are treated differently.


There is a Checkpoint document which might help.


https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42315


The fix is to run:


ckp_regedit -a SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1

Run cpstop

Run cpstart

Run the command cat HKLM_registry.data | grep DontDel from $CPDIR/registry and verify the output.


That may be something for you to check into.


Also on the ASA side, one thing that we can do is make sure that even if the tunnel bounces the data flow stays up (by default it will tear down). To do that you can configure the following system option:


conf t

sysopt connection preserve-vpn-flows


In order for it to take effect you have to tear down the tunnel:


clear crypto ipsec peer x.x.x.x



Some other cases have been resolved by enabling the "ignore the delete SPI for Phase1 packet" setting on the Checkpoint.


Also check the following document:

https://supportforums.cisco.com/thread/257154?tstart=0



I hope it helps,


regards,


Itzcoatl
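To see whether a rekey is really a full tunnel teardown, it helps to put both devices' log lines on one timeline. The script below is an added example, not part of this thread or of any Cisco or Checkpoint tool: it parses the pipe-delimited ASA syslog lines and the Checkpoint IKE lines in the formats quoted above (the sample lines are constructed copies of those), normalises the SPIs, and flags any point where both the inbound and the outbound SA were deleted together, which is a bounce rather than a graceful rekey. It assumes both devices' clocks are in sync; the quoted logs are several minutes apart, so check NTP before trusting the merged order.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the two formats quoted in the thread (not real captures).
ASA_LOG = [
    "6|Dec 04   2013|10:34:17|602304|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD9673E9D) between CHECKPOINT and ASA (user= CHECKPOINT) has been deleted.",
    "6|Dec 04   2013|10:34:17|602304|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5F701F32)   between ASA and CHECKPOINT (user= CHECKPOINT) has been deleted.",
]
CP_LOG = [
    "Dec 04 2013|10:25:37|IKE: Informational Exchange Received Delete IPSEC-SA from Peer: ASA; SPIs: eccb335c",
    "Dec 04 2013|10:32:15|IKE: Quick Mode Sent Notification: Responder Lifetime",
]

SPI_RE = re.compile(r"SPIs?[=:]\s*(?:0x)?([0-9a-fA-F]+)")   # "SPI= 0xD967..." or "SPIs: eccb335c"
DIR_RE = re.compile(r"An (inbound|outbound) LAN-to-LAN SA")

def _ts(date_field, time_field):
    # The ASA date field carries padding spaces ("Dec 04   2013"); collapse them first.
    return datetime.strptime(" ".join(date_field.split()) + " " + time_field, "%b %d %Y %H:%M:%S")

def parse_asa(line):
    """ASA syslog: severity|date|time|msgid|||||text. Returns a normalised event dict."""
    f = line.split("|")
    text = f[-1]
    spi, direction = SPI_RE.search(text), DIR_RE.search(text)
    return {"side": "asa", "ts": _ts(f[1], f[2]), "msgid": f[3],
            "spi": spi.group(1).lower() if spi else None,
            "direction": direction.group(1) if direction else None, "text": text}

def parse_checkpoint(line):
    """Checkpoint IKE log: date|time|text. Classifies the two message kinds seen in the thread."""
    f = line.split("|")
    text = f[2]
    spi = SPI_RE.search(text)
    kind = ("delete_received" if "Received Delete" in text
            else "responder_lifetime" if "Responder Lifetime" in text else "other")
    return {"side": "checkpoint", "ts": _ts(f[0], f[1]), "kind": kind,
            "spi": spi.group(1).lower() if spi else None, "text": text}

def find_teardowns(asa_events, window=timedelta(seconds=5)):
    """Return (time, inbound_spi, outbound_spi) wherever both directions of a LAN-to-LAN
    SA were deleted (msg 602304) within `window`: the whole tunnel went down, not one SA."""
    dels = [e for e in asa_events if e["msgid"] == "602304"]
    return [(i["ts"], i["spi"], o["spi"])
            for i in dels if i["direction"] == "inbound"
            for o in dels if o["direction"] == "outbound" and abs(o["ts"] - i["ts"]) <= window]

def timeline():
    """Merge both sides into one time-ordered list (assumes synchronised clocks)."""
    events = [parse_asa(l) for l in ASA_LOG] + [parse_checkpoint(l) for l in CP_LOG]
    return sorted(events, key=lambda e: e["ts"])

if __name__ == "__main__":
    for e in timeline():
        print(e["ts"], e["side"], e.get("spi"), e["text"][:60])
    print("teardowns:", find_teardowns([parse_asa(l) for l in ASA_LOG]))
```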
