I have a VPN set up between a Cisco ASA 5505 and a CP NGX R65. The CP firewall is the remote side. The primary problem is that when a phase 1 rekey occurs, it will often fail. Sometimes after a few hours it will come up on its own. At other times I clear the phase 1 and 2 SAs and the tunnel comes up. We have verified the phase 1 and 2 parameters and both sides match exactly. We have removed the crypto map and reapplied it as well. I've attached the sanitized running config. I would appreciate any help. Thanks for your time.
Could you remove the lifetime parameters from the config?
This config did not work for me; I removed the lifetime and the VPN worked better.
If I understand you correctly, you want me to remove the phase 1 lifetime? If so, I cannot do that on our production firewall.
Do you have 'support for aggressive mode' or 'support key exchange for subnets' enabled in the IKE properties on the Check Point?
What about PFS? Is that enabled on the Check Point side?
I would also try enabling an ISAKMP debug on the ASA (debug crypto isakmp) and see if you're receiving a specific error during phase 1 negotiations. You can disable the debug by issuing 'undebug all'.
Hope this helps.
I will check the CP settings, but I know PFS is not enabled on the CP side.
Here is part of a debug crypto isakmp output from yesterday.
Jan 28 13:21:35 [IKEv1 DEBUG]: Group = x.y.z.4, IP = x.y.z.4, IKE MM Responder FSM error history (struct &0xd54801f0)
I understood from this that the CP firewall should be responding to this and it does not appear to be.
I think the previous responder might be on to something. You might be running into an issue because your phase 1 and phase 2 lifetimes on the ASA are set to the same value (86400 seconds, ~24 hours).
These commands from the config set the global IPsec timeout value and are unnecessary because they are set to the same value as the default:
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
Then you have these commands in the crypto map overriding the default IPsec timeout of 28800 in favor of 86400 (the same timeout specified in the ISAKMP policy):
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
I would try removing the custom IPsec timeout (phase 2) and let it use the default value of 28800 (8 hours). This way, phase 1 and phase 2 won't be attempting to re-negotiate at the same time.
Are both the IKE and IPSec SA timeouts on the Check Point side the same as the ASA?
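The lifetime change this reply proposes, shown as a before/after ASA configuration fragment. This is an added illustration, not part of the original post; it assumes the crypto map name and sequence number quoted above (outside_map 1) and uses only standard ASA configuration and show commands. Lines beginning with ! are comments for the reader.

```cisco
! --- As posted: the per-crypto-map phase 2 lifetime overrides the global
! --- default (28800 s) and equals the phase 1 lifetime (86400 s), so both
! --- SAs come up for renegotiation at the same moment.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes 4608000

! --- Proposed change: drop the per-crypto-map override so phase 2 falls
! --- back to the global default of 28800 s (8 h) while phase 1 stays at
! --- 86400 s (24 h); the two rekeys then no longer coincide.
no crypto map outside_map 1 set security-association lifetime seconds 86400
no crypto map outside_map 1 set security-association lifetime kilobytes 4608000

! --- Verify what is now in effect, then watch the next rekey.
show running-config crypto map
show crypto isakmp sa
show crypto ipsec sa

! --- To force a fresh negotiation instead of waiting for the next rekey
! --- (the same manual clear described in the opening post):
clear crypto ipsec sa
clear crypto isakmp sa
```

After the change, the phase 2 lifetime reported by `show crypto ipsec sa` should read 28800 seconds for this peer while the phase 1 SA in `show crypto isakmp sa` keeps its 24-hour lifetime; whether that actually resolves the rekey failure is exactly what the later replies in this thread dispute, so confirm against the next debug capture rather than assuming it.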
"You might be running into an issue because your phase 1 and phase 2 lifetimes on the ASA are set to the same value (86400 seconds~24 hours)."
This has nothing to do with this.
I would do the following:
a- What is the HFA of the CP firewall? Please show the output of "fw ver".
b- Check the timeout setting on both Cisco and Check Point and make sure they are correct. CP, by design, defaults phase I to 1440 minutes and phase II to 3600 seconds.
c- vpn debug ikeoff
d- vpn debug iketrunc
e- vpn debug ikeon
f- Under the Check Point configuration of the VPN community (I assume you use Simplified mode), select negotiation per host, NOT
g- Push the policy.
Now test the VPN. You can view the debug on the CP side with the IKEView.exe file. It will tell you exactly what goes wrong.
Thanks everyone for your responses. We do not control the remote CP firewall so it may take me some time to gather this information.
I have a Check Point SecurePlatform NGX R65 with HFA_30. If you want to test your VPN with me, let me know. Send me your email and we can