Cisco Support Community
Community Member

ASA5520 to Checkpoint Intermittent IPSEC Connections

I have a VPN tunnel connected between an ASA5520 and Checkpoint firewall.

The issue is that connectivity has been working OK, then connectivity fails. The remote end targets an xlate on the ASA, and checking the ASA xlate there have been no hits, although the other 3 connections using the same src/dst subnet are still working. The IPsec ACL is set up for the whole subnet at both ends, and the logs provided from the Checkpoint show attempts to connect. Has anybody suffered a similar issue?

8 REPLIES
Silver

Re: ASA5520 to Checkpoint Intermittent IPSEC Connections

More information is needed:

1- timeout for phase I & II settings identical on both Checkpoint and ASA? What is the timeout settings of Phase I & II on the ASA?

2- Simplified or Traditional mode VPN on Checkpoint?

3- What is the version of Checkpoint? NG, NG with AI R55 or NGx? "uname -a" and "fw ver" will tell you the version

4- Are you running the most recent version of Checkpoint HFA? It does not have to be the latest, but it should be recent. For example, the latest release for NGx R65 is HFA_40, so you should be running HFA_30.

5- If you're using Simplified mode VPN, do you exchange keys per subnet, per host, etc.? Which one did you choose? This could result in what you're seeing.

6- Run debug "vpn debug ikeon" on the Checkpoint side. Then grab the $FWDIR/log/ike.elg file. Use IKEView.exe to view the debug; it will tell you exactly where you go wrong.

Community Member

Re: ASA5520 to Checkpoint Intermittent IPSEC Connections

Sorry, I probably did not explain this very well. The VPN tunnel remains established, with no problems with other connectivity (HTTP, MQ and FTP working).

We then have another FTP connection, which is working with no problems; then it is reported as failed.

The VPN tunnel is still established and the other connections through the tunnel still work. But this FTP connection is not working.

The remote end advises that from their Checkpoint logs they can see traffic hitting their rules and going into the tunnel, but we do not see traffic coming into our ASA, as I cannot see a hit on our xlate address that they target.

Then all of a sudden it will start working, with no changes being made at either end.

The access-lists applied to the tunnel are for the whole subnet, and this is the same at both ends.

Bronze

Re: ASA5520 to Checkpoint Intermittent IPSEC Connections

Hi,

You mentioned that the IPsec ACL is for the whole subnet at both ends. However, has the VPN actually negotiated SAs based on the network or based on hosts?

You can check this in the Checkpoint log or using "sh crypto ipsec sa".

If they really have negotiated SAs for the whole network, then it doesn't sound like a VPN issue. If they are host-based SAs, then it is a VPN issue (the first thing to check is the timers).

Regards

Silver

Re: ASA5520 to Checkpoint Intermittent IPSEC Connections

The Checkpoint log may not show the issue. I will reiterate what I said earlier:

- check your Phase I & II timeout settings on both sides,

- make sure your encryption domain matches on both sides. Checkpoint, by default, will supernet the network,

- run tcpdump on the inside interface of the Checkpoint firewall; that way, you will see the traffic in clear text after it gets decrypted by the CP firewall,

- run "vpn debug ikeon" and decode the IPsec negotiation phase. Use IKEView to read it,

- you really don't know until you can view the ike.elg output.

Last but not least, it may be an interoperability issue.

Bronze

Re: ASA5520 to Checkpoint Intermittent IPSEC Connections

If SAs have been negotiated (which they have, to send some traffic), then the Checkpoint log will show the details of the SA.

Bronze

Re: ASA5520 to Checkpoint Intermittent IPSEC Connections

It sounds to me as if the most likely reason is that the SAs are actually host-based and the Cisco end is deleting the SA before the Checkpoint end (you should see some invalid SPI errors on the Cisco end).

This is probably due to the Phase 2 timers not matching, or, more likely, the Cisco is expiring the SA based on MB of traffic (FTP connection, right?) whereas the Checkpoint isn't.

The result is that the Checkpoint carries on sending encrypted data and the Cisco drops it. After the Checkpoint rotates its Phase 1 key, it all starts working again.

Regards
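The two replies above both come down to reading "sh crypto ipsec sa" carefully: whether the proxy identities are the subnets or single /32 hosts, and whether an SA's remaining lifetime is going to run out on kilobytes before it runs out on seconds. The script below is an added example for this thread, not code from any of the posters or from Cisco. It parses a constructed sample of ASA "show crypto ipsec sa" output (field layout as the ASA prints it; addresses, SPIs and counters are invented) and reports host-based SAs and SAs that will rekey on volume at an assumed traffic rate.

```python
"""Classify the IPsec SAs an ASA reports in `show crypto ipsec sa`.

Added example for this thread, not code from the original posts or from
Cisco.  The sample output below is constructed: the field layout mirrors
what an ASA prints, but addresses, SPIs and counters are made up.
"""
import re

# Constructed sample: seq 10 negotiated a subnet-to-subnet SA, seq 20 a
# host-to-host (/32) SA whose remaining kilobyte budget is nearly spent.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 1150, #pkts decrypt: 1150, #pkts verify: 1150

      inbound esp sas:
        spi: 0x1A2B3C4D (439041101)
           transform: esp-aes esp-sha-hmac no compression
           sa timing: remaining key lifetime (kB/sec): (4373930/3560)
      outbound esp sas:
        spi: 0x5E6F7A8B (1584757387)
           transform: esp-aes esp-sha-hmac no compression
           sa timing: remaining key lifetime (kB/sec): (4373930/3560)

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.1.25/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.40/255.255.255.255/0/0)
      current_peer: 198.51.100.1

      inbound esp sas:
        spi: 0x0C0FFEE1 (202182369)
           sa timing: remaining key lifetime (kB/sec): (12000/2900)
      outbound esp sas:
        spi: 0x0C0FFEE2 (202182370)
           sa timing: remaining key lifetime (kB/sec): (9000/2900)
"""

MAP_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")
DIR_RE = re.compile(r"(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry with its proxy identities and SAs."""
    entries, cur, direction = [], None, None
    for line in text.splitlines():
        if m := MAP_RE.search(line):
            cur = {"map": m.group(1), "seq": int(m.group(2)), "sas": []}
            entries.append(cur)
            direction = None
        elif cur is None:
            continue
        elif m := IDENT_RE.search(line):
            cur[m.group(1)] = (m.group(2), m.group(3))   # (address, mask)
        elif m := PEER_RE.search(line):
            cur["peer"] = m.group(1)
        elif m := DIR_RE.search(line):
            direction = m.group(1)
        elif m := SPI_RE.search(line):
            cur["sas"].append({"dir": direction, "spi": m.group(1)})
        elif m := LIFE_RE.search(line):
            cur["sas"][-1]["kb_left"] = int(m.group(1))
            cur["sas"][-1]["sec_left"] = int(m.group(2))
    return entries


def is_host_based(entry):
    """True when either proxy identity is a single host (/32) rather than the subnet."""
    return any(entry[side][1] == "255.255.255.255" for side in ("local", "remote"))


def expiring_limit(sa, kb_per_sec):
    """Which lifetime the SA hits first if traffic keeps flowing at kb_per_sec (assumed rate)."""
    seconds_until_volume = sa["kb_left"] / kb_per_sec
    return "kilobytes" if seconds_until_volume < sa["sec_left"] else "seconds"


def diagnose(text, kb_per_sec):
    """Findings a practitioner would act on: host SAs and volume-driven rekeys."""
    findings = []
    for e in parse_ipsec_sa(text):
        ident = f"{e['local'][0]}/{e['local'][1]} <-> {e['remote'][0]}/{e['remote'][1]}"
        if is_host_based(e):
            findings.append(f"seq {e['seq']}: host-based SA {ident}; check Checkpoint key-exchange granularity")
        for sa in e["sas"]:
            if "kb_left" in sa and expiring_limit(sa, kb_per_sec) == "kilobytes":
                findings.append(f"seq {e['seq']}: {sa['dir']} {sa['spi']} will rekey on volume "
                                f"({sa['kb_left']} kB left); confirm the peer uses the same kB lifetime")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SHOW_CRYPTO_IPSEC_SA, kb_per_sec=100):
        print(finding)
```

Run against the sample it flags the seq 20 entry as host-based and both of its SAs as about to rekey on volume, while the seq 10 subnet SAs will expire on time first. On the ASA the lifetimes themselves are visible with "show running-config crypto ipsec" and set globally with "crypto ipsec security-association lifetime seconds" and "crypto ipsec security-association lifetime kilobytes" (or per crypto-map entry with "set security-association lifetime"); the point of the check is that whichever limit is hit first must be the same limit on the Checkpoint side, or the peer keeps sending on an SPI the ASA has already deleted.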

Community Member

Re: ASA5520 to Checkpoint Intermittent IPSEC Connections

James,

When you say expiring the SA based on MB of traffic, I take it by MB you mean megabytes. If so, do you mean the ASA has a limitation set on the amount of data it will pass per SA? If yes, how do you view/change this?

Community Member

Re: ASA5520 to Checkpoint Intermittent IPSEC Connections

James,

Ignore my last question; I now realise you mean whether we rekey on time or on amount of data.
