Cisco 837 <-> Checkpoint IPSEC VPN (drops every hour)
This question is regarding a Cisco 837 to Checkpoint IPSEC (site-to-site) VPN link. For over a year this configuration has been working perfectly. Our vendor is in the process of upgrading their network and will be ending their use of the Checkpoint that is currently terminating our VPN. They requested we modify the destination PEER address on our side so that we would be terminating into a new Checkpoint.
The only change we had to make in the Cisco 837 was the Destination Peer Address. The VPN came up perfectly.
Upon monitoring the VPN over the past few days since this change, we see the VPN drops every hour, for about 3 minutes. It looks like the two devices are having a problem re-negotiating the SAs prior to the current SAs' lifetime expiry (3600 seconds).
We have attempted to verify that as many of our settings as possible match on both ends, but we cannot figure out why this is happening.
Attached is a screenshot they provided me of the Checkpoint config, the Cisco 837 (sh ver, sh run) and the output from the Cisco 837 (debug crypto ipsec, debug crypto pki, debug crypto isakmp).
They are pointing the finger at our end stating they have numerous clients on their new Checkpoint and we are the only ones experiencing this issue. I can't believe it is our issue, since the only change we made was the Destination Peer Address. If you have any thoughts or ideas, they would be appreciated.
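The symptom described in the post (tunnel drops roughly once an hour, matching the 3600-second IPsec SA lifetime) can be checked rather than eyeballed. The following is an added example, written by the editor and not taken from the thread or from any Cisco or Check Point tool; the tunnel-up and outage timestamps are constructed to mimic a monitor log. It measures how old the current SA was when each drop began (after a drop the tunnel renegotiates, so each new SA is dated from the end of the previous outage) and tests whether every drop lands just past a candidate lifetime. A healthy pair rekeys before expiry, so drops clustered at "age equals lifetime" are the signature of a failed rekey; a period near 86400 seconds would instead point at the Phase 1 (ISAKMP) SA, and no alignment at all would point away from lifetimes toward DPD or the link itself.

```python
from datetime import datetime

# Constructed sample monitor data (not from the thread): when the tunnel first
# came up, and (down, back-up) pairs for each observed drop.
TUNNEL_UP = datetime(2009, 3, 2, 8, 0, 0)
OUTAGES = [
    (datetime(2009, 3, 2, 9, 0, 5), datetime(2009, 3, 2, 9, 3, 10)),
    (datetime(2009, 3, 2, 10, 3, 20), datetime(2009, 3, 2, 10, 6, 25)),
    (datetime(2009, 3, 2, 11, 6, 30), datetime(2009, 3, 2, 11, 9, 40)),
]

# Candidate SA lifetimes in seconds: the IOS / Check Point defaults for the
# IPsec (Phase 2) SA and the ISAKMP (Phase 1) SA.
CANDIDATE_LIFETIMES = {"ipsec-phase2": 3600, "isakmp-phase1": 86400}


def sa_ages_at_drop(tunnel_up, outages):
    """Age in seconds of the live SA at the moment each drop began.

    After a drop the tunnel is renegotiated from scratch, so the 'epoch' of
    the next SA is the end of the previous outage, not the original tunnel-up.
    """
    ages = []
    epoch = tunnel_up
    for down, up in outages:
        ages.append((down - epoch).total_seconds())
        epoch = up
    return ages


def outage_durations(outages):
    """Seconds the tunnel stayed down for each drop."""
    return [(up - down).total_seconds() for down, up in outages]


def matching_lifetime(ages, candidates, tolerance=60):
    """Name of the candidate lifetime that every drop follows within
    `tolerance` seconds, or None if no single lifetime explains all drops."""
    for name, lifetime in candidates.items():
        if all(0 <= age - lifetime <= tolerance for age in ages):
            return name
    return None


def diagnose(tunnel_up, outages, candidates=CANDIDATE_LIFETIMES):
    """Summarise the drops and name the SA whose expiry they line up with."""
    ages = sa_ages_at_drop(tunnel_up, outages)
    return {
        "sa_age_at_drop": ages,
        "outage_seconds": outage_durations(outages),
        "expired_sa": matching_lifetime(ages, candidates),
    }


if __name__ == "__main__":
    print(diagnose(TUNNEL_UP, OUTAGES))
```

On the constructed data the SA is 3605 to 3610 seconds old at every drop and the tunnel is down for roughly three minutes each time, so the check reports the Phase 2 lifetime. Note that the spacing between drop starts is lifetime plus recovery time (about 63 minutes here), which is why "every hour" in a monitor graph can look slightly off from an exact hour.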
Re: Cisco 837 <-> Checkpoint IPSEC VPN (drops every hour)
Indeed, I verified my Phase 1 and Phase 2 matched their screenshot for their configs. I guess the default values don't show up in the running config, but I typed them in again, just to make sure they matched.
They did give me more information with regards to their other clients. Most people are connecting with PIX 501s, ASA 5505s and SonicWalls. I am the only one connecting with a router.
I cannot find in the C837 where Aggressive Mode can be toggled, and that last debug had the message:
"peer does not do paranoid keepalives"
which has me thinking the C837 is attempting Aggressive Mode. So tonight, they are going to turn Aggressive Mode back on in their Checkpoint config, to see if that resolves it.
If not, I guess our only other option is to add in a PIX or ASA device. It is just frustrating to spend money on something that used to work before they had us change PEERS.