IPSEC doesn't work after a reboot

Hi,

I have a PIX 525 running 6.2.2.

We have an IPSEC tunnel with a Checkpoint FW 4.1. This was working fine.

For some reason we had to reboot the PIX. Now the tunnel is broken.

This is the error I get on the Checkpoint side.

Errors seen:

Error IKE: Quick Mode Received Notification from Peer: no proposal chosen.

and encryption fail reason: Packet is dropped as there is no valid SA.

I tried clearing the SAs on the PIX using

clear crypto ipsec sa

clear crypto isa sa

but it was no use. What could be the problem?

1 REPLY
Cisco Employee

Re: IPSEC doesn't work after a reboot

Hi Batchu,

When you reboot one side in an interoperability scenario, you should clear the IKE and IPSec SAs on both sides, including on the Checkpoint side.

Once that's done, if this still occurs, make sure you only have one proposal chosen for this tunnel on both sides.

The best chance you have to get things working with Checkpoint:

- use v4.1 SP1

- use ONLY one transform

- use only one ISAKMP policy

- make sure rekey values are 100% equal

When testing, don't declare success until you have tested re-keying. Also make sure you are successful bringing the tunnel up from both sides.

Hope this helps,

Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933
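As an added illustration of the advice in this reply (not the responder's configuration and not anything posted in the thread), here is a PIX 6.x-style fragment with exactly one ISAKMP policy, one transform set and explicit lifetimes. The peer address, pre-shared key and networks are placeholders; the Checkpoint rule has to be built with the same single proposal and the same two lifetime values, otherwise the peer answers Quick Mode with "no proposal chosen".

```cisco
! Added example only. Placeholder values are not taken from the thread.
! Phase 1: a single ISAKMP policy. With several policies defined, the PIX may
! accept a different one than the one the Checkpoint rule was built for.
isakmp enable outside
isakmp key PLACEHOLDER_PRESHARED_KEY address 198.51.100.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! IKE lifetime in seconds; must equal the Checkpoint IKE renegotiation time.
isakmp policy 10 lifetime 86400
!
! Phase 2: exactly one transform set. The Checkpoint rule's encryption and
! integrity algorithms must be this pair and nothing else.
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list vpn_traffic
crypto ipsec transform-set ONLY_TS esp-3des esp-sha-hmac
! IPsec SA lifetime in seconds; must equal the Checkpoint IPsec renegotiation time.
crypto ipsec security-association lifetime seconds 3600
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_traffic
crypto map vpnmap 10 set peer 198.51.100.10
crypto map vpnmap 10 set transform-set ONLY_TS
crypto map vpnmap interface outside
sysopt connection permit-ipsec
```

After changing either side, clear the IKE and IPsec SAs on both firewalls and then verify that the tunnel survives at least one rekey of each phase before calling it fixed.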
