Cisco Support Community

New Member

Lan-to-lan tunnel VPN 3020 problems

I have a lan-to-lan tunnel between two sites working well, but I have an intermittent problem when we connect more than one person from one site (VPN3020) to the same server at the other site (Checkpoint). The tunnel remains OK but there is no application traffic (in an intermittent way). I saw in the VPN logs that there is a continuous renegotiation of phase 2 just when the problem appears (in the file attached). This log is repeated the same every second. The tunnel is OK on both sides and there is no problem when it is used by only one person.

New Member

Re: Lan-to-lan tunnel VPN 3020 problems

Check with your internet provider whether there is any CAR applied to your internet connection which pertains to bandwidth.

Cisco Employee

Re: Lan-to-lan tunnel VPN 3020 problems

Most probably the network list on the concentrator does not fully match the encryption domain configured on the Checkpoint.

If the Checkpoint is configured on a host basis, and your network list is subnet based, you will run into these issues.

*Please rate if helped.


New Member

Re: Lan-to-lan tunnel VPN 3020 problems

Is this thread still active or did you find a solution? I have just had this problem myself and now have a working VPN.

New Member

Re: Lan-to-lan tunnel VPN 3020 problems

I didn't find a solution. I have a Check Point firewall and I had to change my Lan to Lan tunnel from the Cisco VPN to the firewall, where the tunnel works correctly. If you found a solution, please tell me. Thanks.

New Member

Re: Lan-to-lan tunnel VPN 3020 problems

The VPN was failing to initialise in phase two.

The checkpoint was configured to not autosummarise networks. Both ends had EXACTLY the same networks defined - this is where the problem lay. We had a supernet at each end of the VPN. eg:


(End A) - /

CPnt (security domain)

(End B) - /

So according to instructions, configure the EXACT same networks at each end:

In Cisco VPN

local network / (W/card mask)

remote network /

Now when the IKE negotiation takes place, the Checkpoint end fails it, because it breaks down the supernetted networks into individual class Cs.

I configured the Cisco VPN to use networks:

local networks / /

remote networks / /

Once I'd done that both ends could initiate the VPN and came up stable.

Hope this helps, let me know how you get on.
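
The mismatch described in the last post, as an added example that is not part of the original thread: it compares the phase 2 selectors a supernet-based network list produces with those of a peer that splits supernets into /24s, then prints the per-/24 entries in address/wildcard-mask form. The addresses and all function names are constructed for illustration.

```python
import ipaddress
from itertools import product

def split_to_class_c(networks):
    """Break anything larger than a /24 into /24s, as the peer in the thread did."""
    out = set()
    for n in networks:
        net = ipaddress.ip_network(str(n))
        out.update(net.subnets(new_prefix=24) if net.prefixlen < 24 else [net])
    return sorted(out)

def selectors(local, remote):
    """Every local/remote pair that can be proposed as a phase 2 selector."""
    return {(ipaddress.ip_network(str(l)), ipaddress.ip_network(str(r)))
            for l, r in product(local, remote)}

def mismatch(cisco_local, cisco_remote):
    """Compare the concentrator's selectors with a peer that does not summarise.

    Returns (only_on_cisco, only_on_peer); both empty means the ends agree.
    """
    cisco = selectors(cisco_local, cisco_remote)
    peer = selectors(split_to_class_c(cisco_local), split_to_class_c(cisco_remote))
    return sorted(cisco - peer), sorted(peer - cisco)

def wildcard_entries(networks):
    """Format networks as address/wildcard-mask network list entries, one per /24."""
    return [f"{n.network_address}/{n.hostmask}" for n in split_to_class_c(networks)]

# Constructed sample addresses, not the ones from the thread.
SUPERNET_LOCAL, SUPERNET_REMOTE = ["10.10.0.0/23"], ["10.20.0.0/23"]

if __name__ == "__main__":
    only_cisco, only_peer = mismatch(SUPERNET_LOCAL, SUPERNET_REMOTE)
    print("selectors only the concentrator would use:", only_cisco)
    print("selectors only the peer would use:", only_peer)
    print("local list to configure:", wildcard_entries(SUPERNET_LOCAL))
    print("remote list to configure:", wildcard_entries(SUPERNET_REMOTE))
```

With the supernets, neither side's selector set contains the other's; once both lists are entered as individual /24s, `mismatch` returns two empty lists.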