You probably won't find many CheckPoint experts here either :-)
It does sound like the firewall is the problem though just from your description, in that you have to create the translation first by doing the traceroute before you can get your ISAKMP packets through. It also sounds like the translation times out in the CheckPoint after 30 minutes and then has to be rebuilt again.
I'd be checking the translation table and the logs in the CP after you try and connect your tunnel without doing a traceroute first and see what it says.
Don't know if anyone can help any further, but it looks to me like the packet gets through before performing the trace route but the connection does not initiate. Why would there be a duplicate first packet detected? Why would performing a trace route stop this message?
Below is an attempt to connect using the Cisco client before I trace route to the concentrator.
The only time I've seen this 'duplicate first packet detected' error was when I did not have my default gateway configured correctly on my concentrator. Setting the default gateway to the next hop router from the public interface fixed this problem.
Also, you may have a NAT issue. Are you connecting using UDP or TCP?
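One way to check from a packet capture what the concentrator means by "duplicate first packet", as an added example that is not part of this thread: decode the ISAKMP header of each UDP/500 datagram and flag initiator cookies whose opening message (responder cookie still zero) appears more than once. A client that never gets a reply, for instance because the reply is routed to the wrong gateway, retransmits that first message, which is one way the concentrator comes to see it twice. The capture below is constructed sample data, and `build_header` is a helper of this example only.

```python
import struct
from collections import Counter

# Fixed 28-byte ISAKMP header (RFC 2408, section 3.1):
# initiator cookie, responder cookie, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}


def parse_isakmp(payload: bytes) -> dict:
    """Decode the fixed ISAKMP header at the start of a UDP/500 datagram."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    i_ck, r_ck, _nxt, ver, xchg, _flags, _msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {
        "initiator_cookie": i_ck.hex(),
        "responder_cookie": r_ck.hex(),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE.get(xchg, f"unknown({xchg})"),
        # responder cookie still all-zero: this is the initiator's opening message
        "first_packet": r_ck == bytes(8),
        "length": length,
    }


def find_duplicate_first_packets(datagrams):
    """Initiator cookies whose opening message (responder cookie = 0) was seen more than once."""
    seen = Counter(h["initiator_cookie"] for h in map(parse_isakmp, datagrams) if h["first_packet"])
    return sorted(ck for ck, n in seen.items() if n > 1)


def build_header(i_ck: bytes, r_ck: bytes = bytes(8), xchg: int = 2, length: int = 28) -> bytes:
    """Constructed sample header (not real traffic): version 1.0, next payload SA(1), flags 0, msg id 0."""
    return ISAKMP_HDR.pack(i_ck, r_ck, 1, 0x10, xchg, 0, 0, length)


# Constructed capture: one client retransmits its first Main Mode message, another gets a reply.
SAMPLE_CAPTURE = [
    build_header(b"\x01" * 8),                 # client A's first Main Mode message
    build_header(b"\x01" * 8),                 # the same message again: client A retransmitted
    build_header(b"\x02" * 8),                 # client B's first message
    build_header(b"\x02" * 8, b"\xaa" * 8),    # reply carries a responder cookie: not a first packet
]

if __name__ == "__main__":
    for dup in find_duplicate_first_packets(SAMPLE_CAPTURE):
        print(f"duplicate first packet from initiator cookie {dup}")
```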