I am trying to create an L2L connection from a 3K5 Concentrator to a vendor with a Checkpoint NGR55. At implementation this morning, we were able to access all NATed applications on their side, but they weren't able to access ours. The message we saw on both sides was:
Received non-routine Notify message: Invalid ID info (18)
Which indicates mismatched attributes between the peers. These have been verified on both sides. We have our local network list specified as all of the individual hosts that are translated in the static NAT rules. For them, we have static translations and two global PATs...the network list for them specifies their entire /24 network that was used in the global PAT. My understanding is that the more specific network will be applied and if not found, the PAT will be used and I can see this happening in the event log.
Question 1.) Could this be a possible problem with why they can't connect to anything on our side?
Question 2.) The concentrator is menu driven, even from the CLI, and I can't find a way to clear the SA when troubleshooting other than disabling and re-enabling the tunnel. I know on the ASA and PIX I can do this for phase 1 and 2 from the CLI. Does disabling the tunnel on the 3K5 have the same result?
Any other ideas on why this is happening would be appreciated.
Re: 3K5 Concentrator L2L with Checkpoint NGR55 Issues
Thanks for the reply. I am assuming these changes would be made on the Checkpoint? The setup again in brief: L2L VPN tunnel from 3K5 to NGR55. We have static NAT translations for our inside to vendor's outside...for example: Source: 192.168.1.2 (our inside) translated to 18.104.22.168 (our outside) with a remote 22.214.171.124 (vendor's outside). In our local network list we have 126.96.36.199/0.0.0.0. Because we do have a global PAT for our inside to vendor's network, in the remote network list we have only 188.8.131.52/0.0.0.255. The order of operations should take the more specific hosts under this subnet. We can access everything on vendor's side fine, they can't access anything on our side. The addresses listed above aren't the actual ones in use, but should demonstrate the setup. If the problem looks similar to what you have seen, your response would be appreciated. Thanks in advance.
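A consistency check for the phase 2 proxy IDs behind the "Invalid ID info (18)" message, added here as an example and not code from the thread or from either vendor: it converts 3K5 network-list entries (address/wildcard mask, as written in the post) to prefixes and reports every (local, remote) pair that the peer does not mirror exactly. The Checkpoint-side encryption domains are constructed sample values, chosen so that the peer offers our hosts as a /24 rather than as individual /32s.

```python
import ipaddress

# Constructed sample, in the 3K5's own notation (address / wildcard mask):
# a host entry carries 0.0.0.0, the vendor's /24 carries 0.0.0.255.
CONCENTRATOR_LOCAL = ["126.96.36.199/0.0.0.0"]   # our static-NAT outside host
CONCENTRATOR_REMOTE = ["188.8.131.52/0.0.0.255"]  # vendor's /24

# Constructed sample of what the Checkpoint is assumed to propose for the
# same tunnel (its encryption domain is "local" to it, ours is "remote").
CHECKPOINT_LOCAL = ["188.8.131.0/24"]
CHECKPOINT_REMOTE = ["126.96.36.0/24"]           # wider than our /32 -> mismatch


def wildcard_to_network(entry: str) -> ipaddress.IPv4Network:
    """Convert '<addr>/<wildcard mask>' (concentrator notation) to an IPv4Network."""
    addr, wildcard = entry.split("/")
    wc = int(ipaddress.IPv4Address(wildcard))
    # A usable wildcard is a contiguous run of low 1-bits; prefix = 32 - run length.
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask: {entry}")
    prefix = 32 - wc.bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def proxy_id_pairs(local, remote):
    """Every (local, remote) combination a peer would offer in quick mode."""
    return {(l, r) for l in local for r in remote}


def find_mismatches(c_local, c_remote, cp_local, cp_remote):
    """Return our proxy-ID pairs that the Checkpoint side does not mirror.

    Quick mode succeeds only when our (local, remote) equals their
    (remote, local) exactly; a wider or narrower entry on either side is
    what produces 'Invalid ID info (18)'.
    """
    ours = proxy_id_pairs([wildcard_to_network(e) for e in c_local],
                          [wildcard_to_network(e) for e in c_remote])
    theirs = proxy_id_pairs([ipaddress.ip_network(e) for e in cp_local],
                            [ipaddress.ip_network(e) for e in cp_remote])
    mirrored = {(r, l) for (l, r) in theirs}
    return sorted(ours - mirrored, key=str)


if __name__ == "__main__":
    for local, remote in find_mismatches(CONCENTRATOR_LOCAL, CONCENTRATOR_REMOTE,
                                         CHECKPOINT_LOCAL, CHECKPOINT_REMOTE):
        print(f"no matching peer proxy ID for local={local} remote={remote}")
```

Run it with both sides' real lists: an entry it reports is one the peer will reject in quick mode, so either both lists are made identical (mirrored) or the Checkpoint is set to offer per-host rather than whole-domain IDs for that tunnel.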