Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Checkpoint VPN to Cisco ASA

Hi all,

We have some working tunnels between a Checkpoint box and a Cisco ASA. However despite this we are still seeing lots of errors for:

Rejecting Ipsec Tunnel: no matching crypto map

QM FSM error

Removing peer from correlator table failed, no match!

These all show a source address of the Checkpoint peer. This is despite phase 1 and phase 2 being established already and communication occuring properly.

Is there something that the Checkpoint unit does (tunnel check traffic for example) that is causing these errors?

  • VPN
New Member

Re: Checkpoint VPN to Cisco ASA

This sample configration demonstrates how to form an IPSec tunnel with pre-shared keys to join two private networks. In our example, the joined networks are the 192.168.1.X private network inside the Cisco Secure Pix Firewall (PIX) and the 10.32.50.X private network inside the Checkpoint. It is assumed that traffic from inside the PIX and inside the Checkpoint 4.1 Firewall to the Internet (represented here by the 172.18.124.X networks) flows prior to beginning this configuration.

New Member

Re: Checkpoint VPN to Cisco ASA

Thank you. The tunnels were coming up however the checkpoint box kept trying to build another ipsec session inside the tunnel. This is because the Checkpoint box was configured to send tunnel test packets. Adding in an ACL for interesting traffic to permit the Checkpoint peer to Cisco peer allows this ipsec session to be created and the messages have stopped.

Presumably the Checkpoint box could be configured to not send these packets as well.

New Member

Re: Checkpoint VPN to Cisco ASA

Could you provide some more detail on this fix, I am having the same problem between a Checkpoint and our new ASA. Tunnel works but I get errors and users do experience some session issues to a server.

Re: Checkpoint VPN to Cisco ASA

As this post is almost 4 years old, this is just a shot in the dark.

The interesting ACL for your solution was what? ESP, IP