I have been going through the discussion threads on ASA-Checkpoint S2S VPN issues in Cisco and am still unable to find the culprit for the problem...
Initially I thought the supernet was creating the problem in CP, hence we removed one of the subnets, 10.1.2.0, from both devices' ACLs. Later on we re-confirmed the P1 and P2 key lifetime values on both devices. Later on we deleted the VPN in the ASA and freshly created it... it is hopeless to say that the issue still persists..
I do find a log in CP saying "peer not responding", where the peer is the Cisco.... I have checked the VPN profile in CP for this tunnel and it is just the next-next button.. Don't find much info over there.. Attached the logs WHEN THE TUNNEL IS UP; THE SAME IS THERE WHEN THE TUNNEL IS DOWN.
One more point which I have understood from the logs is that the log "Failure during phase 1 rekeying attempt due to collision" indicates that
the ASA only supports two Phase-1 SAs at a time. If both sides start a rekey at the same time then three SAs will be present (the original plus two rekeys). As you can see, when this occurs the two directions collide and the rekey fails. And hence we get three different MM_roles in the "show crypto isakmp sa detail" output of the ASA.
#sh cry isakmp sa
1   IKE Peer: 220.127.116.11
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : MM_ACTIVE_REKEY
2   IKE Peer: 18.104.22.168
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2
3   IKE Peer: 22.214.171.124
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
I don't know why this is happening and how we could stop this?? Should we still reduce the P1 lifetime or should we change this to 0??
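As an added illustration (this is not part of the original post and not the poster's code), the following script parses a constructed sample of ASA "show crypto isakmp sa" output and flags the condition described above: more than two Phase-1 SAs present for the same peer at once, which is what a rekey collision leaves behind. The peer address 192.0.2.1 and the sample text are constructed for the example; the threshold of two Phase-1 SAs per peer is the one the post states.

```python
import re
from collections import defaultdict

# Constructed sample of "show crypto isakmp sa" output (not the poster's log).
# It shows three IKEv1 SAs for one peer, the pattern the post associates with
# a Phase-1 rekey collision (original SA plus one rekey from each side).
SAMPLE_OUTPUT = """\
   Active SA: 3
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: 192.0.2.1
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : MM_ACTIVE_REKEY
2   IKE Peer: 192.0.2.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2
3   IKE Peer: 192.0.2.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
"""


def parse_isakmp_sa(text):
    """Parse ASA 'show crypto isakmp sa' output into one dict per IKE SA.

    Each entry carries the SA index, the peer address and the lower-cased
    field names (type, role, rekey, state) found on the lines that follow.
    Summary lines before the first 'IKE Peer:' entry are ignored.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+IKE Peer:\s*(\S+)", line)
        if m:
            current = {"index": int(m.group(1)), "peer": m.group(2)}
            entries.append(current)
            continue
        if current is None:
            continue  # header/summary line, not part of an SA entry
        for key, value in re.findall(r"(\w+)\s*:\s*(\S+)", line):
            current[key.lower()] = value
    return entries


def find_rekey_collisions(entries, max_sas=2):
    """Return {peer: [states]} for peers holding more Phase-1 SAs than max_sas.

    max_sas=2 reflects the post's statement that the ASA keeps at most two
    Phase-1 SAs (active plus one rekey) per peer; a third one means both
    sides started a rekey and collided.
    """
    by_peer = defaultdict(list)
    for entry in entries:
        by_peer[entry["peer"]].append(entry.get("state", "?"))
    return {peer: states for peer, states in by_peer.items()
            if len(states) > max_sas}


if __name__ == "__main__":
    sas = parse_isakmp_sa(SAMPLE_OUTPUT)
    for peer, states in find_rekey_collisions(sas).items():
        print(f"possible Phase-1 rekey collision with {peer}: "
              f"{len(states)} SAs ({', '.join(states)})")
```

Run it against the output of "show crypto isakmp sa" captured while the tunnel is flapping; a peer listed with three states at the same moment is the collision case, while a peer that only ever shows one active and one rekey SA is rekeying normally.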