Cisco Support Community

New Member

VPN between ASA and Checkpoint

I have set up a VPN tunnel using pre-shared keys between my ASA5505 and a Checkpoint firewall (another company).

I can initiate the tunnel from my side, but they cannot open it from their side. We get Phase2 failures.

The other company is saying:

"Your ASA is expecting my CheckPoint to negotiate the phase 2 timeouts in both seconds and kilobytes. Enabling kilobyte timeouts is not something that is currently realistically feasible on my side, so I ask that you disable/turn off kilobyte timeouts on your side"

However, I do not have a kilobyte timeout specified in the security association for the tunnel, only a seconds value.

Is there a hidden default setting I have to turn off? If so, how do I do this?

3 REPLIES
Bronze

VPN between ASA and Checkpoint

Phase 2 failures means several things:

Encryption domain (interesting traffic) fails to match. Checkpoint tends to supernet networks together, by design.

Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.

Why don't you put in the relevant configuration on the ASA and, if possible, ask the Checkpoint firewall guy to do the following on the firewall:

- output of "uname -a" and "fw ver"

- is this Nokia, Windows or Secureplatform Checkpoint?

- run the following commands on the firewall: "debug ike off", "debug ike trunc" and send you the ike.elg file. That file can be decoded with IKEView.exe and it will tell you exactly where things are wrong.

Disabling/turning OFF kilobyte timeouts is not the solution.

New Member

VPN between ASA and Checkpoint

We used IKEView.exe on the Checkpoint side and discovered what the issue is.

When the Checkpoint tries to establish the tunnel, it does not supply a SA KB timeout value. The ASA 5505 running IOS 8.4 is demanding it. I tried to turn this off with the

no ipsec security-association lifetime kilo 4608000

command, but the ASA is still sending the KB timeout (along with the seconds timeout) and demanding it from the other end. Therefore, we cannot complete Phase2.

How can I turn this off or make it optional?
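The mismatch described in this post lives in the Phase 2 (Quick Mode) transform attributes: an SA Life Type (1 = seconds, 2 = kilobytes) followed by an SA Life Duration, as defined in the IPsec DOI (RFC 2407) with the attribute encoding from RFC 2408. The following Python is an added illustration, not code from the thread or from Cisco/Checkpoint; the proposals and the 28800-second value are constructed sample data, and the 4608000 KB figure is the one quoted in the post.

```python
import struct

# IPsec DOI (RFC 2407 s4.5) attribute types used in a Phase 2 transform
SA_LIFE_TYPE = 1
SA_LIFE_DURATION = 2
LIFE_TYPE_NAMES = {1: "seconds", 2: "kilobytes"}

def encode_attr(atype, value):
    """Encode one ISAKMP data attribute (RFC 2408 s3.3): Basic form
    (AF bit set, 16-bit value) when it fits, else Variable-length form."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    data = value.to_bytes(4, "big")
    return struct.pack("!HH", atype, len(data)) + data

def decode_attrs(buf):
    """Yield (type, value) pairs from a packed attribute list."""
    off = 0
    while off < len(buf):
        hdr, val = struct.unpack_from("!HH", buf, off)
        off += 4
        if hdr & 0x8000:                      # Basic attribute
            yield hdr & 0x7FFF, val
        else:                                 # Variable-length attribute
            yield hdr, int.from_bytes(buf[off:off + val], "big")
            off += val

def lifetimes(buf):
    """Return {life_type_name: duration} for each Life Type/Duration pair."""
    result, pending = {}, None
    for atype, value in decode_attrs(buf):
        if atype == SA_LIFE_TYPE:
            pending = LIFE_TYPE_NAMES.get(value, "type%d" % value)
        elif atype == SA_LIFE_DURATION and pending is not None:
            result[pending] = value
            pending = None
    return result

def unsupported_life_types(proposal, peer_supported):
    """Life types present in the proposal that the peer cannot negotiate."""
    return sorted(set(lifetimes(proposal)) - set(peer_supported))

# Constructed samples: an ASA-style proposal carrying both lifetimes and a
# Checkpoint-style proposal carrying seconds only.
ASA_PROPOSAL = (encode_attr(SA_LIFE_TYPE, 1) + encode_attr(SA_LIFE_DURATION, 28800)
                + encode_attr(SA_LIFE_TYPE, 2) + encode_attr(SA_LIFE_DURATION, 4608000))
CHECKPOINT_PROPOSAL = encode_attr(SA_LIFE_TYPE, 1) + encode_attr(SA_LIFE_DURATION, 28800)
```

Running `unsupported_life_types(ASA_PROPOSAL, {"seconds"})` reports `['kilobytes']`, which is exactly the attribute the Checkpoint side in this thread cannot answer; decoding an ike.elg capture the same way shows which lifetime types each peer actually put on the wire.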

Bronze

VPN between ASA and Checkpoint

I have an existing VPN tunnel between Pix 8.0.4 and Checkpoint SPLAT NGx R71.30 running without any issues. I would have tested the code 8.4 for you but unfortunately, Pix does not support anything above 8.0.4.

If this is the case, then this must be a "new" feature required in 8.4. 

You have a few options here:

#1:  ask for a fix from Cisco,

#2:  downgrade the code from 8.4 to 8.0.4,

#3: change the Checkpoint VPN configuration from the "simplified mode" to the "traditional mode" method. I've not used the "traditional mode" method in years, but the traditional mode method does give you the ability to set the timeout based on the number of bytes.
