VPN L2L ASA-CheckPoint disconnection

Hi ...

Please, I need your help ...

I've configured a VPN L2L between an ASA5505 and CP2070.

The tunnel is working, we have connectivity between sites, but the tunnel is disconnecting periodically.

When the tunnel fails, we need to make a "clear crypto isakmp sa <tunnel address>" to recover the connection.

I've tested modifying the lifetime parameters in the IKE and IPsec configurations, but the problem persists.

Any suggestions?

The ASA configuration file is attached.

Accepted Solution

Re: VPN L2L ASA-CheckPoint disconnection

Hi,

If you resolve the issue by clearing the tunnel on the ASA side, I might think that there's a loss of connectivity on the Checkpoint side when this happens?

I mean... the ASA still believes the tunnel is up, but it isn't, because it is not up on the Checkpoint side.

As soon as you clear the SAs on the ASA, the tunnel renegotiates and re-establishes.

There are keepalives and DPD packets that can be sent to monitor the health of the VPN peer, but they work great between Cisco devices. (I'm not sure if there are incompatibility issues with other brands.)

Can you check if that's the problem?

Also, are the ISAKMP phase 1 and phase 2 lifetimes set to the same value on both units?

Federico.

5 REPLIES

Re: VPN L2L ASA-CheckPoint disconnection

Hi guigonza,

Finding out the reason for a "periodic disconnect" would require debugging.

Depending on which side disconnects, the debugs should be run on either the ASA or the CP.

Which SAs are disconnected, IKE or IPsec? What is the typical/shortest/longest time of survival?

debug crypto isakmp [detail-level] or debug crypto ipsec [detail-level] helps you find the reason. The config alone cannot really explain everything.

Rgds, MiKa

Re: VPN L2L ASA-CheckPoint disconnection

Thanks for your suggestions.

We checked the CP and ASA configurations, at least the lifetime parameters.

We reconfigured the same lifetime parameters on both units and are testing the behaviour.

The next step is to get debugs on both units in a controlled test to see the possible causes.

As soon as I get some results from this test, I'll post them.

Thanks a lot.

Re: VPN L2L ASA-CheckPoint disconnection

Crypto debugs from both sides while replicating the problem will be required to isolate further. I did run into a strange interop issue with Checkpoint once before where the tunnel would fail during a P1 rekey. The Checkpoint device was incorrectly deleting the P2 SAs during this rekey process, resulting in tunnel failure. Clearing the tunnel from the ASA would restore connectivity. Checkpoint wound up adding the following to their firewall to resolve it.

ckp_regedit -a SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1

cpstop

cpstart

Re: VPN L2L ASA-CheckPoint disconnection

Well, after some tests and checking the suggested parameters, we found the problem. Both firewalls had different lifetime values in IKE phase 1 and 2. We modified these values and everything is working fine.

Thanks for the help ....
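The accepted answer and the final post both come down to the same check: the phase 1 and phase 2 lifetimes on the ASA and on the Check Point have to agree, and DPD should not be silently disabled. As an added example (not from this thread and not the configuration attached to the question), the following Python pulls the isakmp policy lifetime, the effective IPsec SA lifetime for a given peer, and the isakmp keepalive setting out of an ASA config excerpt and compares them with the values read off the Check Point side. The ASA excerpt, the peer address 203.0.113.10 and the Check Point numbers are all constructed for the example; the ASA commands themselves are standard IKEv1 L2L syntax.

```python
import re
from dataclasses import dataclass, field

ASA_P1_DEFAULT = 86400  # ASA default IKEv1 policy lifetime (seconds)
ASA_P2_DEFAULT = 28800  # ASA default IPsec SA lifetime (seconds)

# Constructed ASA excerpt for illustration; it is not the configuration attached to the thread.
ASA_CONFIG = """\
crypto ipsec security-association lifetime seconds 28800
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
"""

# Constructed values as read off the Check Point VPN community properties:
# phase 1 renegotiation is entered in minutes there, phase 2 in seconds.
CP_PHASE1_MINUTES = 1440
CP_PHASE2_SECONDS = 28800


@dataclass
class AsaCrypto:
    phase1: dict = field(default_factory=dict)          # isakmp policy number -> lifetime (s)
    phase2_global: int = ASA_P2_DEFAULT
    phase2_by_peer: dict = field(default_factory=dict)  # peer -> effective IPsec lifetime (s)
    dpd_by_peer: dict = field(default_factory=dict)     # peer -> (threshold, retry), None if disabled


def parse_asa(config: str) -> AsaCrypto:
    """Extract the lifetime and DPD settings that matter for an L2L tunnel."""
    out = AsaCrypto()
    policy = tunnel_group = None
    map_entries = {}  # (crypto map name, seq) -> {"peer": ..., "lifetime": ...}
    for raw in config.splitlines():
        indented = raw.startswith(" ")
        line = raw.strip()
        if not line:
            continue
        if not indented:  # a new top-level command ends any sub-mode
            policy = tunnel_group = None
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = int(m.group(1))
            out.phase1.setdefault(policy, ASA_P1_DEFAULT)
        elif (m := re.match(r"lifetime (\d+)$", line)) and policy is not None:
            out.phase1[policy] = int(m.group(1))
        elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            out.phase2_global = int(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)$", line):
            map_entries.setdefault((m.group(1), int(m.group(2))), {})["peer"] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)", line):
            map_entries.setdefault((m.group(1), int(m.group(2))), {})["lifetime"] = int(m.group(3))
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            tunnel_group = m.group(1)
        elif tunnel_group and line == "isakmp keepalive disable":
            out.dpd_by_peer[tunnel_group] = None
        elif (m := re.match(r"isakmp keepalive threshold (\d+) retry (\d+)$", line)) and tunnel_group:
            out.dpd_by_peer[tunnel_group] = (int(m.group(1)), int(m.group(2)))
    # A per-entry lifetime overrides the global one; otherwise the global value applies.
    for entry in map_entries.values():
        if "peer" in entry:
            out.phase2_by_peer[entry["peer"]] = entry.get("lifetime", out.phase2_global)
    return out


def audit_tunnel(asa: AsaCrypto, peer: str, cp_phase1_minutes: int, cp_phase2_seconds: int) -> list:
    """Return human-readable findings; empty means both phases agree and DPD is not disabled."""
    findings = []
    cp_p1 = cp_phase1_minutes * 60
    if cp_p1 not in asa.phase1.values():
        findings.append(f"phase 1: ASA policy lifetimes {sorted(set(asa.phase1.values()))}s, "
                        f"Check Point {cp_p1}s")
    asa_p2 = asa.phase2_by_peer.get(peer, asa.phase2_global)
    if asa_p2 != cp_phase2_seconds:
        findings.append(f"phase 2: ASA {asa_p2}s for peer {peer}, Check Point {cp_phase2_seconds}s")
    if asa.dpd_by_peer.get(peer, "unset") is None:
        findings.append(f"dpd: isakmp keepalive is disabled under tunnel-group {peer}")
    return findings


if __name__ == "__main__":
    asa = parse_asa(ASA_CONFIG)
    for finding in audit_tunnel(asa, "203.0.113.10", CP_PHASE1_MINUTES, CP_PHASE2_SECONDS):
        print(finding)
```

With the constructed input the only finding is the phase 2 mismatch (the crypto map entry for the peer overrides the global 28800 s with 3600 s while the Check Point side is at 28800 s), which is exactly the kind of difference the original poster found once both configurations were compared side by side. The per-peer override matters: checking only the global crypto ipsec lifetime would report a false agreement.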
