Cisco ASA to Checkpoint L2L VPN issues

I am trying to form a VPN tunnel between a Cisco ASA 5540 and a third party managed Checkpoint firewall.  Since I cannot see the config on the Checkpoint, I am hoping that someone can perhaps point me in the right direction.

Phase 1 completes between the two firewalls but Phase 2 initiates and dies.  To my knowledge it looks like an encryption domain issue, but the 3rd party assures me that they have the correct subnets configured.

When I try to initiate a tunnel I receive the following messages:

Group =, IP = , received non-routine Notify Message: Invalid ID (18)
Group =, IP =, QM FSM error (P2 struct..........)
Group =, IP =, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Group =, IP =, Removing Peer from correlator table failed, no match!

If anyone has had any experience with Cisco to Checkpoint VPN: it seems Checkpoint also has an option to specify tunnel types [one VPN per host pair] or [one VPN tunnel per subnet pair], and I'm not sure which one the 3rd party should be using.

Many thanks

FYI I've run into this type of problem a lot when trying to get a tunnel to a Checkpoint firewall. The problem appears to be that Checkpoint will summarize the IP blocks it presents as the remote proxy (encryption domain), even though the Checkpoint admin didn't set it that way. I've had remote admins tell me specifically what IP blocks they have configured in their encryption domain, and it doesn't match the proposal that the Cisco sees.

In the past I was able to fix this by initiating debug traffic on the Cisco so that I could actually see the proposal the Checkpoint was sending, then configure the Cisco to match those IP networks and subnets. This was relatively easy on 6.3, but on 7.x and higher it's a bit more of a hassle. I believe you'd need to enable almost the full debug level to see the data needed. For example:

debug crypto ipsec 240
(although I'm not sure that 240 will show what you need, you may want to work your way up from there to 255)

Then you just have to filter through the debug detail to get the proposal information that the Checkpoint is sending.

If there's any way to have the Checkpoint admin find this information out, I've never run across it...

FYI while doing some troubleshooting today for a different purpose I did confirm that level '240' is enough for the ASA to show you the subnet in the IPsec proposal. Once you find out what the Checkpoint is sending you can match it and should be able to get the tunnel working.
Qlemo "Batchelor", Developer and EE Topic Advisor, commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.