[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5869
  • Last Modified:

CheckPoint R75 and ASA 8.4(4) VPN tunnel drops

Having issues with a IPsec VPN tunnel between a CheckPoint R75.40 and ASA8.4(4) firewall.

we have numerous other tunnels and have no issue.

Symptoms are intermittent connection drops after 2 -3 hours. Found also that persistent PINGs between the two points keeps the connection active.

Both sides are using identical configurations have tried explicit IP's and subnets however issue persists.

Any help appreciated
0
JamesWinn
Asked:
JamesWinn
1 Solution
 
btanExec ConsultantCommented:
there are some hints mentioned below, and see if you have hose symptoms in the debug and error log. Cisco IPSEC debugging command can include. Cisco ADSM has packet tracer that can see the packet traversed in details

- show crypto isakmp sa  - gives you brief status of Phase 1 SAs, you can append "detail" (w/o quotes) for more robust status e.g. status of the negotiation
- show crypto ipsec sa - gives you packet counts of encrypted and decrypted packets as well as errors.
- debug crypto isakmp errors - gives you brief info when isakmp throws an error
- debug crytpo isakmp - (eat up your console) gives a detailed output of the entire phase 1 negotiation processes - on a rolling basis - so if your VPN is broken, it's almost a non-stop output.

some possibilities though it may not be specific to the actual product model

VPN between Check Point Security Gateway and Cisco Pix may fail because Cisco Tunnel Sharing is configured for host based VPN, while Check Point Tunnel Sharing is usually configured for network based VPN.

VPN between Check Point Security Gateway and Cisco Pix may also fail due to a mismatch in the settings between the two devices. For instance, if the Check Point Security Gateway proposes a network of 192.168.1.X/24, but the Cisco Access list is setup for traffic from 192.168.X.X/16, the connection will fail.

Below is a good summary on possible checkpoint errors seen, good to check out too. There is also means to enable the IKE and VPN debugging

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk88780

SYMPTOMS

-Intermittent VPN drops involving Check Point Security Gateway and 3rd party VPN.
-Kernel debug shows error "vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet".
-IKE debug shows that Cisco VPN sends an SPI delete after successful phase1/phase2 key negotiation.

SYMPTOMS

-Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".
-VPN between Check Point Security Gateway and Cisco Pix fails.
-SmartView Tracker may display the following error messages:
Error: "Encryption failure: packet is dropped as there is no valid SA"
Error: "No valid SA"
Error: "Encryption failure: No response from peer"
Error: "No proposal chosen"
0

Featured Post

The eGuide to Automating Firewall Change Control

Today‚Äôs IT environment is constantly changing, which affects security policies and firewall rules. Discover tips to help you embrace this change through process improvement & identify areas where automation & actionable intelligence can enhance both security and business agility.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now