Solved

CheckPoint R75 and ASA 8.4(4) VPN tunnel drops

Posted on 2014-03-07
Last Modified: 2014-03-13
Having issues with an IPsec VPN tunnel between a CheckPoint R75.40 and ASA 8.4(4) firewall.

We have numerous other tunnels and have no issue.

Symptoms are intermittent connection drops after 2-3 hours. Found also that persistent pings between the two points keep the connection active.

Both sides are using identical configurations; have tried explicit IPs and subnets, however the issue persists.

Any help appreciated.
Question by:JamesWinn
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 39915338
There are some hints mentioned below; see if you have those symptoms in the debug and error log. Cisco IPsec debugging commands can include the following. Cisco ASDM also has a packet tracer that can show the packet traversal in detail.

- show crypto isakmp sa - gives you brief status of Phase 1 SAs; you can append "detail" (w/o quotes) for more robust status, e.g. status of the negotiation
- show crypto ipsec sa - gives you packet counts of encrypted and decrypted packets as well as errors.
- debug crypto isakmp errors - gives you brief info when isakmp throws an error
- debug crypto isakmp - (eats up your console) gives a detailed output of the entire Phase 1 negotiation process on a rolling basis, so if your VPN is broken, it's almost non-stop output.

Some possibilities, though they may not be specific to the actual product model:

VPN between Check Point Security Gateway and Cisco Pix may fail because Cisco Tunnel Sharing is configured for host based VPN, while Check Point Tunnel Sharing is usually configured for network based VPN.

VPN between Check Point Security Gateway and Cisco Pix may also fail due to a mismatch in the settings between the two devices. For instance, if the Check Point Security Gateway proposes a network of 192.168.1.X/24, but the Cisco access list is set up for traffic from 192.168.X.X/16, the connection will fail.

Below is a good summary of possible Check Point errors seen; good to check out too. There are also means to enable IKE and VPN debugging:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk88780

SYMPTOMS

- Intermittent VPN drops involving Check Point Security Gateway and 3rd party VPN.
- Kernel debug shows error "vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet".
- IKE debug shows that Cisco VPN sends an SPI delete after successful phase1/phase2 key negotiation.

SYMPTOMS

- Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".
- VPN between Check Point Security Gateway and Cisco Pix fails.
- SmartView Tracker may display the following error messages:
Error: "Encryption failure: packet is dropped as there is no valid SA"
Error: "No valid SA"
Error: "Encryption failure: No response from peer"
Error: "No proposal chosen"
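The Phase 2 mismatch described in the answer (Check Point proposing 192.168.1.X/24 while the ASA crypto ACL permits 192.168.X.X/16) is easy to miss by eye. Below is an added checker, not part of the thread or either vendor's tooling, that parses constructed ASA `access-list ... extended permit ip` lines and reports whether each Check Point local/remote pair has an identical ACL entry, is only covered by a wider one, or is not covered at all; the ACL name `VPN-CP` and all addresses are made-up sample values.

```python
"""Compare Check Point Phase 2 proxy-IDs against an ASA crypto ACL."""
import ipaddress
import re

# Constructed sample: (local encryption domain, peer encryption domain)
# as the Check Point gateway would propose them.
CHECKPOINT_DOMAINS = [
    ("192.168.1.0/24", "10.0.0.0/24"),
    ("192.168.2.0/24", "10.0.0.0/24"),
]

# Constructed sample crypto ACL as seen on the ASA. Source is the ASA's own
# side, so it corresponds to the Check Point's *remote* network.
ASA_CRYPTO_ACL = """
access-list VPN-CP extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list VPN-CP extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)

def parse_asa_acl(text):
    """Return (asa_local, asa_remote) networks from 'permit ip src mask dst mask'."""
    pairs = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            pairs.append((ipaddress.ip_network(f"{src}/{smask}"),
                          ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs

def classify(cp_local, cp_remote, asa_pairs):
    """Exact match is what both peers must agree on; a wider ACL is a mismatch."""
    cp_local, cp_remote = ipaddress.ip_network(cp_local), ipaddress.ip_network(cp_remote)
    for asa_local, asa_remote in asa_pairs:
        if asa_remote == cp_local and asa_local == cp_remote:
            return "match"
    for asa_local, asa_remote in asa_pairs:
        if cp_local.subnet_of(asa_remote) and cp_remote.subnet_of(asa_local):
            return f"mismatch: ASA ACL is wider ({asa_remote} vs {cp_local})"
    return "mismatch: no ACL entry covers this pair"

def check_proxy_ids(cp_domains, asa_acl_text):
    asa_pairs = parse_asa_acl(asa_acl_text)
    return {f"{l} <-> {r}": classify(l, r, asa_pairs) for l, r in cp_domains}

if __name__ == "__main__":
    for pair, verdict in check_proxy_ids(CHECKPOINT_DOMAINS, ASA_CRYPTO_ACL).items():
        print(pair, "->", verdict)
```

Running it flags the first pair as covered only by the wider 192.168.0.0/16 entry, which is the situation the answer says leads to "No proposal chosen" style failures.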