Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

CheckPoint R75 and ASA 8.4(4) VPN tunnel drops

Posted on 2014-03-07
1
Medium Priority
?
5,800 Views
Last Modified: 2014-03-13
Having issues with a IPsec VPN tunnel between a CheckPoint R75.40 and ASA8.4(4) firewall.

we have numerous other tunnels and have no issue.

Symptoms are intermittent connection drops after 2 -3 hours. Found also that persistent PINGs between the two points keeps the connection active.

Both sides are using identical configurations have tried explicit IP's and subnets however issue persists.

Any help appreciated
0
Comment
Question by:JamesWinn
1 Comment
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 39915338
there are some hints mentioned below, and see if you have hose symptoms in the debug and error log. Cisco IPSEC debugging command can include. Cisco ADSM has packet tracer that can see the packet traversed in details

- show crypto isakmp sa  - gives you brief status of Phase 1 SAs, you can append "detail" (w/o quotes) for more robust status e.g. status of the negotiation
- show crypto ipsec sa - gives you packet counts of encrypted and decrypted packets as well as errors.
- debug crypto isakmp errors - gives you brief info when isakmp throws an error
- debug crytpo isakmp - (eat up your console) gives a detailed output of the entire phase 1 negotiation processes - on a rolling basis - so if your VPN is broken, it's almost a non-stop output.

some possibilities though it may not be specific to the actual product model

VPN between Check Point Security Gateway and Cisco Pix may fail because Cisco Tunnel Sharing is configured for host based VPN, while Check Point Tunnel Sharing is usually configured for network based VPN.

VPN between Check Point Security Gateway and Cisco Pix may also fail due to a mismatch in the settings between the two devices. For instance, if the Check Point Security Gateway proposes a network of 192.168.1.X/24, but the Cisco Access list is setup for traffic from 192.168.X.X/16, the connection will fail.

Below is a good summary on possible checkpoint errors seen, good to check out too. There is also means to enable the IKE and VPN debugging

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk88780

SYMPTOMS

-Intermittent VPN drops involving Check Point Security Gateway and 3rd party VPN.
-Kernel debug shows error "vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet".
-IKE debug shows that Cisco VPN sends an SPI delete after successful phase1/phase2 key negotiation.

SYMPTOMS

-Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".
-VPN between Check Point Security Gateway and Cisco Pix fails.
-SmartView Tracker may display the following error messages:
Error: "Encryption failure: packet is dropped as there is no valid SA"
Error: "No valid SA"
Error: "Encryption failure: No response from peer"
Error: "No proposal chosen"
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question