Solved

CheckPoint R75 and ASA 8.4(4) VPN tunnel drops

Posted on 2014-03-07
1
5,386 Views
Last Modified: 2014-03-13
Having issues with a IPsec VPN tunnel between a CheckPoint R75.40 and ASA8.4(4) firewall.

we have numerous other tunnels and have no issue.

Symptoms are intermittent connection drops after 2 -3 hours. Found also that persistent PINGs between the two points keeps the connection active.

Both sides are using identical configurations have tried explicit IP's and subnets however issue persists.

Any help appreciated
0
Comment
Question by:JamesWinn
1 Comment
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39915338
there are some hints mentioned below, and see if you have hose symptoms in the debug and error log. Cisco IPSEC debugging command can include. Cisco ADSM has packet tracer that can see the packet traversed in details

- show crypto isakmp sa  - gives you brief status of Phase 1 SAs, you can append "detail" (w/o quotes) for more robust status e.g. status of the negotiation
- show crypto ipsec sa - gives you packet counts of encrypted and decrypted packets as well as errors.
- debug crypto isakmp errors - gives you brief info when isakmp throws an error
- debug crytpo isakmp - (eat up your console) gives a detailed output of the entire phase 1 negotiation processes - on a rolling basis - so if your VPN is broken, it's almost a non-stop output.

some possibilities though it may not be specific to the actual product model

VPN between Check Point Security Gateway and Cisco Pix may fail because Cisco Tunnel Sharing is configured for host based VPN, while Check Point Tunnel Sharing is usually configured for network based VPN.

VPN between Check Point Security Gateway and Cisco Pix may also fail due to a mismatch in the settings between the two devices. For instance, if the Check Point Security Gateway proposes a network of 192.168.1.X/24, but the Cisco Access list is setup for traffic from 192.168.X.X/16, the connection will fail.

Below is a good summary on possible checkpoint errors seen, good to check out too. There is also means to enable the IKE and VPN debugging

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk88780

SYMPTOMS

-Intermittent VPN drops involving Check Point Security Gateway and 3rd party VPN.
-Kernel debug shows error "vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet".
-IKE debug shows that Cisco VPN sends an SPI delete after successful phase1/phase2 key negotiation.

SYMPTOMS

-Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".
-VPN between Check Point Security Gateway and Cisco Pix fails.
-SmartView Tracker may display the following error messages:
Error: "Encryption failure: packet is dropped as there is no valid SA"
Error: "No valid SA"
Error: "Encryption failure: No response from peer"
Error: "No proposal chosen"
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Knowing where your website is hosted is as important as the features you receive, the monthly fee, and the support you receive. Due diligence should be done when choosing your next hosting provider.
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question