Solved

CheckPoint R75 and ASA 8.4(4) VPN tunnel drops

Posted on 2014-03-07
Last Modified: 2014-03-13
Having issues with an IPsec VPN tunnel between a CheckPoint R75.40 and ASA 8.4(4) firewall.

We have numerous other tunnels and have no issue.

Symptoms are intermittent connection drops after 2-3 hours. Found also that persistent PINGs between the two points keep the connection active.

Both sides are using identical configurations. Have tried explicit IPs and subnets, however the issue persists.

Any help appreciated.
Question by:JamesWinn
1 Comment
 

Accepted Solution

by:
btan earned 2000 total points
ID: 39915338
There are some hints mentioned below; see if you have those symptoms in the debug and error log. Cisco IPsec debugging commands can include the following. Cisco ASDM has a packet tracer that can show the packet traversal in detail.

- show crypto isakmp sa  - gives you brief status of Phase 1 SAs, you can append "detail" (w/o quotes) for more robust status e.g. status of the negotiation
- show crypto ipsec sa - gives you packet counts of encrypted and decrypted packets as well as errors.
- debug crypto isakmp errors - gives you brief info when isakmp throws an error
- debug crypto isakmp - (eats up your console) gives a detailed output of the entire phase 1 negotiation processes - on a rolling basis - so if your VPN is broken, it's almost a non-stop output.

Some possibilities, though they may not be specific to the actual product model:

VPN between Check Point Security Gateway and Cisco Pix may fail because Cisco Tunnel Sharing is configured for host based VPN, while Check Point Tunnel Sharing is usually configured for network based VPN.

VPN between Check Point Security Gateway and Cisco Pix may also fail due to a mismatch in the settings between the two devices. For instance, if the Check Point Security Gateway proposes a network of 192.168.1.X/24, but the Cisco Access list is set up for traffic from 192.168.X.X/16, the connection will fail.

Below is a good summary of possible Check Point errors seen, good to check out too. There are also means to enable the IKE and VPN debugging.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk88780

SYMPTOMS

-Intermittent VPN drops involving Check Point Security Gateway and 3rd party VPN.
-Kernel debug shows error "vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet".
-IKE debug shows that Cisco VPN sends an SPI delete after successful phase1/phase2 key negotiation.

SYMPTOMS

-Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".
-VPN between Check Point Security Gateway and Cisco Pix fails.
-SmartView Tracker may display the following error messages:
Error: "Encryption failure: packet is dropped as there is no valid SA"
Error: "No valid SA"
Error: "Encryption failure: No response from peer"
Error: "No proposal chosen"
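
The subnet and host-versus-network mismatches described in the answer above can be checked offline before changing either device. This is an added example, not part of the original thread: it compares a network pair the Check Point side would propose against the entries of an ASA crypto ACL. The ACL name VPN_CP and the 10.x networks are constructed; the 192.168 networks follow the answer's example.

```python
import ipaddress

# Constructed ASA crypto ACL (name VPN_CP and the 10.x networks are made up).
ACL = [
    "access-list VPN_CP extended permit ip 10.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0",
    "access-list VPN_CP extended permit ip host 10.30.1.5 192.168.5.0 255.255.255.0",
]

def parse_asa_acl(line):
    """Return (asa_local, asa_remote) from a 'permit ip' line.
    Handles only 'ADDR MASK' and 'host ADDR' operands."""
    tok = line.split()
    tok = tok[tok.index("ip") + 1:]
    nets = []
    while tok:
        mask = "255.255.255.255" if tok[0] == "host" else tok[1]
        addr = tok[1] if tok[0] == "host" else tok[0]
        nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
        tok = tok[2:]
    return tuple(nets)

def side(proposed, configured):
    """Relation of one proposed network to the configured one."""
    if proposed == configured:
        return "equal"
    if not proposed.overlaps(configured):
        return "disjoint"
    if 32 in (proposed.prefixlen, configured.prefixlen):
        return "host-vs-network"
    return "narrower" if proposed.subnet_of(configured) else "wider"

def check(cp_local, cp_remote, acl_lines):
    """Compare one Check Point proposal with each ACL entry.
    The ASA's remote network is the Check Point's local one, so sides swap."""
    cp_local, cp_remote = map(ipaddress.ip_network, (cp_local, cp_remote))
    near = []
    for line in acl_lines:
        asa_local, asa_remote = parse_asa_acl(line)
        rel = (side(cp_local, asa_remote), side(cp_remote, asa_local))
        if rel == ("equal", "equal"):
            return "match", [(rel, line)]
        if "disjoint" not in rel:
            near.append((rel, line))
    return ("mismatch", near) if near else ("no-entry", [])

if __name__ == "__main__":
    for prop in [("192.168.1.0/24", "10.20.0.0/16"), ("192.168.5.0/24", "10.30.1.0/24")]:
        print(prop, check(*prop, ACL))
```

A "mismatch" verdict lists the ACL entries that overlap the proposal without being identical to it, which are the lines to reconcile with the Check Point encryption domain and tunnel sharing setting.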