Solved

Cisco ASA Checkpoint firewall Site to Site Tunnel

Posted on 2016-09-09
Last Modified: 2016-10-05
Hello EE
Has anyone of you folks ever had issues with traffic randomly not passing between a Cisco ASA 5510 8.2(5) and a Checkpoint FW?
I don't have access to the Checkpoint firewall, nor do I know much about the appliance.

Just to clarify: the tunnel from the Cisco side shows everything is peachy, but once a month or so traffic will stop flowing for about 30 mins, then it magically fixes itself. During the outage, running "show crypto isakmp sa" and "show crypto ipsec sa" shows everything is fine.
I have another tunnel to another Cisco ASA and it's totally fine.

I am stumped on this, but I ran across this post on the Cisco forums that is nearly identical to my issue.

https://supportforums.cisco.com/discussion/11327601/cant-fix-problem-between-asa-checkpoint-vpn

Any input or second opinions are welcome.
Thanks
Question by:El Fierro
LVL 14

Expert Comment

by:SIM50
ID: 41791734
It's hard to tell with the info you provided. During the outage, when you do "sh cry ipsec sa", do you see encaps but no decaps, or decaps but no encaps? Are there any related messages in the syslog? Is the other side up? Do you have DPD set up?
LVL 4

Author Comment

by:El Fierro
ID: 41791752
It's an oddity because from both ends it seems fine, from what the Checkpoint FW guy said. He's pointing the finger at Cisco, of course. Would supernetting, or simplified/traditional mode causing routing issues on the Checkpoint, cause this? During one of the outages a couple of servers were accessible via RDP and ICMP from the ASA to the Checkpoint. Just trying to get some feedback.
LVL 14

Expert Comment

by:SIM50
ID: 41791777
during one of the outages a couple of servers were accessible via rdp and icmp from the asa to checkpoint...just trying to get some feedback.

Check encaps and decaps. If you see encaps but no decaps, something happened to the traffic on the other side. It doesn't necessarily have to be a VPN issue. It could be routing, the server being down, etc.
LVL 4

Author Comment

by:El Fierro
ID: 41791880
When I ran "sh crypto ipsec sa peer x.x.x.x" I did see encaps; the only decaps I saw were for the 2 servers that were up, but within 15 mins they were unavailable. The Checkpoint guy said it looks like the traffic isn't getting encrypted on your end. He pointed at my ASA, but I was able to get to my other tunnel perfectly fine. It happens sporadically, so I will have to wait and see when it happens again.
LVL 14

Assisted Solution

by:SIM50
SIM50 earned 500 total points
ID: 41791890
If you see encaps, it means your traffic is being encrypted and sent through the tunnel.
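SIM50's check above (compare "#pkts encaps" against "#pkts decaps" for the affected SA during the outage) is easy to get wrong by eye when a peer has several SAs, so here is an added example, not from this thread or from Cisco, that does it mechanically: it parses two snapshots of "show crypto ipsec sa" taken a few minutes apart, computes the per-SA counter deltas, and labels each SA as healthy, idle, one-way in either direction, or reset. Everything in it is constructed: the peer addresses, networks and counter values are placeholders, and the parser assumes the ASA 8.2-style block layout in which the local/remote ident lines and "current_peer" precede the "#pkts encaps" line and the "#pkts decaps" line follows it.

```python
"""Classify IPsec SAs from two snapshots of ASA 'show crypto ipsec sa' output.

Added example for the encaps/decaps check discussed in this thread; all
addresses, networks and counters below are constructed placeholders.
"""
import re
from typing import Dict, Tuple

SAKey = Tuple[str, str, str]      # (peer, local ident, remote ident)
Counters = Tuple[int, int]        # (#pkts encaps, #pkts decaps)

# Assumed ASA 8.2 line formats; adjust the patterns if your release differs.
_LOCAL = re.compile(r"local ident \(addr/mask/prot/port\): \((.+?)\)")
_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \((.+?)\)")
_PEER = re.compile(r"current_peer:\s*([\d.]+)")
_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(text: str) -> Dict[SAKey, Counters]:
    """Return one (encaps, decaps) pair per SA, keyed by peer and proxy IDs."""
    sas: Dict[SAKey, Counters] = {}
    local = remote = peer = encaps = None
    for line in text.splitlines():
        if m := _LOCAL.search(line):
            local = m.group(1)
        elif m := _REMOTE.search(line):
            remote = m.group(1)
        elif m := _PEER.search(line):
            peer = m.group(1)
        elif m := _ENCAPS.search(line):
            encaps = int(m.group(1))
        elif m := _DECAPS.search(line):
            if None in (local, remote, peer, encaps):
                raise ValueError("decaps counter seen before its SA header")
            sas[(peer, local, remote)] = (encaps, int(m.group(1)))
            local = remote = peer = encaps = None   # start of the next SA block
    return sas


def classify(d_encaps: int, d_decaps: int) -> str:
    """Interpret counter deltas between two snapshots of the same SA."""
    if d_encaps < 0 or d_decaps < 0:
        # Counters restart when the SA is rebuilt (rekey, clear crypto ipsec sa).
        return "counters reset (rekey or clear crypto): take a fresh pair of snapshots"
    if d_encaps == 0 and d_decaps == 0:
        return "idle: no interesting traffic in either direction"
    if d_decaps == 0:
        return "one-way: we encrypt and send, nothing comes back (check the remote side)"
    if d_encaps == 0:
        return "one-way: we receive, nothing sent (check local routing/NAT/crypto ACL)"
    return "healthy: traffic flowing in both directions"


def diagnose(before: str, after: str) -> Dict[SAKey, Tuple[int, int, str]]:
    """Per-SA (delta encaps, delta decaps, verdict) for the later snapshot."""
    t0, t1 = parse_ipsec_sa(before), parse_ipsec_sa(after)
    report = {}
    for key, (e1, d1) in t1.items():
        e0, d0 = t0.get(key, (0, 0))      # SA absent earlier: treat it as fresh
        de, dd = e1 - e0, d1 - d0
        report[key] = (de, dd, classify(de, dd))
    return report


def _sa_block(local: str, remote: str, peer: str, encaps: int, decaps: int) -> str:
    """Constructed text in the layout of one ASA 'show crypto ipsec sa' SA block."""
    return (
        "    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1\n\n"
        f"      local ident (addr/mask/prot/port): ({local}/0/0)\n"
        f"      remote ident (addr/mask/prot/port): ({remote}/0/0)\n"
        f"      current_peer: {peer}\n\n"
        f"      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
        "      #send errors: 0, #recv errors: 0\n\n"
    )


# Placeholder peers: one standing in for the Checkpoint, one for the other ASA.
CHECKPOINT_PEER, OTHER_ASA_PEER = "198.51.100.7", "192.0.2.9"
LAN, CP_NET, ASA_NET = "10.1.0.0/255.255.0.0", "10.2.0.0/255.255.0.0", "10.3.0.0/255.255.255.0"

SNAPSHOT_T0 = ("interface: outside\n"
               + _sa_block(LAN, CP_NET, CHECKPOINT_PEER, 1000, 940)
               + _sa_block(LAN, ASA_NET, OTHER_ASA_PEER, 500, 480))
# Five minutes later: the Checkpoint SA keeps encapsulating but decaps is flat.
SNAPSHOT_T1 = ("interface: outside\n"
               + _sa_block(LAN, CP_NET, CHECKPOINT_PEER, 1300, 940)
               + _sa_block(LAN, ASA_NET, OTHER_ASA_PEER, 650, 620))

if __name__ == "__main__":
    for (peer, local, remote), (de, dd, verdict) in diagnose(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{peer} {local} -> {remote}: +{de} encaps, +{dd} decaps: {verdict}")
```

Take the two snapshots inside one SA lifetime; a rekey or "clear crypto ipsec sa" between them restarts the counters and the script reports a reset rather than guessing. On real output the interesting case is the one the author describes: encaps climbing on the Checkpoint SA while decaps stays flat, which is the point at which the remote admin's logs and a packet capture on their side, not a Cisco TAC case, are the next step.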
LVL 4

Author Comment

by:El Fierro
ID: 41791898
Right, here is the kicker: during that period when everything on that end is unreachable, I can't get any ICMP replies and the traceroute dies. I can ping and access my other tunnel's resources, and the internet is up and running fine. BTW, the other tunnel's far end is an ASA. That's why I am wondering what kind of tweaking must be done on each end.
LVL 14

Expert Comment

by:SIM50
ID: 41794235
during one of the outages a couple of servers were accessible via rdp and icmp from the asa to checkpoint

during that period when everything on that end is unreachable i can't get any icmp replies and the trace route dies

So is it completely unreachable, or only some IPs?

Ask the Checkpoint admin to provide you with the relevant logs and ask him to also do a packet capture.
LVL 4

Author Comment

by:El Fierro
ID: 41794308
We gradually noticed, when those outages have happened, that not everything goes out at once: one server/resource at a time, to the point that all IPs/servers in this tunnel are unreachable for a small time window. I don't do anything but wait, and it fixes itself.

They said that they saw several phase 2 IKE errors (don't know how old), but they cleared them. During one of their log checks for traffic activity they didn't see any RDP in their logs, yet our DBA guy was RDP'd onto the server; he even disconnected and reconnected fine. They told me to call Cisco, which I think is a cop-out, IMO. They say everything is fine on our end from what they see.

I've never encountered something like this, and I've set up Cisco to SonicWall a few times, aside from Cisco to Cisco, which has been over a dozen times. There has to be some kind of policy or route summarization that may be causing this.
LVL 4

Accepted Solution

by:El Fierro
El Fierro earned 0 total points
ID: 41824284
We reset both sides of the tunnel to make sure both sides matched on phase 1 and phase 2 security settings.
LVL 4

Author Closing Comment

by:El Fierro
ID: 41829517
Because we had to reset both sides of the VPN tunnel configs.