topic Checkpoint to Cisco VPN in General Topics

Checkpoint to Cisco VPN

Raj_Khatri — Wed, 27 Jun 2018 18:11:17 GMT

We have a Star VPN with 3rd Party Cisco ASA firewall (interoperable device). The VPN is up and stable and able to pass traffic between encryption domains. We are experiencing an intermittent issue when traffic is initiated from the Cisco side to a resource on our Checkpoint side, when it needs to traverse our Mesh VPN network.

When the Source connects to resource that goes over 2 VPN connections, it fails on the first and sometimes second attempt but successfully connects the third attempt. It never connects the first time. There are no drops on FW-A or FW-B.

Working:

Source -> Cisco ASA -> Star VPN -> Checkpoint FW-A -> Resource

Not Working:

Source -> Cisco ASA -> Star VPN -> Checkpoint FW-A -> Mesh VPN -> Checkpoint FW-B -> Resource

Has anyone run into this?

Re: Checkpoint to Cisco VPN

Maarten_Sjouw — Wed, 27 Jun 2018 20:51:59 GMT

Try to setup Dead Peer Detection on the ASA, follow the SK to set the CP to work with DPD and set permanent tunnels on and set your tunnels to pair on per subnet not per host pair.

Do you happen to use an exclusion group for the center gateway's VPN Topology? If so you could run into an issue that the CP will use per host tunneling.

Re: Checkpoint to Cisco VPN

Raj_Khatri — Thu, 28 Jun 2018 11:31:18 GMT

The VPN tunnel is already configured for per subnet pair and we are using a Group with Exclusions for the center gateway VPN topology. It appears this is the SK describing this - sk39679