IPSEC VPN Tunnel going down during data transfer

Hi,

We have an IPsec tunnel between an ASA deployed in the data center and a Check Point deployed on Azure.

The tunnel has been working fine for the last 8 months for all the servers. We recently added an application server behind the ASA firewall and a SQL server behind the Check Point firewall as part of the encryption domain.

When the application server is fetching data from the SQL server, the tunnel goes down after processing 1 lac to 2 lac records.

No PFS is configured. The tunnel sharing setting is set to "One VPN tunnel per subnet pair".

CPU and RAM utilization are ok.

So what could be the issue?

 

Thanks

Ankit Sharma

 

Admin

When you say the VPN "goes down", what is the precise behavior observed?
What errors/logs do you see?
What version/JHF?

0 Kudos
Reply
Participant

Hi Phoneboy,

The issue got resolved.

TAC analyzed the VPN debugs and found that Check Point is receiving the Phase-II lifetime in KiloBytes from the peer-end ASA firewall.
By default Check Point doesn't support or accept the lifetime in KiloBytes:

<== Remote peer(X.X.X.X)
SA Life Type:        Seconds
SA Life Duration:    28800
SA Life Type:        KiloBytes
SA Life Duration:    4608000
Encapsulation Mode:    
Authentication Alg:    HMAC-SHA1
Key Length:        256
==> Sent to peer X.X.X.X
Notify Type:    24576 (RESPONDER-LIFETIME)
SPI:
68 88 bd 2a
Notify Data:
80 01 00 02 00 02 00 04 00 00 00 00
SA Life Type:        KiloBytes
SA Life Duration:    0

Here Check Point is replying with the lifetime as 0, which means we do not support or accept it.
You will be able to see several kinds of issue where the re-keying process fails due to renegotiation, and when Phase-II is initiated by the peer end.
As a workaround, you can disable the lifetime in KiloBytes from the peer end. I believe the peer end is a Cisco ASA, so you can use the following command to verify:

sh run all | i crypto-map

If you can see the set lifetime, kindly change it to unlimited using the command:

crypto map map-name seq-num set security-association lifetime {seconds number | kilobytes { number | unlimited }}

For more information please refer to the following document:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c6.html

As an alternative solution, you can enable the lifetime in kilobytes on the Check Point device as well by following sk108600 scenario 6 (by default it is off).

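The Notify Data bytes in the debug above are IPsec DOI SA attributes (RFC 2407) in the ISAKMP attribute encoding (RFC 2408). As an added example that is not part of this thread and not vendor code, the following Python decoder parses those bytes so the RESPONDER-LIFETIME payload can be read directly; the attribute class and life-type numbers come from RFC 2407, and the sample bytes are copied from the post.

```python
# Decoder for the SA attributes inside an IKEv1 RESPONDER-LIFETIME notify (type 24576).
# Attribute wire format: RFC 2408 section 3.3; IPsec DOI classes/values: RFC 2407 section 4.5.
from typing import List, Optional, Tuple

# IPsec DOI SA attribute classes and SA Life Type values (RFC 2407 section 4.5)
ATTR_CLASSES = {1: "SA Life Type", 2: "SA Life Duration", 3: "Group Description",
                4: "Encapsulation Mode", 5: "Authentication Algorithm", 6: "Key Length"}
LIFE_TYPES = {1: "Seconds", 2: "KiloBytes"}


def decode_attributes(data: bytes) -> List[Tuple[int, int]]:
    """Parse ISAKMP data attributes into (class, value) pairs.

    TV form (AF bit 0x8000 set): a 2-byte value follows the type.
    TLV form (AF bit clear): a 2-byte length, then that many value bytes.
    """
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError(f"truncated attribute header at offset {off}")
        raw_type = int.from_bytes(data[off:off + 2], "big")
        cls = raw_type & 0x7FFF
        if raw_type & 0x8000:
            value = int.from_bytes(data[off + 2:off + 4], "big")
            off += 4
        else:
            length = int.from_bytes(data[off + 2:off + 4], "big")
            end = off + 4 + length
            if end > len(data):
                raise ValueError(f"truncated TLV attribute at offset {off}")
            value = int.from_bytes(data[off + 4:end], "big")
            off = end
        attrs.append((cls, value))
    return attrs

def responder_lifetime(attrs: List[Tuple[int, int]]) -> Optional[Tuple[str, int]]:
    """Return (life type name, duration) the responder will enforce, or None if incomplete."""
    life_type = next((v for c, v in attrs if c == 1), None)
    duration = next((v for c, v in attrs if c == 2), None)
    if life_type is None or duration is None:
        return None
    return LIFE_TYPES.get(life_type, f"unknown({life_type})"), duration

# Notify Data bytes copied from the debug output in the thread
NOTIFY_DATA = bytes.fromhex("80 01 00 02 00 02 00 04 00 00 00 00")

if __name__ == "__main__":
    parsed = decode_attributes(NOTIFY_DATA)
    for cls, value in parsed:
        print(f"{ATTR_CLASSES.get(cls, f'class {cls}')}: {value}")
    print("responder lifetime:", responder_lifetime(parsed))  # ('KiloBytes', 0)
```

Decoding the first attribute as class 1 with value 2 (KiloBytes) and the second as class 2 with a 4-byte value of 0 reproduces the two "SA Life Type / SA Life Duration" lines the gateway printed under the notify.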
Participant

Issue got resolved post making the required change on the ASA firewall, i.e. we set the data limit on the ASA from xxxxxxKB to unlimited in the crypto map settings using the below command.

crypto map map-name seq-num set security-association lifetime {seconds number | kilobytes { number | unlimited }}

“3rd party VPN peer proposes Phase 2 lifetime in kilobytes

Symptoms:

A Phase 2 lifetime in kilobytes is configured on the 3rd party VPN peer. Therefore, it offers it in addition to the lifetime in seconds.

This means the peer wants to renegotiate the tunnel at the end of the lifetime in seconds, or after the number of specified kilobytes has been encrypted - whichever happens first.

On the Check Point Security Gateway, Phase 2 lifetime is configured only in seconds. Therefore, even though it accepts the proposal for Phase 2 lifetime from the 3rd party VPN peer in kilobytes, it also sends back a "RESPONDER-LIFETIME" notification to notify that it is only going to enforce the Phase 2 lifetime in seconds.

With some 3rd party VPN vendors, it is necessary to match the exact initiator's proposal, including the lifetime in kilobytes. Otherwise, they will drop the tunnel and initiate a new negotiation over and over again.”
