IPSEC VPN Tunnel going down during data transfer
Hi,
We have an IPSEC tunnel between an ASA deployed in the data center and a Check Point deployed on Azure.
The tunnel has been working fine for the last 8 months for all the servers. We recently added an application server behind the ASA firewall and a SQL server behind the Check Point firewall as part of the encryption domain.
When the application server is fetching data from the SQL server, the tunnel goes down after processing 1 lac to 2 lac records.
No PFS is configured. The tunnel sharing setting is set to One VPN tunnel per subnet pair.
CPU and RAM utilization are OK.
So what could be the issue?
Thanks
Ankit Sharma
Accepted Solutions
Hi Phoneboy,
The issue got resolved.
TAC analyzed the VPN debugs and found that Check Point is receiving the Phase-II lifetime in KiloBytes from the peer end ASA firewall.
By default Check Point doesn't support or accept the lifetime in KiloBytes:
<== Remote peer(X.X.X.X)
SA Life Type: Seconds
SA Life Duration: 28800
SA Life Type: KiloBytes
SA Life Duration: 4608000
Encapsulation Mode:
Authentication Alg: HMAC-SHA1
Key Length: 256
==> Sent to peer X.X.X.X
Notify Type: 24576 (RESPONDER-LIFETIME)
SPI:
68 88 bd 2a
Notify Data:
80 01 00 02 00 02 00 04 00 00 00 00
SA Life Type: KiloBytes
SA Life Duration: 0
Here Check Point is replying with a lifetime of 0, which means we do not support or accept it.
You will be able to see several kinds of issue where the re-keying process fails due to renegotiation and when Phase-II is initiated by the peer end.
As a workaround, you can disable the lifetime in KiloBytes from the peer end. I believe the peer end is a Cisco ASA, so you can use the following command to verify:
sh run all | i crypto-map
If you can see the set lifetime, kindly change it to unlimited using the command:
crypto map map-name seq-num set security-association lifetime {seconds number | kilobytes { number | unlimited }}
For more information please refer to the following document:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c6.html
An alternative solution: you can enable the lifetime in kilobytes on the Check Point device as well by following sk108600 scenario 6. (By default it is off.)
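As an added example (not part of the original thread or of either vendor's code), a small Python decoder for the ISAKMP data attributes carried in the RESPONDER-LIFETIME Notify Data quoted above; it shows why "80 01 00 02 00 02 00 04 00 00 00 00" reads as "SA Life Type: KiloBytes, SA Life Duration: 0". The attribute encoding follows RFC 2408, the IPsec DOI attribute numbers follow RFC 2407, and the byte string is constructed from the debug output in this post.

```python
import struct

# IPsec DOI attribute types (RFC 2407 section 4.5) and SA Life Type values
ATTR_NAMES = {1: "SA Life Type", 2: "SA Life Duration", 4: "Encapsulation Mode",
              5: "Authentication Alg", 6: "Key Length"}
LIFE_TYPES = {1: "Seconds", 2: "KiloBytes"}


def parse_isakmp_attributes(data):
    """Parse ISAKMP data attributes (RFC 2408 section 3.3) into (type, value) pairs.

    Bit 15 of the 2-byte header is the Attribute Format flag: 1 means a
    Type/Value attribute with a fixed 2-byte value, 0 means Type/Length/Value.
    """
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        hdr, field = struct.unpack_from("!HH", data, off)
        atype, off = hdr & 0x7FFF, off + 4
        if hdr & 0x8000:                      # TV: 'field' is the value itself
            value = field
        else:                                 # TLV: 'field' is the value length
            if off + field > len(data):
                raise ValueError("truncated TLV value for attribute %d" % atype)
            value = int.from_bytes(data[off:off + field], "big")
            off += field
        attrs.append((atype, value))
    return attrs


def lifetimes(attrs):
    """Pair each SA Life Type with the SA Life Duration that follows it."""
    result, pending = {}, None
    for atype, value in attrs:
        if atype == 1:
            pending = LIFE_TYPES.get(value, "Unknown(%d)" % value)
        elif atype == 2 and pending is not None:
            result[pending], pending = value, None
    return result


# Constructed from the Notify Data bytes quoted in the accepted solution
NOTIFY_DATA = bytes.fromhex("8001 0002 0002 0004 0000 0000")


def responder_lifetime_kilobytes(data=NOTIFY_DATA):
    """KiloBytes lifetime the responder announced; 0 means it will not enforce one."""
    return lifetimes(parse_isakmp_attributes(data)).get("KiloBytes")
```

Running `lifetimes(parse_isakmp_attributes(NOTIFY_DATA))` yields `{'KiloBytes': 0}`, matching the decoded debug lines; feeding it the peer's own proposal bytes decodes both the Seconds and KiloBytes limits.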
When you say the VPN "goes down", what is the precise behavior observed?
What errors/logs do you see?
What version/JHF?
The issue got resolved after making the required change on the ASA firewall, i.e. we set the data limit on the ASA from xxxxxxKB to unlimited in the crypto map settings using the below command.
crypto map map-name seq-num set security-association lifetime {seconds number | kilobytes { number | unlimited }}
“3rd party VPN peer proposes Phase 2 lifetime in kilobytes
Symptoms:
A Phase 2 lifetime in kilobytes is configured on the 3rd party VPN peer. Therefore, it offers it in addition to the lifetime in seconds.
This means the peer wants to renegotiate the tunnel at the end of the lifetime in seconds, or after the number of specified kilobytes has been encrypted - whichever happens first.
On the Check Point Security Gateway, Phase 2 lifetime is configured only in seconds. Therefore, even though it accepts the proposal for Phase 2 lifetime from 3rd party VPN peer in kilobytes, it also sends back a "RESPONDER-LIFETIME" notification to notify that it is only going to enforce the Phase 2 lifetime in seconds.
With some 3rd party VPN vendors, it is necessary to match the exact initiator's proposal, including the lifetime in kilobytes. Otherwise, they will drop the tunnel and initiate a new negotiation over and over again.”