CheckMates Discussion: Cloud Network Security
VPN issue between Checkpoint on AWS and Cisco ASA on premise
Hello,
I have a VPN tunnel up and running between Check Point R77.30 on AWS and a Cisco ASA on premise. Traffic is coming from the Cisco side; however, from the Check Point side it is getting dropped (Encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database) and rejected (Encryption failure: no response from peer.). Please advise.
What did you find when you compared the Check Point and ASA VPN configurations?
The issue was due to a VPN domain mismatch. It is resolved now after giving the same subnet IPs at both ends. Check Point had the full subnet defined, and at Cisco only 3 IPs of the same subnet were there.
Check on your Cisco what VPN Encryption Domain networks (crypto map) the Check Point tries to negotiate with it. Adjust your Cisco config accordingly.
Thanks Danny,
You were right. Check Point had the full remote network subnet in its VPN domain, whereas on the Cisco side only 3 IPs of the subnet were listed. After adjusting the VPN domain, the connection worked fine.
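As an added example (not code from this thread, nor from Check Point or Cisco), here is a small Python checker for exactly the mismatch described above: it parses Cisco ASA crypto-map ACL lines and reports every Check Point VPN-domain pair that has no identical entry on the ASA side, listing ASA entries that are merely narrower, such as a few host IPs where the Check Point side defines the whole subnet. The subnets and ACL lines are constructed, and the check assumes Phase 2 proxy IDs must agree exactly on both ends.

```python
import ipaddress

# Constructed sample: Check Point VPN domain (AWS side) and the on-prem subnet.
CP_LOCAL_DOMAIN = [ipaddress.ip_network("10.10.0.0/24")]
CP_REMOTE_DOMAIN = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed ASA crypto ACLs: three host entries where the Check Point side
# defines the whole subnet (the thread's symptom), then the aligned version.
ASA_ACL_BROKEN = [
    "access-list VPN-ACL extended permit ip host 192.168.10.5 10.10.0.0 255.255.255.0",
    "access-list VPN-ACL extended permit ip host 192.168.10.6 10.10.0.0 255.255.255.0",
    "access-list VPN-ACL extended permit ip host 192.168.10.7 10.10.0.0 255.255.255.0",
]
ASA_ACL_FIXED = [
    "access-list VPN-ACL extended permit ip 192.168.10.0 255.255.255.0 10.10.0.0 255.255.255.0",
]

def _take_net(tokens):
    """Consume one ASA address spec: 'host A.B.C.D', 'A.B.C.D MASK' or 'any'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_asa_acl(acl_lines):
    """Return (src, dst) network pairs from 'access-list ... permit ip' lines."""
    pairs = []
    for line in acl_lines:
        parts = line.split()
        if len(parts) < 7 or parts[0] != "access-list" or parts[3:5] != ["permit", "ip"]:
            continue
        src, rest = _take_net(parts[5:])
        dst, _ = _take_net(rest)
        pairs.append((src, dst))
    return pairs

def find_mismatches(cp_local, cp_remote, asa_pairs):
    """Check Point proxy-ID pairs (local, remote) lacking an exact ASA ACE.
    The ASA's ACE source must equal the Check Point remote network and its
    destination the Check Point local one (assumes exact Phase 2 proxy-ID
    match); narrower ASA entries, the thread's symptom, are listed too."""
    asa_view = {(dst, src) for src, dst in asa_pairs}
    missing = []
    for local in cp_local:
        for remote in cp_remote:
            if (local, remote) not in asa_view:
                narrower = sorted(s for l, s in asa_view if l == local and s.subnet_of(remote))
                missing.append((local, remote, narrower))
    return missing
```

Running `find_mismatches` against `ASA_ACL_BROKEN` reports the subnet pair with the three /32 entries as narrower matches; against `ASA_ACL_FIXED` it returns an empty list.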
Yeah. This type of error generally comes from a mismatch of the VPN encryption domain. It should be the same at both ends.
First it chooses the valid proposal and negotiates with the same proposal. So check the encryption method and algorithm as well.
Thanks Gaurav,
You were right. Check Point had the full remote network subnet in its VPN domain, whereas on the Cisco side only 3 IPs of the subnet were listed. After adjusting the VPN domain, the connection worked fine.
OK, great.
When you configured the VPN domain, did you set up your network subnet too, in the network group?