Raj_Khatri
Advisor

Check Point to Cisco VPN

We have a Star VPN with a 3rd-party Cisco ASA firewall (interoperable device). The VPN is up and stable and able to pass traffic between encryption domains. We are experiencing an intermittent issue when traffic is initiated from the Cisco side to a resource on our Check Point side, when it needs to traverse our Mesh VPN network.

When the Source connects to a resource that goes over 2 VPN connections, it fails on the first and sometimes the second attempt but successfully connects on the third attempt. It never connects the first time. There are no drops on FW-A or FW-B.

Working:

Source   ->   Cisco ASA   ->   Star VPN   ->   Check Point FW-A   ->   Resource

Not Working:

Source   ->   Cisco ASA   ->   Star VPN   ->   Check Point FW-A   ->   Mesh VPN   ->   Check Point FW-B   ->   Resource

Has anyone run into this?

2 Replies
Maarten_Sjouw
Champion

Try to set up Dead Peer Detection on the ASA, follow the SK to set the CP to work with DPD, set permanent tunnels on, and set your tunnels to pair per subnet, not per host pair.

Do you happen to use an exclusion group for the center gateway's VPN topology? If so, you could run into an issue where the CP will use per-host tunneling.

Regards, Maarten
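For reference, this is what the ASA side of Maarten's suggestion looks like in configuration. It is an added example, not config posted in this thread or taken from Raj's environment: the peer address 198.51.100.10, the interface name "outside", the subnets and the policy parameters are placeholders, and the pre-shared key is left as a token. The two points that matter for the symptom described above are marked with comments: one ACL entry per subnet pair (so the ASA proposes the same proxy IDs the Check Point side expects for per-subnet tunnels) and DPD under the tunnel-group, so a stale Phase 2 SA is detected and renegotiated instead of silently dropping the first connection attempts.

```cisco
! Added example (not from the thread): IKEv1 crypto-map site-to-site VPN on a
! Cisco ASA peering with a Check Point gateway. Addresses, names and subnets
! below are placeholders chosen for illustration.
!
! Interesting traffic: one ACE per subnet pair, NOT per host, so the ASA's
! Phase 2 proxy IDs line up with the Check Point encryption-domain subnets
! (10.10.0.0/16 behind the ASA, 10.20.0.0/16 behind FW-A, 10.30.0.0/16
! behind FW-B reached across the mesh).
access-list CP_VPN extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list CP_VPN extended permit ip 10.10.0.0 255.255.0.0 10.30.0.0 255.255.0.0
!
! Phase 1 policy (placeholder values; match whatever the Check Point
! community is configured for).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
!
! Phase 2 transform set and crypto map bound to the outside interface.
crypto ipsec ikev1 transform-set CP_TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address CP_VPN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set CP_TS
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>
 ! Dead Peer Detection: send a DPD probe after 10 s with no traffic from the
 ! peer and retry every 2 s. A peer that stops answering has its SAs torn
 ! down, so the next packet triggers a fresh negotiation rather than being
 ! sent into a dead tunnel.
 isakmp keepalive threshold 10 retry 2
```

On the Check Point side the equivalent settings live in the VPN community object in SmartConsole (Tunnel Management: "Set Permanent Tunnels" and the "One VPN tunnel per subnet pair" sharing option) rather than in a config file, and DPD for interoperable devices is enabled per the SK Maarten refers to, so they are not shown here. When verifying, `show crypto ipsec sa peer 198.51.100.10` on the ASA should list one SA pair per subnet pair in CP_VPN; if SAs appear with /32 proxy IDs instead, the two sides are still disagreeing on tunnel granularity, which is the per-host tunneling behaviour the reply warns about.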
Raj_Khatri
Advisor

The VPN tunnel is already configured for per-subnet pair, and we are using a Group with Exclusions for the center gateway VPN topology. It appears this is the SK describing this: sk39679
