This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Raj_Khatri
Advisor
‎2018-06-27 11:11 AM

Checkpoint to Cisco VPN

We have a Star VPN with 3rd Party Cisco ASA firewall (interoperable device).  The VPN is up and stable and able to pass traffic between encryption domains.  We are experiencing an intermittent issue when traffic is initiated from the Cisco side to a resource on our Checkpoint side, when it needs to traverse our Mesh VPN network. 

When the Source connects to resource that goes over 2 VPN connections, it fails on the first and sometimes second attempt but successfully connects the third attempt.  It never connects the first time.  There are no drops on FW-A or FW-B.

Working:

Source   ->   Cisco ASA   ->   Star VPN   ->   Checkpoint FW-A   ->   Resource

Not Working:

Source   ->   Cisco ASA   ->   Star VPN   ->   Checkpoint FW-A   ->   Mesh VPN   -> Checkpoint FW-B   -> Resource

Has anyone run into this?

0 Kudos
2 Replies
Maarten_Sjouw
Champion
Champion
‎2018-06-27 01:51 PM

Try to setup Dead Peer Detection on the ASA, follow the SK to set the CP to work with DPD and set permanent tunnels on and set your tunnels to pair on per subnet not per host pair.

Do you happen to use  an exclusion group for the center gateway's VPN Topology? If so you could run into an issue that the CP will use per host tunneling.

Regards, Maarten
0 Kudos
Raj_Khatri
Advisor
‎2018-06-28 04:31 AM
In response to Maarten_Sjouw

The VPN tunnel is already configured for per subnet pair and we are using a Group with Exclusions for the center gateway VPN topology.  It appears this is the SK describing this - sk39679

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events