Hello guys,
I have trouble with a Site-to-Site VPN between an R77.30 and a Cisco ASA gateway.
The subnets on my side:
192.168.4.0/22
192.168.30.0/22
192.168.40.0/22
I have 3 subnets on my side which need to access 12 subnets on the other side.
The 12 subnets are in the Encryption Domain. However, only devices in 2 of the subnets can ping a remote host.
The hosts 192.168.4.1 and 192.168.40.1 can ping 192.168.2.12 in the remote subnet.
The connection from 192.168.30.0/22 is very unstable and I get timeouts longer than half a day. At some point the connection is working again. On both sides nothing was changed. Can someone help? I don't know how to troubleshoot the issue.
Doesn't it look like something worth asking the vendor's tech support to deal with, given your exact networks and setup?
VPN R77 Versions Administration Guide
How to run complete VPN debug on Security Gateway to troubleshoot VPN issues?
Also this KB can be a good start
Then you need to check the design (routing mechanism, encryption domain, the provider's implementation of the protocols),
then turn on complete debug following Aleksei Shelepov's suggestion.
After collecting the logs, install the IKE View Tool and try to make sense of them. (@checkpoint please hear me crying... rewrite this tool and add it to the diagnosticview tool!)
Hello, I tried debugging with IKEView. I saw that the Lifetime and Encryption settings of Phase 1 were different. I corrected this, but now I am unable to establish Phase 1.
I am stuck in MM packet 3 (20:56:18) - Thu Jul 5 2018
Transport: UDP (IPv4)
PeerIP: xxxxxxx
PeerPort: 500
Peer Name: gw_CHINA
==> Sent to peer x.x.x.x
The parameters of Transform Payload - KEY_IKE like Encryption Algorithm, Key Length, Hash Algorithm, Authentication Method, Life Type, Group Description and Life Duration are equal on both sides.
Have you checked the PSK again? MM3 should be part of the key exchange.
Otherwise, what type of VPN Tunnel Sharing is configured in the community?
If your Phase 1 comes up again, you will see the information in P2; if needed you can try the 3 options. I had some problems with 3rd party gateways in the past when using "One tunnel per subnet pair" or "One tunnel per gateway pair", depending on what the partner had configured.
I would suggest going through sk108600: VPN Site-to-Site with 3rd Party.
Do you have access to the ASA to view the configuration / logs there...?
The most common issue is the "One tunnel per subnet pair" setting not being set. Also, I had some issues with the PFS group set higher than group 5; for whatever reason, it only worked with group 5 or less.
The next step would be to have a look at the IPsec and IKE session details on the ASA side, to see if your packets arrive there but are not routed back correctly, or other issues...
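Two checks that go with the advice above, written as an added example rather than anything from the thread or from Check Point: first, validate that every encryption-domain entry is an aligned network (note that 192.168.30.0 with a /22 mask has host bits set; the block the mask selects is 192.168.28.0/22, so it is worth confirming both gateways interpret that entry the same way), and second, list the per-subnet-pair proxy IDs that "One tunnel per subnet pair" negotiates and compare them against the peer's crypto ACL, since IKEv1 Quick Mode needs exact agreement. The remote subnets and the ASA-side ACL are constructed placeholders, not the poster's real configuration.

```python
import ipaddress

# Constructed inputs: the three local subnets quoted in the post, and two
# hypothetical remote subnets standing in for the 12 behind the ASA.
LOCAL_DOMAIN = ["192.168.4.0/22", "192.168.30.0/22", "192.168.40.0/22"]
REMOTE_DOMAIN = ["192.168.2.0/24", "192.168.10.0/24"]


def check_alignment(cidrs):
    """Map each entry to None if it is a properly aligned network, otherwise to
    the block its mask really selects (the address has host bits set)."""
    out = {}
    for c in cidrs:
        try:
            ipaddress.ip_network(c, strict=True)
            out[c] = None
        except ValueError:
            out[c] = str(ipaddress.ip_network(c, strict=False))
    return out


def subnet_pair_selectors(local, remote):
    """Proxy-ID pairs negotiated in Phase 2 under 'one tunnel per subnet pair':
    one SA for every (local subnet, remote subnet) combination, as typed."""
    return sorted((l, r) for l in local for r in remote)


def unmatched_selectors(proposed, peer_acl):
    """Proposed (local, remote) pairs for which the peer's crypto ACL has no
    exact counterpart. The ACL is written from the peer's view (src = its
    side, dst = our side), so it is mirrored before comparing; any leftover
    pair will fail Quick Mode with a proxy-ID mismatch."""
    mirrored = {(dst, src) for src, dst in peer_acl}
    return [p for p in proposed if p not in mirrored]


# Constructed ASA-side crypto ACL: the admin typed the aligned block
# 192.168.28.0/22 and left out one of the 192.168.40.0/22 pairs.
PEER_ACL = [
    ("192.168.2.0/24", "192.168.4.0/22"), ("192.168.10.0/24", "192.168.4.0/22"),
    ("192.168.2.0/24", "192.168.28.0/22"), ("192.168.10.0/24", "192.168.28.0/22"),
    ("192.168.2.0/24", "192.168.40.0/22"),
]

if __name__ == "__main__":
    for cidr, fixed in check_alignment(LOCAL_DOMAIN).items():
        print(cidr, "ok" if fixed is None else f"host bits set, mask selects {fixed}")
    proposed = subnet_pair_selectors(LOCAL_DOMAIN, REMOTE_DOMAIN)
    for pair in unmatched_selectors(proposed, PEER_ACL):
        print("no matching peer ACL entry for", pair)
```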