This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Post a Question
Help
bam_oida
bam_oida
Ivory
‎2018-07-04 12:18 PM

Site-to-Site VPN connection issue with CISCO ASA

Hello guys,

I have troubles with a Site-to-Site VPN between a R77.30 and a CISCO ASA Gateway.

The subnets on my side:

192.168.4.0/22

192.168.30.0/22

192.168.40.0/22

I have 3 subnets on my side which needs to access 12 subnets on the other side.

The 12 subnets are in the Encryption Domain. However only devices only 2 subnets can ping a remote Host.

The hosts 192.168.4.1 and 192.168.40.1 can ping 192.168.2.12 in the remote subnet.

The connection from 192.168.30.0/22 is very unstable and I get timeouts longer then half a day. At some point the connection is working again. On both sides nothing was changed. Can someone help? I don't know how to troubleshoot the issue.

Reply
6 Replies
AlekseiShelepov
AlekseiShelepov
Gold
‎2018-07-05 12:53 AM

Re: Site-to-Site VPN connection issue with CISCO ASA

Doesn't it look like something worth asking tech support of the vendor to deal with your exact networks and setup?

VPN R77 Versions Administration Guide 

VPN Troubleshooting Solutions 

How to run complete VPN debug on Security Gateway to troubleshoot VPN issues? 

Reply
Pierre-Aymeric_
Pierre-Aymeric_
Iron
‎2018-07-05 04:08 AM

Re: Site-to-Site VPN connection issue with CISCO ASA

Also this KB can be a good start

Site to Site with 3rd party

then you need to ensure what's the design (routing mecanism, encryption domain, provider implementation of protocols)

then turn on complete debug following Aleksei Shelepov‌ suggestion.

after the log collect, install IKE View Tool and try understanding something. (@checkpoint please hear me crying... rewrite this tool and add it to the diagnosticview tool ! )

0 Kudos
Reply
bam_oida
bam_oida
Ivory
‎2018-07-05 12:34 PM

Re: Site-to-Site VPN connection issue with CISCO ASA

Hello I tried debug with IKEView. I saw that Lifetime and Encryption of Phase 1 was different. I corrected this but now Iam unable to establish Phase 1.

Iam stuck in MM MM packet 3 (20:56:18)-  Thu Jul 5 2018

 

Transport:        UDP (IPv4)
PeerIP:            xxxxxxx
PeerPort:        500
Peer Name:        gw_CHINA

 

==> Sent to peer x.x.x.x

 

The parameters of Transform Payload - KEY_IKE like Encryption Algorithm, Key Length, Hash Algorithm, Authentication Method, Life Type,Group Description and Life Duration are equal on both sides.

0 Kudos
Reply
Georg_Reichau
Georg_Reichau
Iron
‎2018-07-09 10:11 AM

Re: Site-to-Site VPN connection issue with CISCO ASA

Have you checked the PSK again? MM3 should be part of the key exchange.

Otherwise, what type of VPN Tunnel Sharing is configured in the community?

If your phase 1 comes up again, you see the information in P2, if if needed you can try between the 3 options. I had some problems with 3rd party gateways in the past, when using "One tunnel per subnet pair" or "One tunnel per gateway pair" depending what the partner had configured.

0 Kudos
Reply
G_W_Albrecht
G_W_Albrecht
Jade
‎2018-07-05 04:13 AM

Re: Site-to-Site VPN connection issue with CISCO ASA

I would suggest to go thru sk108600: VPN Site-to-Site with 3rd Party.

0 Kudos
Reply
Daniel_Meier
Daniel_Meier
Copper
‎2018-07-09 12:24 PM

Re: Site-to-Site VPN connection issue with CISCO ASA

Do you have access to the ASA to view the configuration / logs there...?

Most common issue is the "One tunnel per subnet pair" setting not set. Also I had some issues with pfs group set to higher than group5, for any reason, it only worked with group 5 or less.

Next one would be to have a look at the IPSEC and IKE session details on ASA side, to see, if your packets arive there but are not routed back correctly or other issues...

0 Kudos
Reply