This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bam_oida
Explorer
‎2018-07-04 12:18 PM

Site-to-Site VPN connection issue with CISCO ASA

Hello guys,

I have troubles with a Site-to-Site VPN between a R77.30 and a CISCO ASA Gateway.

The subnets on my side:

192.168.4.0/22

192.168.30.0/22

192.168.40.0/22

I have 3 subnets on my side which needs to access 12 subnets on the other side.

The 12 subnets are in the Encryption Domain. However only devices only 2 subnets can ping a remote Host.

The hosts 192.168.4.1 and 192.168.40.1 can ping 192.168.2.12 in the remote subnet.

The connection from 192.168.30.0/22 is very unstable and I get timeouts longer then half a day. At some point the connection is working again. On both sides nothing was changed. Can someone help? I don't know how to troubleshoot the issue.

6 Replies
AlekseiShelepov
Advisor
‎2018-07-05 12:53 AM

Doesn't it look like something worth asking tech support of the vendor to deal with your exact networks and setup?

VPN R77 Versions Administration Guide 

VPN Troubleshooting Solutions 

How to run complete VPN debug on Security Gateway to troubleshoot VPN issues? 

Pierre-Aymeric_
Participant
‎2018-07-05 04:08 AM

Also this KB can be a good start

Site to Site with 3rd party

then you need to ensure what's the design (routing mecanism, encryption domain, provider implementation of protocols)

then turn on complete debug following Aleksei Shelepov‌ suggestion.

after the log collect, install IKE View Tool and try understanding something. (@checkpoint please hear me crying... rewrite this tool and add it to the diagnosticview tool ! )

0 Kudos
bam_oida
Explorer
‎2018-07-05 12:34 PM
In response to Pierre-Aymeric_

Hello I tried debug with IKEView. I saw that Lifetime and Encryption of Phase 1 was different. I corrected this but now Iam unable to establish Phase 1.

Iam stuck in MM MM packet 3 (20:56:18)-  Thu Jul 5 2018

 

Transport:        UDP (IPv4)
PeerIP:            xxxxxxx
PeerPort:        500
Peer Name:        gw_CHINA

 

==> Sent to peer x.x.x.x

 

The parameters of Transform Payload - KEY_IKE like Encryption Algorithm, Key Length, Hash Algorithm, Authentication Method, Life Type,Group Description and Life Duration are equal on both sides.

0 Kudos
Georg_Reichau
Participant
‎2018-07-09 10:11 AM
In response to bam_oida

Have you checked the PSK again? MM3 should be part of the key exchange.

Otherwise, what type of VPN Tunnel Sharing is configured in the community?

If your phase 1 comes up again, you see the information in P2, if if needed you can try between the 3 options. I had some problems with 3rd party gateways in the past, when using "One tunnel per subnet pair" or "One tunnel per gateway pair" depending what the partner had configured.

0 Kudos
G_W_Albrecht
Legend
Legend
‎2018-07-05 04:13 AM

I would suggest to go thru sk108600: VPN Site-to-Site with 3rd Party.

CCSE CCTE SMB Specialist
0 Kudos
Nüüül
Advisor
‎2018-07-09 12:24 PM

Do you have access to the ASA to view the configuration / logs there...?

Most common issue is the "One tunnel per subnet pair" setting not set. Also I had some issues with pfs group set to higher than group5, for any reason, it only worked with group 5 or less.

Next one would be to have a look at the IPSEC and IKE session details on ASA side, to see, if your packets arive there but are not routed back correctly or other issues...

Labels