Louis136208
Explorer

Site to Site VPN issue (Checkpoint To ASA)

Dear team,

Hope you are all doing great.

I am experiencing an issue with a previously working VPN tunnel connected to a server behind an ASA firewall. My side is running Checkpoint R81.2. The problem began yesterday, when I was configuring a route based VPN which I later deleted after it failed.

When I run a tracert to the VPN IP from inside my network, the traffic fails at my firewall with an "Insufficient message passed" error. I can send traffic to the other site, but I am not receiving any return traffic. The engineers on the server side are observing the same behavior: they can send traffic to me but cannot receive anything from my end.

The VPN logs on our Checkpoint firewall show the following error:

Connection terminated before the Security Gateway was able to make a decision: Insufficient data passed. To learn more see sk113479. First possible rule: Layer: Application & URL Filtering, Rule: 5. Missing classifier objects: 1: APPLICATION

I have confirmed that the VPN tunnel (Phase 1 and Phase 2) is establishing successfully, and basic routing appears to be correct. The issue seems to reside in the application filtering or inspection layer. I also checked the encryption settings for my VPN communities and those on the server — they match. There is currently no proxy between my side and the remote end.

Your contributions and insights into resolving this would be highly appreciated.


Thank you

0 Kudos
5 Replies
PhoneBoy
Admin

The error message has nothing to do with your VPN issue but is a function of your policy configuration.
This is described in the SK mentioned in the error message: https://support.checkpoint.com/results/sk/sk113479

What messages/errors are seen on the ASA side?

0 Kudos
Lesley
MVP Gold

What PhoneBoy said: the error is not related to the VPN. This simply means that there is no data in the connection. So there is a SYN, but no packets back or any data to work with.

We need some errors to work with. Try to search logs for the remote peer IP, as dst or as src. Do the same for the remote network range.

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
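One way to do the log search Lesley describes (peer IP as src or dst, plus the remote network range) and, at the same time, flag connections that were only ever seen in one direction, as an added example that is not part of this thread. The log lines are constructed in a simplified key=value shape, which is an assumption for the example and not the real Check Point log export format; the addresses are RFC 5737 documentation ranges standing in for the local LAN (192.0.2.0/24), the remote LAN behind the ASA (198.51.100.0/24) and the ASA's public VPN peer address (203.0.113.1).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (assumption: simplified key=value layout,
# not the real Check Point export format). Two of them carry the
# "Insufficient data passed" text from the original post.
SAMPLE_LOGS = """\
time=10:00:01 action=Accept src=192.0.2.10 dst=198.51.100.20 service=445 rule=12 info="encrypt"
time=10:00:04 action=Drop src=192.0.2.10 dst=198.51.100.20 service=445 rule=5 info="Insufficient data passed"
time=10:00:09 action=Drop src=192.0.2.11 dst=198.51.100.20 service=3389 rule=5 info="Insufficient data passed"
time=10:00:12 action=Accept src=203.0.113.1 dst=192.0.2.1 service=500 rule=3 info="IKE"
time=10:00:12 action=Accept src=192.0.2.1 dst=203.0.113.1 service=500 rule=3 info="IKE"
time=10:00:15 action=Accept src=192.0.2.50 dst=203.0.113.99 service=443 rule=20 info="internet"
"""

# key=value pairs, where the value may be quoted (info="...") or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def touches_peer(rec, peer_ip, remote_net):
    """True if src or dst is the VPN peer itself or lies inside the remote LAN."""
    for field in ("src", "dst"):
        addr = ipaddress.ip_address(rec[field])
        if addr == peer_ip or addr in remote_net:
            return True
    return False


def summarize(log_text, peer, remote):
    """Filter the log for the peer/remote range and report one-way endpoint pairs."""
    peer_ip = ipaddress.ip_address(peer)
    remote_net = ipaddress.ip_network(remote)
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    hits = [r for r in records if touches_peer(r, peer_ip, remote_net)]

    # For each unordered endpoint pair, remember which directions were ever logged.
    directions = defaultdict(set)
    for r in hits:
        directions[frozenset((r["src"], r["dst"]))].add((r["src"], r["dst"]))

    # Pairs seen in exactly one direction are the "SYN out, nothing back" cases.
    one_way = sorted(next(iter(seen)) for seen in directions.values() if len(seen) == 1)
    insufficient = [r for r in hits if "Insufficient data" in r.get("info", "")]
    return {
        "matches": len(hits),
        "insufficient_data": len(insufficient),
        "one_way_pairs": one_way,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS, "203.0.113.1", "198.51.100.0/24"))
```

On the constructed input, the IKE exchange with the peer shows up in both directions, while the two LAN-to-LAN connections appear only outbound and are the ones carrying the "Insufficient data passed" message, which is the pattern the original post describes. Run against a real export, the interesting output is the one-way pair list: it tells you which hosts are sending into the tunnel without ever seeing a reply.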
the_rock
MVP Platinum

I agree with the guys. Just to be thorough with this, I would do basic debug on both sides, it may give more info.

CP:

vpn debug trunc

vpn debug ikeon

-generate traffic

vpn debug ikeoff

Check ike* and vpnd* files in $FWDIR/log dir

Cisco:

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

to cancel all debugs-> undebug all

Best,
Andy
0 Kudos
HeikoAnkenbrand
MVP Platinum

If Phase 1 and Phase 2 are established for incoming and outgoing, the issue may also be caused by a few other problems:

  1. Check with the "vpn tu" tool whether you can see an incoming and an outgoing tunnel in Phase 2.
    # vpn tu

  2. Check whether the routing into the tunnel is correct.
    # fw tab -f -t vpn_routing -u

  3. Check whether “Disable NAT inside the VPN community” is enabled in the VPN Community’s “Advanced” settings. If not, try enabling it — this is a common mistake.

  4. On the ASA, the tunnel is rebuilt not only based on time settings but also after a certain amount of data (in MB) has been transferred. Check Point cannot handle this. Disable this setting on the ASA side.

  5. Check with tcpdump whether IPsec packets are being sent to the ASA. If you see packets there, the issue might also be on the ASA side.
    # tcpdump -nn -vv -i [vpn interface] host [external IP of ASA]

  6. Run a VPN debug as @the_rock (Andy) described.

  7. If that doesn’t help, send a screenshot of the error message in the log.

PS: 
Check Point normally uses policy-based VPN. On the ASA, you're using route-based VPN.
If you want to use route-based VPN on the Check Point side, you need to configure a VPN interface.



➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
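Step 5 of the list above (check with tcpdump whether IPsec packets leave for the ASA, and whether any come back) is the quickest way to decide which side owns the problem. As an added example that is not part of this thread, here is a small classifier for that capture: it counts ESP packets per direction between the gateway and the peer and turns the result into a verdict. The capture lines are constructed in a tcpdump-like shape (an assumption; the exact text tcpdump prints varies with version and flags), with 192.0.2.1 as the Check Point external interface, 203.0.113.1 as the ASA and 203.0.113.99 as an unrelated peer.

```python
import re
from collections import Counter

# Constructed tcpdump-style capture (assumption: approximate tcpdump layout).
# IKE on UDP 500 is control traffic and must not be counted as tunnel data;
# the UDP-encap line is NAT-T (UDP 4500) carrying ESP and must be counted.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others ? inf[E]
10:00:01.000200 IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc0ffee01,seq=0x1), length 164
10:00:01.000300 IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc0ffee01,seq=0x2), length 164
10:00:02.000400 IP 192.0.2.1.4500 > 203.0.113.1.4500: UDP-encap: ESP(spi=0xc0ffee01,seq=0x3), length 168
10:00:02.000500 IP 192.0.2.1 > 203.0.113.99: ESP(spi=0xabad1dea,seq=0x1), length 164
10:00:03.000600 IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 2/others ? inf[E]
"""

# src > dst with an optional trailing .port on each address, then an ESP header.
ESP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: .*?ESP\(spi=(0x[0-9a-f]+)"
)


def esp_packets(capture, local_ip, peer_ip):
    """Yield (direction, spi) for every ESP packet between local_ip and peer_ip."""
    for line in capture.splitlines():
        m = ESP_RE.search(line)
        if not m:
            continue  # IKE, non-ESP, or unparsable line
        src, dst, spi = m.groups()
        if (src, dst) == (local_ip, peer_ip):
            yield "out", spi
        elif (src, dst) == (peer_ip, local_ip):
            yield "in", spi


def tunnel_report(capture, local_ip, peer_ip):
    """Count ESP per direction and say which side of the tunnel to look at."""
    counts = Counter()
    spis = {"out": set(), "in": set()}
    for direction, spi in esp_packets(capture, local_ip, peer_ip):
        counts[direction] += 1
        spis[direction].add(spi)

    if counts["out"] and not counts["in"]:
        # Encrypted traffic leaves but nothing comes back: the ASA side or the path in between.
        verdict = "out_only"
    elif counts["in"] and not counts["out"]:
        # Peer sends ESP but we never encrypt: local routing / encryption domain.
        verdict = "in_only"
    elif counts["out"] and counts["in"]:
        # The tunnel itself carries both ways: look at policy, inspection or routing behind it.
        verdict = "bidirectional"
    else:
        # No ESP at all: traffic is not being routed into the VPN.
        verdict = "no_esp"

    return {
        "out": counts["out"],
        "in": counts["in"],
        "out_spis": sorted(spis["out"]),
        "in_spis": sorted(spis["in"]),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(tunnel_report(SAMPLE_CAPTURE, "192.0.2.1", "203.0.113.1"))
```

The SPI sets are worth keeping in the output: if outbound and inbound ESP use SPIs that neither side's `vpn tu` (or the ASA's `show crypto ipsec sa`) lists, you are looking at a stale SA rather than a live one. On the constructed capture the verdict is "out_only", which matches the symptom in the original post: our gateway is encrypting and sending, and the reply never reaches the external interface, so the next step is on the ASA side.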
the_rock
MVP Platinum

I would say these days MOST people would use route based VPN tunnels, that appears to be the norm anyway.

Best,
Andy
0 Kudos
