This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gacki
Participant
‎2022-12-20 12:46 AM

VPN SITE TO SITE

Hello,

I set up a vpn site to site with a partner, unfortunately after 30 minutes from setting up the vpn stops going through the second phase of IKE, what could be the problem?
We have the same vpn settings for phase 1 and phase 2

Thank you.

0 Kudos
11 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-12-20 01:30 AM

What about the peers details ? What is the error shown in logs ? 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2022-12-20 02:49 AM

VPN v1 or v2?

Start debug and see where is that failing. Hope you are aware of vpn debug commands?

vpn debug trunc

vpn debug ikeon

vpn debug on

 

once done

vpn debug ikeoff

vpn debug off

fw ctl debug 0

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-12-20 03:41 AM
In response to Blason_R

> VPN v1 or v2?

You mean IKE ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2022-12-20 09:37 PM
In response to G_W_Albrecht

That is correct - Wondering what was the IKE version and what is the tunnel type? Route based or policy based?

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-12-21 12:30 AM
In response to Blason_R

Did not answer...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Gacki
Participant
‎2022-12-21 12:33 AM
In response to Blason_R

Policy base, IKEv2

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-12-21 01:27 AM
In response to Gacki

So give us information - we only know that you have two VPN peers and use IKEv2, but no more details: no error messages, no log entries, so nobody can tell you anything usefull by now... 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-12-21 07:00 AM
In response to Gacki

I agree with @G_W_Albrecht . You did not give us much info, except its ikev2 and policy based. Thats great, but as he said, we need errors, logs you see, where it fails, phase 1, phase 2? @Blason_R provided you excellent basic VPN debug that TAC would ask you to do anyway, but you may as well call them and get this fixed, way better over remote.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-12-21 04:12 AM

I would suggest that you contact TAC - a quick RAS could find the issue easily and it will be resolved soon. As you do not want to explain anything here i see no other possible way...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2022-12-21 07:18 PM
In response to G_W_Albrecht

Or best way I would recommend is try disabling vpn acceleration. That has helped me lot many times.

vpn accel off -> This would reinitialize the IKE session.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Lloyd_Braun
Advisor
‎2022-12-21 10:39 AM

I have had issues with Cisco ASA VPN peers that leave their default vpn-idle-timeout at 30 minutes. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events