Create a Post
Showing results for 
Search instead for 
Did you mean: 

Strange issue Checkpoint R77.30 site-to-site VPN with Cisco ASA

There is VPN site-to-site with Cisco ASA in Meshed community. Only two gateways paticipating.
We use Checkpoint R77.30, other side uses Cisco ASA.
VPN Domain includes several networks at both sides.

Two newly added networks doesnt works: I can see packets from our networks being successfully encripted, but no return traffic followed. As partner assured me, that he also added network from his side, I suggested that Checkpoint summarize networks and there is a problem with ipsec sa.

I tried to find out how Checkpoint creates ipsec sa via "fw tab" command, but found nothing.

(Looking ahead, partner just forgot add this new networks in Cisco ASA config)))))

At last I fount the discussion of similar problem, there were recommended to change "VPN Tunnel Sharing" option in "Tunnel Management" from "One tunnel per subnet pair" to "One tunnel per each pair of hosts"
This doesn't help and I returned option to "One tunnel per subnet pair".

From that point strange behavior started: some our hosts cannot get access to partner hosts, next time this hosts got access, but other lost it. This doesn't depend on network.
Finally I filtered SmartView tracker by Action = Key Install and Source = VPN Comunity Name and found that there were records:

IKE: Quick Mode completion [UDP (IPv4)].
IKE IDs: subnet: (mask= and subnet: (mask=

IKE: Quick Mode completion [UDP (IPv4)].
IKE IDs: host: and host:

That is, there were SA for networks and SA for host inside this networks at the same time.

From Cisco ASA it looks the same:

sh crypto ipsec sa peer X.X.X.X

Crypto map tag: outside_map, seq num: 1160, local addr: Y.Y.Y.Y

access-list VPN extended permit ip 
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer: X.X.X.X

access-list VPN extended permit ip 
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer: X.X.X.X

Problem solved after resetting tunnel from Cisco ASA side.

The question is:

1. What exactly do "VPN Tunnel Sharing" option for non Checkpoint peers? Administration Guide says that this options works only in Checkpoint environment.

2. How can I check networks within SA? Is there any cli command similar to Cisco "sh crypto ipsec sa"?

11 Replies
This widget could not be displayed.