Maxim_Medvedev
Contributor

Strange issue: Check Point R77.30 site-to-site VPN with Cisco ASA

There is a site-to-site VPN with a Cisco ASA in a Meshed community. Only two gateways are participating.
We use Check Point R77.30; the other side uses a Cisco ASA.
The VPN Domain includes several networks on both sides.

Two newly added networks don't work: I can see packets from our networks being successfully encrypted, but no return traffic follows. As the partner assured me that he had also added the network on his side, I suggested that Check Point summarizes networks and there is a problem with the IPsec SA.

I tried to find out how Check Point creates IPsec SAs via the "fw tab" command, but found nothing.

(Looking ahead, the partner had just forgotten to add these new networks to the Cisco ASA config)))))

At last I found a discussion of a similar problem, where it was recommended to change the "VPN Tunnel Sharing" option in "Tunnel Management" from "One tunnel per subnet pair" to "One tunnel per each pair of hosts".
This didn't help, and I returned the option to "One tunnel per subnet pair".

From that point strange behavior started: some of our hosts could not get access to partner hosts; the next time these hosts got access, but others lost it. This didn't depend on the network.
Finally I filtered SmartView Tracker by Action = Key Install and Source = VPN Community Name and found that there were these records:

IKE: Quick Mode completion [UDP (IPv4)].
IKE IDs: subnet: 10.1.0.0 (mask= 255.255.0.0) and subnet: 192.168.0.0 (mask= 255.255.255.0)

IKE: Quick Mode completion [UDP (IPv4)].
IKE IDs: host: 10.1.2.30 and host: 192.168.0.4

That is, there were an SA for the networks and an SA for hosts inside these networks at the same time.

From the Cisco ASA it looks the same:

sh crypto ipsec sa peer X.X.X.X

Crypto map tag: outside_map, seq num: 1160, local addr: Y.Y.Y.Y

access-list VPN extended permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.0.0 
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: X.X.X.X

access-list VPN extended permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.0.0 
local ident (addr/mask/prot/port): (192.168.0.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.1.2.30/255.255.255.255/0/0)
current_peer: X.X.X.X

The problem was solved after resetting the tunnel from the Cisco ASA side.

The questions are:

1. What exactly does the "VPN Tunnel Sharing" option do for non-Check Point peers? The Administration Guide says that this option works only in a Check Point environment.

2. How can I check the networks within an SA? Is there any CLI command similar to Cisco's "sh crypto ipsec sa"?
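The check the poster did by eye in SmartView Tracker (a subnet-pair SA and a host-pair SA covering the same hosts, live at the same time) can be automated over exported "Key Install" records. This is an added example, not code from the post or from Check Point; the log lines are constructed to match the format quoted above, and the overlap test is a plain comparison of the IKE ID selectors.

```python
import ipaddress
import re

# Constructed sample, modelled on the "IKE: Quick Mode completion" records quoted in the post.
SAMPLE_LOG = """\
IKE: Quick Mode completion [UDP (IPv4)].
IKE IDs: subnet: 10.1.0.0 (mask= 255.255.0.0) and subnet: 192.168.0.0 (mask= 255.255.255.0)
IKE: Quick Mode completion [UDP (IPv4)].
IKE IDs: host: 10.1.2.30 and host: 192.168.0.4
IKE: Quick Mode completion [UDP (IPv4)].
IKE IDs: host: 10.1.5.7 and host: 172.16.9.9
"""

# Matches "subnet: A.B.C.D (mask= M.M.M.M)" or "host: A.B.C.D"; the mask group is empty for hosts.
ID_RE = re.compile(r"(subnet|host): (\d+\.\d+\.\d+\.\d+)(?: \(mask= (\d+\.\d+\.\d+\.\d+)\))?")


def parse_ike_id(kind, addr, mask):
    """Turn one IKE ID into an ip_network; a host ID becomes a /32."""
    if kind == "subnet":
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(f"{addr}/32")


def parse_quick_mode_sas(text):
    """Return a list of (local, remote) selector pairs, one per 'IKE IDs:' line."""
    sas = []
    for line in text.splitlines():
        if not line.startswith("IKE IDs:"):
            continue
        ids = ID_RE.findall(line)
        if len(ids) != 2:  # malformed or truncated record: skip rather than guess
            continue
        sas.append(tuple(parse_ike_id(*i) for i in ids))
    return sas


def find_overlapping_sas(sas):
    """Pairs of SAs whose selectors overlap on BOTH sides, e.g. a host pair inside a subnet pair.
    Overlap on one side only (third sample line) is normal and is not reported."""
    overlaps = []
    for i in range(len(sas)):
        for j in range(i + 1, len(sas)):
            a, b = sas[i], sas[j]
            if a[0].overlaps(b[0]) and a[1].overlaps(b[1]):
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    for a, b in find_overlapping_sas(parse_quick_mode_sas(SAMPLE_LOG)):
        print(f"overlapping SAs: {a[0]}<->{a[1]} and {b[0]}<->{b[1]}")
```

Any pair reported is a candidate for the "some hosts work, others don't" symptom described above, and is worth checking against the peer's "sh crypto ipsec sa" idents.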

11 Replies