TroubleGalore
Participant

VPN issue Cisco ASA - Checkpoint

Hi

We are experiencing an issue between our Checkpoint FW-1 R80.10 and Cisco ASA. The tunnel establishes fine with P1 and P2, but after some time there is some sort of re-keying issue and the other side needs to reset the tunnel to get the traffic flowing again. We have checked lifetimes and proxy identities several times and cannot find any issue there.

 

We switched from IKEv2 to IKEv1 because of some issues some months ago, but after we changed to IKEv1 the tunnel was stable for a couple of months before we started having the constant issues we have now. A reset is needed more or less once a day.

 

With ikedebug I can see some sort of deletes being sent, and I can see the Check Point is sending P1 packets every minute even though the tunnel is up and working. But eventually something times out(?) and a reset needs to be done. The P2 negotiations with subnet pairs happen as they should.

 

I have tried changing ike_keep_child_interoperable_device to true via GuiDBedit without any noticeable improvement.

Any suggestions at all? The P1 and P2 timers are both set to 8 hours. As this is a prod environment there is a limit to the debug I can run.

 

10 Replies
the_rock
Advisor

Hi... is Keep IKE SAs checked in Global Properties? Also, when this happens, what does a basic IKE debug show?

0 Kudos
TroubleGalore
Participant

Hi Rock, no, keep_IKE_SAs is not checked...

In "VPN Advanced Properties" => "VPN IKE Properties", ike_handle_initial_contact and ike_handle_frags are checked. ike_send_initial_contact and keep_IKE_SAs are unchecked.

The ikedebug shows that after some period of time my end starts sending phase 1s every minute. This goes on until we start trying to make new phase 2s (QM); they fail, and until the tunnel is reset on the remote side new phase 2s do not work.

 

 

the_rock
Advisor

Could you check that option (Keep IKE SAs), push the policy and test? I also remember a few times, and don't ask me why because I never got a logical answer to that question, but there is an option in the gateway properties under Connection Persistence to keep all connections, so you can try both things and see how it goes.

TroubleGalore
Participant

We tried, but it did not help. We also increased the P1 lifetime to 24 hours. The error did happen less frequently. After hours of looking into IKEView and a suggestion from CP, it seems like we are running into sk118792. Hopefully we can get a hotfix for this asap. Waiting for it.

Timothy_Hall
Champion

Thanks for the follow-up. I don't think I have ever run into that 2-minute timeout mentioned in sk118792, but it makes sense.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
_Val_
Admin

How much time it takes for the VPN to start failing? Is it always the same time period after resetting? Also, anything similar to the issue described in sk115275 & sk116776?

TroubleGalore
Participant

It is after some time, with no apparent pattern. The lifetimes right now are 8 hours for phase 1 and 2. It seems a little bit random, but it is never during the first 8 hours at least 😕

Timothy_Hall
Champion

The Delete SA functionality does not work properly between different vendors most of the time.  As such if one side brings down the tunnel prior to SA lifetime expiration for any reason, the tunnel can get stuck so you have got to make sure they match between the two sides.  On Check Point SA lifetimes are expressed in minutes for Phase 1 and seconds for Phase 2, so for 8 hours they should be 480 and 28800, respectively.  Recommendations:

1) SA Lifetimes on the Cisco side should be 28800/28800.  DO NOT trust what the other administrator tells you they are set to, ask for a screenshot of the config with these values set for your tunnel.  I believe you can verify what lifetimes the two sides are specifying in your IKEview traces if you still don't believe the other administrator.  🙂

2) On the Cisco side, make sure the data lifesize is set to an unreachably high value (I don't think it can be flat-out disabled) as that can cause an early tunnel termination and hang.

3) Not sure if this applies anymore, but make sure the VPN tunnel idle timer is DISABLED on the Cisco as that can cause an early tunnel termination as well.

4) Set all checkboxes on Global Properties...Advanced...Configure...VPN Advanced Properties...VPN IKE Properties.  Note that these are global properties and may impact other tunnels.

5) Failing all of the above, enable Permanent Tunnels in DPD mode and have the Cisco enable DPD as well.  See Scenario 5 of sk108600: VPN Site-to-Site with 3rd party.  More of a workaround than a solution, but will allow the two sides to recover themselves when a hang occurs.

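What recommendations 1, 2, 3 and 5 above look like when applied on the Cisco ASA side, as an added example that is not part of the original thread or any participant's configuration. The peer address 203.0.113.10, the group-policy name CP-L2L-GP and the IKEv1 proposal (AES-256/SHA/group 14) are placeholders chosen for this example; the one figure taken from the thread is the 8-hour lifetime, which is 28800 seconds on the ASA and 480 minutes (P1) / 28800 seconds (P2) in the Check Point VPN community.

```cisco
! Added example (not from the thread): ASA 8.4+ IKEv1 L2L tunnel settings
! matching Timothy_Hall's recommendations. Peer IP, names and ciphers are
! placeholders; the lifetime value 28800 s (8 h) is the one from the thread.

! 1) Phase 1 (IKEv1 SA) lifetime: 28800 s = 8 h = 480 min on Check Point.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800

! 1) Phase 2 (IPsec SA) lifetime: 28800 s, identical on both sides.
! 2) Data lifesize set to unlimited so a volume-based rekey can never
!    tear the SA down ahead of the time-based lifetime.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes unlimited

! 3) VPN idle timer disabled via the group policy this tunnel uses.
group-policy CP-L2L-GP internal
group-policy CP-L2L-GP attributes
 vpn-tunnel-protocol ikev1
 vpn-idle-timeout none

! 5) DPD on the ASA: probe after 10 s of silence, retry every 2 s.
!    Pair this with Permanent Tunnels in DPD mode on the Check Point side
!    (sk108600, scenario 5) so both ends recover from a hung SA.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy CP-L2L-GP
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <replace-me>
 isakmp keepalive threshold 10 retry 2
```

Two checks worth asking the Cisco administrator for instead of a verbal "it's set to 8 hours": `show running-config crypto ipsec` (the global lifetime and lifesize) and `show running-config crypto map` (a `set security-association lifetime` on the crypto map entry overrides the global value for that peer and is easy to miss). `show crypto ipsec sa peer 203.0.113.10` then shows the lifetime the live SA actually negotiated, which is what should agree with the IKEView trace on the Check Point side.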
TroubleGalore
Participant

Hi Timothy

1) Those are the values right now, but we have agreed to raise phase 1 to 24 hours; if anything, perhaps the problem will be less frequent.

2) They have set the data lifetime to "unlimited", and I have also seen in IKEView that the phase 1 proposals look correct.

3) Will investigate.

4) OK, must check this out, as we don't have a check on keep_IKE_SAs or ike_send_initial_contact.

5) OK, will see if this is feasible as a last resort. I have not used the Permanent Tunnels configuration before.

 
