- CheckMates
IKEv2 VPN with Cisco ASA - unexpected tunnel
I noticed something odd about an IKEv2 VPN tunnel with a Cisco ASA. As far as I can tell, the VPN is working without any issues, but the ASA is creating an unexpected IPsec tunnel. If it is possible to clean up, that would be ideal, but if not, it doesn't seem to be causing any issues.
Setup:
- IKEv2
- Subnet-to-Subnet exchange
- Using NAT
The Check Point GW is running R81.10 Take 130, not sure of the Cisco ASA.
The Check Point is sending a public /29 to two different /32 devices on the ASA side. Running a debug shows that when the Cisco sends TSi for Create Child SA, it includes the following:
The first TSi with the ICMP protocol seems odd to me and the root of the issue. I have reached out to the other side with no response. Has anyone seen this before and know what setting / configuration might be causing this on the Cisco side?
Labels: Site to Site VPN
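As an added illustration (not from the thread or from either vendor), a small Python decoder for the IKEv2 Traffic Selector payload (RFC 7296, section 3.13) that flags selectors narrowed to a single IP protocol, the way the first TSi described above carries ICMP. The sample payload and the 198.51.100.x addresses are constructed, not taken from the poster's debug output.

```python
"""Decode IKEv2 Traffic Selector payloads (RFC 7296, section 3.13) and flag
selectors narrowed to one IP protocol, like the ICMP TSi in the post."""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
PROTO_NAMES = {0: "any", 1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}


def parse_ts_payload(body: bytes) -> list[dict]:
    """Parse a TSi/TSr payload body (bytes after the generic payload header):
    Number of TSs (1), RESERVED (3), then per selector TS Type (1), IP Protocol
    ID (1), Selector Length (2), Start Port (2), End Port (2), start/end address."""
    count, offset, selectors = body[0], 4, []
    for _ in range(count):
        ts_type, proto, length, sport, eport = struct.unpack_from("!BBHHH", body, offset)
        addr_len = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}[ts_type]
        if length != 8 + 2 * addr_len:
            raise ValueError(f"bad selector length {length} for TS type {ts_type}")
        start = ipaddress.ip_address(body[offset + 8:offset + 8 + addr_len])
        end = ipaddress.ip_address(body[offset + 8 + addr_len:offset + length])
        # Collapse the address range into CIDR blocks where it sits on a boundary.
        cidrs = [str(n) for n in ipaddress.summarize_address_range(start, end)]
        selectors.append({"proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
                          "ports": (sport, eport), "cidrs": cidrs})
        offset += length
    return selectors


def narrowed_selectors(selectors: list[dict]) -> list[dict]:
    """Selectors narrower than 'any protocol, all ports'. Offered next to a plain
    subnet selector, one of these yields an extra Child SA instead of one subnet pair."""
    return [s for s in selectors if s["proto"] != 0 or s["ports"] != (0, 65535)]


def build_ts(proto: int, start: str, end: str) -> bytes:
    """Encode one TS_IPV4_ADDR_RANGE selector covering all ports (for the sample)."""
    return (struct.pack("!BBHHH", TS_IPV4_ADDR_RANGE, proto, 16, 0, 65535)
            + ipaddress.IPv4Address(start).packed + ipaddress.IPv4Address(end).packed)


# Constructed sample TSi (documentation addresses, not the poster's): an ICMP-only
# selector for a /32 host ahead of the expected any-protocol selector for that host.
SAMPLE_TSI = (bytes([2, 0, 0, 0])
              + build_ts(1, "198.51.100.10", "198.51.100.10")
              + build_ts(0, "198.51.100.10", "198.51.100.10"))
```

Running narrowed_selectors(parse_ts_payload(SAMPLE_TSI)) returns only the ICMP selector, which is the entry to compare against what the peer's configuration is supposed to offer.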
Accepted Solutions
Okay, I went back and looked at the logs. This was a Check Point issue that was resolved by going to R81.10 JHF 131.
The issue was present, I applied the update, and I haven't seen the issue in the logs since.
Do you have the VPN community configured as "subnet pair"? Double-check whether the traffic selectors (encryption domains) are really 1:1 on both ends.
Jozko Mrkvicka
Yes, the community is set up as subnet pair. I do not have control over the other side, and since they are ghosting me, I have to take their word that everything is set up as a subnet on their end.
Though the TSi shows a subnet in the second value, it's the first value that is wrong.
Have a look at sk166417; IKEv2 narrowing is not isolated to Check Point, by the way.
I looked over that earlier; it's informative.
I know a guy I used to work with showed me how to fix this on the Cisco side. He used to work for Cisco TAC in India and said they used to see this issue all the time. Supposedly there was some sort of a bug in a certain version, but it was fixed later. Will see if I can find any notes about it.
Best,
Andy
Sounds good. I was also wondering if it was a certain Cisco version. I thought I had this issue with another Cisco VPN, but I am having a difficult time finding it at the moment; maybe they upgraded and resolved it.
I have a good buddy I also worked with, and he may know where the guy currently works, so let me see if we can get a hold of him :-). It's been probably 7 years since I dealt with Cisco, mind you only with ASA, but I have lots of commands from notes I took back in the day.
I will keep you posted on what I find.
Best,
Andy
Did you ever find anything?
Cheers
I upgraded to R81.10 JHF 131 and the issue is currently resolved from what I can tell. Not sure if the Cisco side has changed anything; I never heard back from the third party.
Let's check for this:
- https://support.checkpoint.com/results/sk/sk170857 (fixed in T131)
- Check for any duplicate objects related to hosts/subnets in your vpn tu tlist output. If found, delete them from management, install policy and reset the tunnel.
That could be related...
I have definitely had that bug on another tunnel, but this seems to be different as it's coming from the Cisco side.