This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Amit_Singh3
Explorer
‎2018-08-24 07:35 AM

Site to Site VPN - Check Point R80.10 to Cisco ASA - Troubleshooting

Moderators Note: the original poster removed the origins content of this post. However, the replies to this post may be useful if you're trying to troubleshoot a VPN between Check Point and Cisco.

6 Replies
PhoneBoy
Admin
Admin
‎2018-08-24 11:17 AM

Some additional debugging steps here: VPN Site-to-Site with 3rd party 

In general, if you can establish tunnels one way but not the other, this points to a difference in how each side is defining it's encryption domain.

Timothy_Hall
Champion
Champion
‎2018-08-25 07:28 AM

As a quick test, try setting VPN Tunnel Sharing to "pair of hosts" in the Community settings and reinstalling policy.  If A can now initiate to B it is definitely a subnet/Proxy-ID/encryption domain issue in IKE Phase 2.  However just because this setting makes it work DOES NOT mean you should just leave it set to that and call it good, as this setting can result in a very large number of Phase2/IPSec tunnels being formed.   Set it back to "pair of subnets" then take a look at Scenario 1 in the SK Phoneboy posted.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Watch My 2023 CPX360 Speech Titled "Max Power
Reloaded: R81+ Gateway Performance Innovations"
Yuri_Slobodyany
Collaborator
‎2018-08-25 09:23 PM
In response to Timothy_Hall

Can't count how many times, especially CP vs Cisco ASA this fixed the problem - changing from "tunnel per subnet" to "tunnel per hosts" Smiley Happy . The drawback is it does create lots of tunnels this way loading the firewall.

And by the way I saw it happening just out of the blue - no config changes on either side, encryption domains match 1 to 1, still either one direction of VPN stops working, or even some specific hosts in the same network get dropped.

PS For advocates of "it is  a hack!" , "quick fixes are bad", "you should debug the issue, recompile the firewall code, fix the bug" - (if you come from another planet) in the capitalism, who pays the money decides what is good for him/her, and when presented with either quick fix or fundamental/taking from hours to days debug the client still wants 'quick-fix' - you do what the client asks.

https://www.linkedin.com/in/yurislobodyanyuk/
Matan_Suissa
Employee
Employee
‎2018-08-29 12:42 AM
In response to Timothy_Hall

Hey Timothy. 

Please look at sk108600 scenario 1. I think it will solve your problem Smiley Happy. If you have additional 3rd party issues I will be glad to assist.

Thanks.

0 Kudos
Matan_Suissa
Employee
Employee
‎2018-08-26 01:13 AM

Hey.

Its interesting that checkpoint is doing nat.

can you please check what are the values that you have in this setting:

Advanced NAT-T Configuration

These variables are defined for each gateway and control NAT-T for site-to-site VPN:

Item

Description

Default Value

offer_nat_t_initator

Initiator sends NAT-T traffic

true

offer_nat_t_responder_for_known_gw

Responder accepts NAT-T traffic from known gateways

true

force_nat_t

Force NAT-T even if there is no NAT-T device

false

The variables can be viewed or changed in GuiDBedit under:

TABLE > Network Objects > network_objects > <gateway_object> > VPN.

Thanks, 
Hugo_vd_Kooij
Advisor
‎2018-08-28 03:49 AM

Some things to considere:

 - Check Point VPN-1 can supernet networks and this is not accepted by most other parties. (Documented in Secure Knowledge)

 - Cisco ASA can accept things in phase 2 which are not right on initial contact but refuse them later on when it is time to rekey. (Thanks for Cisco TAC engineer for sharing that gold nugget of wisdom as it is not documented.)

While none of these may apply it is good to understand that every vendor has it's little features to make troubleshooting interesting.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>