Thanks @G_W_Albrecht . Yes I already had a look at sk108600 but I don't see any scenario similar to my issue.

Regards,

Alain

Better contact TAC to get this resolved asap !

Yes already opened a ticket with our partner, we don't have direct support with Check Point. But no feedback from them yet.

Thanks @the_rock  for your feedback. I could only change ike_p2_enable_supernet_from_R80.20, which can be changed on community basis. ike_enable_supernet and ike_use_largest_possible_subnets are global properties and changing those would have a huge impact on the VPN tunnels that are already working. The thing is that we have many other working tunnels with 3rd parties (Cisco, Fortinet etc...) with those settings set to true. Really don't understand.

Thanks !

Regards,

Alain 

No worries, I understand. I will tell you I had people change those many times before without any issues. Btw, those values should be set to FALSE to begin with. But, keep us posted on what TAC says.

Andy

Hi @the_rock , 

I made the changes, pushed policy and reset the tunnel but still the same error. Something curious is that the tunnel shows as up in SmartView Monitor but ping doesn't work and in SmartConsole and IKEView I see the error "Traffic selectors unacceptable". Check Point still proposes "IPv4 Universal Range" as Traffic Selector, which is rejected by the ASA.

Any idea ?

Thanks !

Regards,

Alain IKULA

How do you have tunnel management tab configured inside vpn community on CP side? Can you send a screenshot please? That message tells me it does not like something about phase 2 config.

Andy

@the_rock Andy is on the right way. The problem looks like related to tunnel management settings. Check your settings (subnet pair or gateway pair or host pair) The same must be defined on the Cisco ASA site, this is a common mistake.
Have a look at Site to Site using IKEv2 fails with "None of the traffic selectors match the conection 

Is the ASA object configured as interoperable device ?

Thats honestly the only thing left that makes sense to me. @Leader_Kiongi , here is the best Cisco vpn debug commands I got while back from the guy who used to work in Cisco TAC. If you can have them run this, should give better insight as well.

Andy

debug vpn:

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

to cancel all debugs-> undebug all

Thanks @Wolfgang @ . Unfortunately, I already tried all tunnel management options (host pair, network pair and gateway pair) but still the same result. Check Point keeps proposing "IPv4 Universal Range" as Traffic Selector, but ASA refuses it. Yes I already had a look at sk157473 and yes Cisco ASA is configured as interoperable device
Thanks !

Regards,

Alain

Now i am not sure which steps you already have taken or what Check Point version you are running but

there are some things i would try in an effort to rule out some issues.

IKE Version, are running v1 or v2 in the community ? Possible to switch and test ?

IPv4 summarization, Check Point fw is going to try to summarize the networks in the encryption domain which will cause issues if the other end has 2 /24's for example and Check Point is presenting a /23.

Are there more VPN tunnels to this Check Point endpoint ? Have you considered trying to use "Encryption Domain per Community"

Thanks @svori . We're using IKEv2. Already tested with IKEv1 but same issue. What's curious is that same settings are being used  with another Check Point in Azure and it works. The only difference here is that my encryption domain is a test encryption domain with three /32 networks. 

IPv4 summarization has been disabled by switching those 3 settings to FALSE using GUIDBedit: 

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

I'm hopeless. No feedback yet from TAC.

Thanks !

Regards,

Alain

How is tunnel management configured? Can you send a screenshot please? I referenced to it yesterday : - )

Andy

Hello @the_rock. Here you are:

Since around 01.00 PM, tunnel is up, though ping still doesn't work. My colleagues in Australia need to check if they see my incoming ping and maybe firewall rule is missing but traffic is now successfully encrypted in the tunnel. I think the change you proposed here https://community.checkpoint.com/t5/Security-Gateways/Site-to-site-Disconnects-amp-Questions/m-p/175... made the trick. We still have to confirm with colleagues in Australia  on Monday. I'll keep you posted.

Thanks a lot guys for your support. This community is incredible

Regards,

Alain

@Leader_Kiongi Glad we can help mate, its always team effort on here! Funny story...one time, I was on the phone with TAC guy and the customer (customer I know very well personally) and TAC guy sends us a link and he goes "Here is the link I found, this is the guy called rock on community and I think he knows lots of stuff" and customer says to him "Hm, yea, I always wonder who that dude is" and it took support guy few minutes to figure out it was me HAHAHA

We all laughed about it later, it was sort of funny lol

Though as I said in the post you referenced, I had been know to fix some issues here and there in last 15 years, but nothing like community legend @PhoneBoy 

This is really funny. I'll mark as solution if our Australian colleagues confirm on Monday.

Have a nice week-end

Regards,

Alain

All good mate, just let us know if it gets resolved, thats way more important!

Cheers,

Andy

Confirmed! The issue can be marked as resolved. Thanks guys for your support

Glad it helped you mate. As my good friend would say, we are after all brothers from different mothers helping each other out : - ). Its not Oscar Wilde, more IT geek type of poetry lol

Anyway, happy it all got sorted out.

Cheers and dont hesitate to reach out directly if any issues down the road.

Andy 

Apologies mate, forgot to attach a screenshot. This is what I was referring to.

Andy