Leader_Kiongi
Contributor

VPN Tunnel to Cisco ASA doesn't work

Hello,

We’ve set up a VPN tunnel from our Check Point DC firewall to a Cisco ASA firewall in Australia, but it doesn’t work. In the logs (and IKEView), we see: Auth exchange: Received notification from peer: Traffic selectors unacceptable MyTSi: <IPv4 Universal Range> MyTSr: <My Peer's public IP>.

 

We’ve tried what is proposed in sk157473, but no luck.

In IKEView (legacy_ikev2.xmll), during authentication, Check Point proposes "IPv4 Universal Range" as its own traffic selector and the IP of the peer as the TS for the peer, but the ASA refuses this in its response. Why doesn't Check Point propose its own public IP as the TS?
Can you help us find the issue?

Thanks in advance for your help.

Regards,

Alain

0 Kudos
22 Replies
G_W_Albrecht
Legend

Tried sk108600: VPN Site-to-Site with 3rd party yet?

CCSE CCTE CCSM SMB Specialist
0 Kudos
Leader_Kiongi
Contributor

Thanks @G_W_Albrecht. Yes, I already had a look at sk108600, but I don't see any scenario similar to my issue.

Regards,

Alain

G_W_Albrecht
Legend

Better contact TAC to get this resolved ASAP!

CCSE CCTE CCSM SMB Specialist
0 Kudos
Leader_Kiongi
Contributor

Yes, I already opened a ticket with our partner; we don't have direct support with Check Point. But no feedback from them yet.

0 Kudos
the_rock
Legend

Hey @Leader_Kiongi 

See if you can do the changes I proposed to Rich in the link below. Let us know if that helps.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Site-to-site-Disconnects-amp-Questions/m-p/175...

Leader_Kiongi
Contributor

Thanks @the_rock for your feedback. I could only change ike_p2_enable_supernet_from_R80.20, which can be changed on a per-community basis. ike_enable_supernet and ike_use_largest_possible_subnets are global properties, and changing those would have a huge impact on the VPN tunnels that are already working. The thing is that we have many other working tunnels with 3rd parties (Cisco, Fortinet etc.) with those settings set to true. I really don't understand.

 

Thanks !

Regards,

Alain 

0 Kudos
the_rock
Legend

No worries, I understand. I will tell you I have had people change those many times before without any issues. BTW, those values should be set to FALSE to begin with. But keep us posted on what TAC says.

Andy

0 Kudos
Leader_Kiongi
Contributor

Hi @the_rock,

I made the changes, pushed policy and reset the tunnel, but still the same error. Something curious is that the tunnel shows as up in SmartView Monitor, but ping doesn't work, and in SmartConsole and IKEView I see the error "Traffic selectors unacceptable". Check Point still proposes "IPv4 Universal Range" as the Traffic Selector, which is rejected by the ASA.

Any idea?

 

Thanks !

Regards,

Alain IKULA

0 Kudos
the_rock
Legend

How do you have the tunnel management tab configured inside the VPN community on the CP side? Can you send a screenshot please? That message tells me it does not like something about the phase 2 config.

Andy

0 Kudos
Wolfgang
Authority

@the_rock Andy is on the right track. The problem looks related to the tunnel management settings. Check your settings (subnet pair, gateway pair or host pair). The same must be defined on the Cisco ASA side; this is a common mistake.
Have a look at "Site to Site using IKEv2 fails with 'None of the traffic selectors match the connection'".

Is the ASA object configured as an interoperable device?

0 Kudos
the_rock
Legend

That's honestly the only thing left that makes sense to me. @Leader_Kiongi, here are the best Cisco VPN debug commands I got a while back from a guy who used to work in Cisco TAC. If you can have them run these, it should give better insight as well.

Andy

Debug VPN:

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

To cancel all debugs: undebug all

0 Kudos
Leader_Kiongi
Contributor

Thanks @Wolfgang. Unfortunately, I already tried all tunnel management options (host pair, network pair and gateway pair), but still the same result. Check Point keeps proposing "IPv4 Universal Range" as the Traffic Selector, but the ASA refuses it. Yes, I already had a look at sk157473, and yes, the Cisco ASA is configured as an interoperable device.
Thanks!

Regards,

Alain

0 Kudos
svori
Contributor

Now I am not sure which steps you have already taken or what Check Point version you are running, but there are some things I would try in an effort to rule out some issues.

IKE version: are you running v1 or v2 in the community? Possible to switch and test?

IPv4 summarization: the Check Point firewall is going to try to summarize the networks in the encryption domain, which will cause issues if the other end has two /24s, for example, and Check Point is presenting a /23.

Are there more VPN tunnels to this Check Point endpoint? Have you considered trying to use "Encryption Domain per Community"?

 

0 Kudos
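The summarization problem svori describes, and the "Traffic selectors unacceptable" symptom from the first post, reduce to a small amount of prefix arithmetic. The following is an added example, not code from Check Point, Cisco or anyone in this thread: it models the initiator building its TSi from an encryption domain with and without supernetting, and a responder either narrowing a too-wide selector to its own networks (RFC 7296, section 2.9) or insisting on an exact match. The supernetting step is approximated with `ipaddress.collapse_addresses()` (which only merges networks that form a larger exact prefix), the `allow_narrowing` knob and all network values are constructed assumptions, and the strict mode is only meant to reproduce what the thread observes, namely that the ASA refuses a universal-range selector.

```python
"""Model of how IKEv2 traffic selectors (TS) are proposed and judged.

Constructed example (not Check Point or Cisco code). It reduces two things
from the thread to plain ipaddress arithmetic:
  * the initiator summarising its encryption domain into supernets
    (the behaviour that ike_enable_supernet / ike_use_largest_possible_subnets
    influence on the Check Point side), and
  * the responder deciding whether the proposed TS matches its own
    configured domain, answering TS_UNACCEPTABLE when it does not.
Assumption: summarisation is approximated with collapse_addresses(), which
only merges networks that form an exact larger prefix; the real gateway
logic is more involved.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# IKEView shows 0.0.0.0-255.255.255.255 as "IPv4 Universal Range".
UNIVERSAL_RANGE = ipaddress.ip_network("0.0.0.0/0")


def proposed_selectors(encryption_domain: Iterable[str], supernet: bool) -> List[IPv4Net]:
    """Selectors the initiator would place in TSi for the given domain."""
    nets = [ipaddress.ip_network(n) for n in encryption_domain]
    if supernet:
        # Adjacent /24s become a /23, etc.: the summarisation the thread warns about.
        return list(ipaddress.collapse_addresses(nets))
    return sorted(nets)


def responder_accepts(proposed: Iterable[IPv4Net], peer_domain: Iterable[str],
                      allow_narrowing: bool) -> List[IPv4Net]:
    """Selectors the responder agrees to. An empty list means TS_UNACCEPTABLE.

    allow_narrowing=True models a responder that narrows a too-wide proposal
    down to its own configured networks (RFC 7296, section 2.9).
    allow_narrowing=False models a strict peer that insists on an exact match
    with one of its configured selectors, which is the behaviour the thread
    observes when the ASA rejects the universal range.
    """
    configured = [ipaddress.ip_network(n) for n in peer_domain]
    agreed = set()
    for ts in proposed:
        for local in configured:
            if ts == local:
                agreed.add(local)
            elif allow_narrowing and local.subnet_of(ts):
                agreed.add(local)   # narrow the wide proposal down to our network
            elif allow_narrowing and ts.subnet_of(local):
                agreed.add(ts)      # proposal is already narrower than our network
    return sorted(agreed)


def explain(encryption_domain: Iterable[str], peer_domain: Iterable[str],
            supernet: bool, allow_narrowing: bool) -> str:
    """One-line verdict in the spirit of the IKEView message."""
    peer_domain = list(peer_domain)
    tsi = proposed_selectors(encryption_domain, supernet)
    agreed = responder_accepts(tsi, peer_domain, allow_narrowing)
    if not agreed:
        return "TS_UNACCEPTABLE: proposed %s, peer expects %s" % (
            [str(n) for n in tsi], peer_domain)
    return "accepted: %s" % [str(n) for n in agreed]


if __name__ == "__main__":
    # Constructed domains: both sides are configured with the same two adjacent /24s.
    cp_domain = ["10.1.0.0/24", "10.1.1.0/24"]
    asa_domain = ["10.1.0.0/24", "10.1.1.0/24"]
    # Supernetting turns the two /24s into one /23, which a strict peer refuses.
    print(explain(cp_domain, asa_domain, supernet=True, allow_narrowing=False))
    # Without supernetting the selectors match exactly.
    print(explain(cp_domain, asa_domain, supernet=False, allow_narrowing=False))
    # The thread's symptom: universal range proposed, strict peer refuses it.
    print(explain(["0.0.0.0/0"], asa_domain, supernet=False, allow_narrowing=False))
    # A narrowing responder would instead trim the universal range to its own networks.
    print(explain(["0.0.0.0/0"], asa_domain, supernet=False, allow_narrowing=True))
```

Running it with the constructed domains shows the two failure modes side by side: the /23 built from two /24s is rejected by a strict peer even though every address in it is covered, and the universal range is rejected for the same reason. Comparing the proposed TSi printed in IKEView against the peer's configured selectors in this way is a quick sanity check before touching the supernet properties.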
Leader_Kiongi
Contributor

Thanks @svori. We're using IKEv2. Already tested with IKEv1, but same issue. What's curious is that the same settings are being used with another Check Point in Azure and it works. The only difference here is that my encryption domain is a test encryption domain with three /32 networks.

IPv4 summarization has been disabled by switching these 3 settings to FALSE using GUIDBedit:

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

 

I'm hopeless. No feedback yet from TAC.

 

Thanks !

Regards,

Alain

0 Kudos
the_rock
Legend

How is tunnel management configured? Can you send a screenshot please? I referred to it yesterday : - )

Andy

0 Kudos
Leader_Kiongi
Contributor

Hello @the_rock. Here you are:

 

Tunnel_Management.PNG

Since around 01:00 PM, the tunnel is up, though ping still doesn't work. My colleagues in Australia need to check if they see my incoming ping; maybe a firewall rule is missing, but traffic is now successfully encrypted in the tunnel. I think the change you proposed here https://community.checkpoint.com/t5/Security-Gateways/Site-to-site-Disconnects-amp-Questions/m-p/175... did the trick. We still have to confirm with colleagues in Australia on Monday. I'll keep you posted.

 

Thanks a lot guys for your support. This community is incredible.

 

Regards,

Alain

the_rock
Legend

@Leader_Kiongi Glad we can help, mate; it's always a team effort on here! Funny story... one time, I was on the phone with a TAC guy and the customer (a customer I know very well personally), and the TAC guy sends us a link and goes "Here is the link I found, this is the guy called rock on community and I think he knows lots of stuff", and the customer says to him "Hm, yeah, I always wonder who that dude is", and it took the support guy a few minutes to figure out it was me HAHAHA

We all laughed about it later, it was sort of funny lol

Though as I said in the post you referenced, I have been known to fix some issues here and there in the last 15 years, but nothing like community legend @PhoneBoy

Leader_Kiongi
Contributor

This is really funny. I'll mark it as the solution if our Australian colleagues confirm on Monday.

Have a nice weekend

 

Regards,

Alain

0 Kudos
the_rock
Legend

All good mate, just let us know if it gets resolved, that's way more important!

Cheers,

Andy

0 Kudos
Leader_Kiongi
Contributor

Confirmed! The issue can be marked as resolved. Thanks guys for your support.

the_rock
Legend

Glad it helped you, mate. As my good friend would say, we are after all brothers from different mothers helping each other out : - ). It's not Oscar Wilde, more IT geek type of poetry lol

Anyway, happy it all got sorted out.

Cheers, and don't hesitate to reach out directly if there are any issues down the road.

Andy 


the_rock
Legend

Apologies mate, forgot to attach a screenshot. This is what I was referring to.

Andy

 

Screenshot_1.png

0 Kudos