ASA - Checkpoint VPN Site to Site Problem

Andres Franco
Level 1

Hello There, my best wishes to all of you.

I have this scenario:

ServerA(FTP)----DMZ-------ASA_Site1-----------------------Cloud---------------------------Checkpoint1_Site2-------Checkpoint2_Site2---------Inside-----ServerB(FTP)

We are trying to establish an IPSec site to site VPN between Cisco ASA and Checkpoint (as depicted above). We have checked interesting traffic, PSK, IKE Policies, and Transform Sets and everything seems to be ok. When defining the interesting traffic between ServerA and ServerB, everything works great, Phase 1 is established, as well as Phase 2 when we generate some pings. But if we try to generate any other kind of traffic (http, ftp) with the VPN being active, we start getting Phase 2 errors with SA. We have tried to change the interesting traffic to FTP but we get the same errors all the time. The guy handling the checkpoint said that for icmp traffic he sees the traffic on the logs of both checkpoints, but for any other type of traffic, it seems to reach only checkpoint 1 firewall. Any ideas? Suggestions? I have attached the ASDM logs for reference. Thanks in advance.

3 Replies

david.tran
Level 4

0- On your ASA, do you also terminate VPN clients as well?  If that is true, do you use "no-xauth" and "no-config" for the site-2-site VPN between your ASA and the Checkpoint firewall?  Otherwise, you will have issue(s).

1- Is the Lan-2-Lan VPN terminated between the ASA and Checkpoint1?

2- Is the checkpoint using "traditional mode" (I don't think anyone is using it anymore) or Simplified mode (aka VPN community)?

3- Checkpoint2 is just functioning only as a firewall, NOT VPN device, correct?

4- When ServerA pings ServerB, based on what you say, it is working because the firewall can see logs on both sides.  BUT, when ServerA pings ServerB, do you see an echo-reply on ServerA?  In other words, do you see the ping succeed?

Just because the checkpoint guy says he sees the logs of both checkpoints does NOT mean anything.  The way to verify this is to run "tcpdump" on checkpoint2 on the interface close to ServerB.  If he sees echo request outbound toward the server and echo-reply inbound to the checkpoint2 inside interface, then we can confirm that icmp is working.

5- "but for any other type of traffic, it seems to reach only checkpoint 1 firewall." In the log, he should see "decrypt" for checkpoint1.  The best thing to do is tcpdump on the checkpoint firewall; he should see ESP inbound on checkpoint1 facing the cloud.  Then, assuming that IPSec is working properly, he should see "unencrypted" traffic on the inside interface leaving checkpoint1 toward checkpoint2.

6- When everything fails, use "debug ike on" on Checkpoint and tcpdump or fw monitor to troubleshoot this kind of thing.

Wow, that was more than I expected for an answer. Thanks. Ok, now my turn to answer your questions:

0- On the ASA, yes, I terminate VPN clients for remote access. I didn't know this could be an issue. I will take into account your suggestion, I will try it and let you know.

1- Yes, the site 2 site VPN is terminated between ASA and checkpoint1.

2- Traditional VPN, traditional mode.

3- Yes checkpoint 2 is working only as a Firewall in this scenario.

4- No, I don't see echo replies. The problem is that the guy at the other end does not manage the server, he only takes care of the checkpoint (not me), so I have no way to perform tcpdumps unless I request this from him, but he didn't propose that. The person who manages ServerB has not been available; we were assuming (great mistake) that there could be a firewall on ServerB (the reason for no echo replies).

5&6- I will suggest this, I have no control over the checkpoint.

Do you have additional comments after reading my answers? Thanks a lot, the issue is clearer to me now.

Based on what you're telling me, I am not sure if the VPN is working at all.  The problem with ASA or Cisco devices in general is they lack the troubleshooting tools for issues like this, as your case clearly points out.  Anyway, here is what you need to do:

1- Tell the checkpoint person to perform tcpdump on checkpoint1 on the interface connected to the "cloud": tcpdump -nnni ethx host x.x.x.x (where ethx is the interface facing the cloud and x.x.x.x is your ASA outside interface).  If everything works, he should see isakmp (udp 500) and esp (proto 50) on this interface.

2- Perform on the checkpoint1 interface facing checkpoint2:  tcpdump -nnni ethx host a.a.a.a and host b.b.b.b (where ethx is the interface on checkpoint1 facing checkpoint2, a.a.a.a is serverA and b.b.b.b is serverB).  If everything works, he should see echo request on this interface heading toward the checkpoint2 external interface.  At this point it proves that your site-2-site VPN works properly.

3- Perform tcpdump on the checkpoint2 interface facing checkpoint1:  tcpdump -nnni ethx host a.a.a.a and host b.b.b.b (where ethx is the interface on checkpoint2 facing checkpoint1, a.a.a.a is serverA and b.b.b.b is serverB).  If that works, he should see echo request on the checkpoint2 external interface.

4- Perform tcpdump on the checkpoint2 interface facing serverB:  tcpdump -nnni ethx host a.a.a.a and host b.b.b.b (where ethx is the interface on checkpoint2 facing serverB, a.a.a.a is serverA and b.b.b.b is serverB).  If that works, he should see echo request leaving the checkpoint2 internal interface heading towards the server.

At this stage, assuming all of this is true, you have just proved the path from ServerA to serverB is good.  Now you need to prove the reverse is true.

5- In step 4, you should also see an echo-reply on the checkpoint2 interface facing serverB.  If you do NOT, it means serverB itself does not know how to route back to ServerA.

Now you get the idea.
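The five-capture-point walk in the reply above is mechanical enough to script once the tcpdump output has been collected. What follows is an added example, not code from this thread, from Cisco or from Check Point: it classifies tcpdump -nn lines (ISAKMP on udp/500, ESP, ICMP echo request/reply) and reports the first step of the reply's procedure at which the expected packet is missing. The addresses and the capture lines are constructed samples in documentation ranges, the capture-point names are my own, and the line layout assumes tcpdump's default -nn output format.

```python
"""Hop-by-hop check of the tcpdump evidence the reply asks for.

Added example, not part of the thread. Addresses and capture lines are
CONSTRUCTED samples; the line layout assumes default 'tcpdump -nn' output.
"""
import re

# Constructed addresses (RFC 5737 documentation ranges), not the thread's real IPs.
ASA_OUTSIDE = "203.0.113.10"     # x.x.x.x in the reply
CP1_EXTERNAL = "198.51.100.20"   # Checkpoint1 interface facing the cloud
SERVER_A = "10.1.1.5"            # a.a.a.a
SERVER_B = "10.2.2.5"            # b.b.b.b

# Patterns for the three packet kinds the reply wants to see.
ISAKMP_RE = re.compile(r"IP (\S+)\.500 > (\S+)\.500: isakmp")
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")

# (step number in the reply, capture-point key, interface description)
CLEARTEXT_POINTS = (
    (2, "cp1-to-cp2", "Checkpoint1 interface facing Checkpoint2"),
    (3, "cp2-external", "Checkpoint2 interface facing Checkpoint1"),
    (4, "cp2-inside", "Checkpoint2 interface facing ServerB"),
)


def classify(line):
    """Reduce one tcpdump line to (kind, src, dst); None for anything else."""
    m = ISAKMP_RE.search(line)
    if m:
        return "isakmp", m.group(1), m.group(2)
    m = ESP_RE.search(line)
    if m:
        return "esp", m.group(1), m.group(2)
    m = ICMP_RE.search(line)
    if m:
        return "echo-" + m.group(3), m.group(1), m.group(2)
    return None


def seen(lines, kind, src, dst):
    """True if any line at this capture point is `kind` from src to dst."""
    return any(classify(line) == (kind, src, dst) for line in lines)


def seen_either_way(lines, kind, a, b):
    return seen(lines, kind, a, b) or seen(lines, kind, b, a)


def diagnose(captures):
    """Walk the capture points in the reply's order and return (step, verdict).

    `captures` maps a capture-point key to the tcpdump lines taken there.
    step 0 means every check passed; otherwise it is the first failing step."""
    cloud = captures.get("cp1-cloud", [])
    # Step 1: the tunnel itself. ISAKMP proves phase 1 reaches Checkpoint1,
    # ESP proves phase 2 is actually carrying packets.
    if not seen_either_way(cloud, "isakmp", ASA_OUTSIDE, CP1_EXTERNAL):
        return 1, "no ISAKMP (udp/500) between the ASA and Checkpoint1: phase 1 is not reaching Checkpoint1"
    if not seen_either_way(cloud, "esp", ASA_OUTSIDE, CP1_EXTERNAL):
        return 1, "ISAKMP seen but no ESP (proto 50): phase 2 is not carrying any traffic"
    # Steps 2-4: the decrypted echo request must appear at every hop towards ServerB.
    for step, key, where in CLEARTEXT_POINTS:
        if not seen(captures.get(key, []), "echo-request", SERVER_A, SERVER_B):
            return step, f"echo request {SERVER_A} -> {SERVER_B} not seen on the {where}"
    # Step 5: the return path. The request arrived; did ServerB answer?
    if not seen(captures.get("cp2-inside", []), "echo-reply", SERVER_B, SERVER_A):
        return 5, "request reached ServerB's segment but no echo reply came back: ServerB is not routing (or answering) back to ServerA"
    return 0, "forward and return path verified at every hop"


def sample_captures(with_reply=True):
    """Constructed tcpdump -nn lines for each capture point (not real captures)."""
    req = f"12:00:00.000003 IP {SERVER_A} > {SERVER_B}: ICMP echo request, id 1, seq 1, length 64"
    rep = f"12:00:00.000004 IP {SERVER_B} > {SERVER_A}: ICMP echo reply, id 1, seq 1, length 64"
    return {
        "cp1-cloud": [
            f"12:00:00.000001 IP {ASA_OUTSIDE}.500 > {CP1_EXTERNAL}.500: isakmp: phase 1 I ident",
            f"12:00:00.000002 IP {ASA_OUTSIDE} > {CP1_EXTERNAL}: ESP(spi=0x0000abcd,seq=0x1), length 132",
        ],
        "cp1-to-cp2": [req],
        "cp2-external": [req],
        "cp2-inside": [req] + ([rep] if with_reply else []),
    }


if __name__ == "__main__":
    # The poster's situation: no echo replies, so the walk stops at step 5.
    print(diagnose(sample_captures(with_reply=False)))
    print(diagnose(sample_captures()))
```

In practice each list would be filled from the output of the tcpdump command the reply gives for that interface, and the capture-point keys used here are just labels for those four interfaces. Note that the checks deliberately stop at the first missing packet: a missing reply at step 5 only means something once the request has been confirmed on the ServerB-facing interface, which is exactly the ordering the reply insists on.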