cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
799
Views
5
Helpful
1
Replies
Highlighted

ASA <> Checkpoint S2S VPN troubles

Dear all,

I've been struggling to understand some debug output from my ASA which has a VPN configured with a remote checkpoint.

In short; the problem is within the P1 & P2 rekey timers. I've defined both timers as 28800 (8 hours). We've matched up these timers since Checkpoint firewalls will automatically delete P2 SA's after a P1 rekey. An ASA however will remain sending packets using the existing P2 SA until it's remaining lifetime runs out.

Having said that; the IPSec tunnel will go down every 6 hours. This is strange, since the timers have been set to 8 hours. After grabbing a debug output from the ASA I've found these two messages within the output of a succesful tunnel coming up:

2015-12-22,"13:26:17","Local5","Debug","ASA-HOSTNAME","%ASA-7-715080: Group = REMOTE_PEER, IP = REMOTE_PEER, Starting P1 rekey timer: 21600 seconds."
2015-12-22,"13:26:17","Local5","Debug","ASA-HOSTNAME","%ASA-7-715080: Group = REMOTE_PEER, IP = REMOTE_PEER, Starting P2 rekey timer: 24480 seconds."

This indicates that the rekey will take place before any of the actual defined timers run out. How is this possible?

Running the 'show crypto ikev1 sa detail' and 'show crypto ipsec sa peer *.*.*.*' validate that the timers are 28800 seconds. After clearing the tunnels, the remaining lifetime also matches up on both P1 and P2 and will show a value higher than the ones set in the debug output.

I'm wondering why these timer values are different in the debug logs opposite the actual configured values and the values produced by the show commands.

I hope somebody can shed some light on this!

-Hessel

1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

Hi Hessel

Hi Hessel

This behavior is completely normal, The lifetime is the maximum time the SA can be used for rekeying. The value you enter in the configuration as the lifetime is different from the rekey time of the SA. 

The rekey time must always be smaller than the lifetime in order to allow for multiple attempts in case the first rekey attempt fails.  The time will vary depending on the platform used, which software version, etc. 

If the ASA is the initiator it is normal that it will rekey at 75% of the lifetime set, this matches with the time that you are seeing for the rekey if your timer is 28800 then you should see the rekey at 21600 aprox

You can check this documentation for more information:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#vpndisc

View solution in original post

1 REPLY 1
Beginner

Hi Hessel

Hi Hessel

This behavior is completely normal, The lifetime is the maximum time the SA can be used for rekeying. The value you enter in the configuration as the lifetime is different from the rekey time of the SA. 

The rekey time must always be smaller than the lifetime in order to allow for multiple attempts in case the first rekey attempt fails.  The time will vary depending on the platform used, which software version, etc. 

If the ASA is the initiator it is normal that it will rekey at 75% of the lifetime set, this matches with the time that you are seeing for the rekey if your timer is 28800 then you should see the rekey at 21600 aprox

You can check this documentation for more information:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#vpndisc

View solution in original post