cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1039
Views
0
Helpful
1
Replies

ASA VPN to Checkpoint traffic drop - Mismatch in IKE and IPSec SAs -

roger perkin
Level 2
Level 2

I am troubleshooting a VPN issue between an ASA5505 and and a checkpoint 

The VPN comes up fine and all traffic outbound from the ASA (Remote Site) is working fine 

However at random periods during the day inbound traffic fails - this can be up to 20 minutes. Then traffic starts to flow again. 

The checkpoint admin has identified this issue

The Check Point by default tears down both the IKE and IPSec SA whenever the IKE Timer runs out while the ASA appears to only take down the IKE SA waiting to renew the IPSec SA until it times out. This causes the ASA to use an SA that is no longer available on the Check Point which results in the Check Point dropping the packets.

Is there a setting on the ASA that could resolve this solution or does the fix need to be applied on the Checkpoint. 

crypto ipsec security-association lifetime seconds 3600

crypto ipsec security-association pmtu-aging infinite

crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

ASA was running fine on 8.4 code - then following an upgrade to 9.1(6) this problem started to happen. 

I have done a bit more research and the default timer on a Checkpoint seems to be 28800 - but need to confirm this. 

So am looking at this change 

crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800 <

Thanks

Roger

1 Reply 1

Philip D'Ath
VIP Alumni
VIP Alumni

Can you change over to using IKEv2?  IKEv2 is much more standardised around this sort of thing.  I suspect it would sort the issue out.

If you can enable DPD it will reduce the issue quite a bit as well.  I'm not sure that Checkpoint supports DPD.  This would only treat the symptom.