I am troubleshooting a VPN issue between an ASA5505 and a Check Point.
The VPN comes up fine and all traffic outbound from the ASA (Remote Site) is working fine.
However, at random periods during the day inbound traffic fails - this can last for up to 20 minutes. Then traffic starts to flow again.
The Check Point admin has identified this issue:
The Check Point by default tears down both the IKE and IPSec SA whenever the IKE Timer runs out while the ASA appears to only take down the IKE SA waiting to renew the IPSec SA until it times out. This causes the ASA to use an SA that is no longer available on the Check Point which results in the Check Point dropping the packets.
Is there a setting on the ASA that could resolve this issue, or does the fix need to be applied on the Check Point?
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
The ASA was running fine on 8.4 code - then following an upgrade to 9.1(6) this problem started to happen.
I have done a bit more research and the default timer on a Check Point seems to be 28800 - but I need to confirm this.
So I am looking at this change:
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
Thanks
Roger
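A quick way to check the lifetime mismatch the post describes before pushing the change: parse the IKEv1 policy and IPsec SA lifetimes out of an ASA config fragment and compare them against the peer's IKE lifetime. This is an added example, not code from the post or from Cisco; the config text is the fragment quoted above, the peer value 28800 is the Check Point default the post says still needs confirming, and the 86400 fallback is the documented ASA default for a policy with no `lifetime` line.

```python
import re

# Constructed sample: the ASA fragment quoted in the post
ASA_CONFIG = """\
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""


def parse_asa_lifetimes(config: str) -> dict:
    """Return {'ipsec': seconds or None, 'ikev1': {policy_number: seconds}}."""
    result = {"ipsec": None, "ikev1": {}}
    policy = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line)
        if m:
            result["ipsec"] = int(m.group(1))
            continue
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            policy = int(m.group(1))
            result["ikev1"][policy] = 86400  # ASA default when the policy has no lifetime line
            continue
        m = re.match(r"lifetime (\d+)$", line)
        if m and policy is not None:
            result["ikev1"][policy] = int(m.group(1))
    return result


def lifetime_findings(config: str, peer_ike_lifetime: int) -> list:
    """Flag phase-1 lifetimes that differ from the peer, and phase-2 lifetimes
    that are not shorter than the phase-1 lifetime they depend on."""
    lt = parse_asa_lifetimes(config)
    findings = []
    for policy, ike in sorted(lt["ikev1"].items()):
        if ike != peer_ike_lifetime:
            findings.append(f"policy {policy}: IKE lifetime {ike}s != peer {peer_ike_lifetime}s")
        if lt["ipsec"] is not None and lt["ipsec"] >= min(ike, peer_ike_lifetime):
            findings.append(f"policy {policy}: IPsec lifetime {lt['ipsec']}s not shorter than IKE lifetime")
    return findings
```

Run it once against the current config and once after editing `lifetime 86400` to `lifetime 28800`; the first run reports the phase-1 mismatch and the second reports nothing.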