Erroneous SPI/child SA in IPSEC tunnel between Cisco ASA & Checkpoint

shenseung.lim
Level 1

Dear folks, I take much pleasure in greeting you and bidding you a good day.

A quick foreword is that I'm, by all means, a novice at best with regard to a peculiar issue that has come upon me. Allow me to relate some grounds with regard to the titular matter of malformed IPsec. I lay the matter out in search of thoughts from you wise ones who know a little of the ASA and also of Checkpoint's behavior with the ASA.

We are a hosting provider that hosts systems for customers.

We have on our end a trusty Cisco ASA 5545 (version 9.8.4.25), and the customer's end boasts a Checkpoint deployed in what is known as "VPN Domain" mode. I have no control over nor visibility into the Checkpoint, although in our conversations it was determined that the Checkpoint does a default super-netting in relation to negotiating the tunnel.

To date, we have taken the time to go through and match the tunnel parameters, and they appear intact without any quickly identifiable wins. The matter is an old one and has seen problems historically, right from the initial conception of the tunnel itself.

The mystery:
Whenever a "malformed" Child SA or IPsec SA appears on my ASA, a particular user subnet cannot reach the hosted systems.

To lay out the basics:
Hosted systems subnet: 10.10.61.0/24
The "problematic" subnet: 10.145.0.0/16


On a good day, when all is well and users are getting the connectivity they require, the child SA and IPsec SA are observed to be as such:
###############################################
###sh cry isa sa :###

IKEv2 SAs:

752220315 194.0.155.136/500 194.182.18.48/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:20, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/2143 sec

Child sa: local selector 10.10.61.0/0 - 10.10.61.255/65535
remote selector 10.145.0.0/0 - 10.145.255.255/65535
ESP spi in/out: 0x367cda1f/0x9c144c62

###sh cry ips sa : ###
access-list outside_cryptomap extended permit ip 10.10.61.0 255.255.255.0 10.145.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.10.61.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.145.0.0/255.255.0.0/0/0)
current_peer: 194.182.18.48

On bad days..... (when users come around as a mob):
###############################################

###sh cry isa sa :###

IKEv2 SAs:

752220315 194.0.155.136/500 194.182.18.48/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:20, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/2143 sec

Child sa: local selector 10.10.61.0/0 - 10.10.61.255/65535
remote selector 10.145.0.0/0 - 10.145.255.255/65535
ESP spi in/out: 0x367cda1f/0x9c144c62
Child sa: local selector 10.10.61.0/0 - 10.10.61.255/65535
remote selector 10.145.21.0/0 - 10.145.25.255/65535
ESP spi in/out: 0x367cda1f/0x9c144c62

###sh cry ips sa : ###

access-list outside_cryptomap extended permit ip 10.10.61.0 255.255.255.0 10.145.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.10.61.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.145.16.0/255.240.0.0/0/0)
current_peer: 194.182.18.48

So, when the baddies show up in the show outputs of the ASA is when I've observed that the users typically sound the alarms. Of course, the fix is to clear the IPsec SA, and this typically removes the malformed entries seen:

remote selector 10.145.21.0/0 - 10.145.25.255/65535

(10.145.16.0/255.240.0.0/0/0)

Typically, with the re-key, I see the malformed ones get cleared off.

We also had an expert help write an expect script, which runs from a crontab to reset the tunnel every midnight to ensure the next day will look better.

Even so, during productive hours, there are complaints coming in.

It is my thought that the 10.145.16.0/12 remote ident and also the weird 10.145.21.0 are something that comes down from the Checkpoint.

My rather unfinished thought and question is:

- While we have plans to upgrade the Checkpoint and to study not using supernetting on it, this will take quite a bit of navigation and downtime to plan and execute.

Meanwhile, on the ASA, is there any means I can employ to "deny" these Child SAs and IPsec SAs from forming in the first place?

It is also my belief that when these malformed entries appear, users' return traffic is split the wrong way, as there are double entries in the SAs.

My sincere thanks in advance, gents.

Happy networking :)
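The following is an added example and is not part of the original post, nor Cisco or Checkpoint code. It shows how the "bad day" child SA output above can be audited automatically against the crypto-map ACE that the tunnel is supposed to negotiate: every selector range is converted to a CIDR block and compared with the configured proxy ID, a range that is not CIDR-aligned at all (10.145.21.0 - 10.145.25.255 spans three prefixes) is flagged, a child SA that reuses the SPI pair of an earlier one is flagged, and an `ident` line whose address has host bits set under its mask (10.145.16.0/255.240.0.0 is not a valid network address; the /12 that contains it is 10.144.0.0/12) is reported as malformed. The sample text is constructed from the output quoted in the post, and all function names are hypothetical. Such a check could run over the output captured by the midnight expect script, or on demand when users raise the alarm, instead of waiting for a human to spot the second child SA by eye.

```python
"""Audit IKEv2 child SA traffic selectors on a Cisco ASA against the
crypto-map ACE they are expected to match.

Added example, not from the post or from Cisco. The sample text below is
constructed from the 'show crypto isakmp sa' / 'show crypto ipsec sa'
output quoted in the post; all function names are hypothetical.
"""
import ipaddress
import re

# Constructed: the crypto-map ACE from the post (the only proxy IDs the tunnel should carry).
CRYPTO_ACL = (
    "access-list outside_cryptomap extended permit ip "
    "10.10.61.0 255.255.255.0 10.145.0.0 255.255.0.0"
)

# Constructed: child SA section from a "good day".
GOOD_DAY_ISAKMP = """\
Child sa: local selector 10.10.61.0/0 - 10.10.61.255/65535
remote selector 10.145.0.0/0 - 10.145.255.255/65535
ESP spi in/out: 0x367cda1f/0x9c144c62
"""

# Constructed: child SA section from a "bad day" (a second, narrowed child SA appears).
BAD_DAY_ISAKMP = GOOD_DAY_ISAKMP + """\
Child sa: local selector 10.10.61.0/0 - 10.10.61.255/65535
remote selector 10.145.21.0/0 - 10.145.25.255/65535
ESP spi in/out: 0x367cda1f/0x9c144c62
"""

ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")
SEL_RE = re.compile(r"(local|remote) selector (\S+)/\d+ - (\S+)/\d+")
SPI_RE = re.compile(r"ESP spi in/out: (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")
IDENT_RE = re.compile(r"ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")


def parse_acl(ace):
    """Return (local_net, remote_net) from a 'permit ip A MASK B MASK' ACE."""
    m = ACL_RE.search(ace)
    if not m:
        raise ValueError("unrecognised ACE: %r" % ace)
    lsrc, lmask, rsrc, rmask = m.groups()
    return (ipaddress.ip_network("%s/%s" % (lsrc, lmask)),
            ipaddress.ip_network("%s/%s" % (rsrc, rmask)))


def parse_child_sas(text):
    """Return one dict per 'Child sa:' block with its selector ranges and SPI pair."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Child sa:"):
            cur = {}
            sas.append(cur)
        if cur is None:
            continue
        m = SEL_RE.search(line)
        if m:
            side, first, last = m.groups()
            cur[side] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        m = SPI_RE.search(line)
        if m:
            cur["spi"] = m.groups()
    return sas


def range_to_network(first, last):
    """Single CIDR block covering first..last, or None when the range is not CIDR-aligned."""
    nets = list(ipaddress.summarize_address_range(first, last))
    return nets[0] if len(nets) == 1 else None


def audit(ace, isakmp_text):
    """Flag child SAs whose selectors differ from the configured proxy IDs,
    and child SAs that share an SPI pair with an earlier one."""
    cfg = dict(zip(("local", "remote"), parse_acl(ace)))
    findings, seen_spi = [], {}
    for idx, sa in enumerate(parse_child_sas(isakmp_text)):
        for side in ("local", "remote"):
            first, last = sa[side]
            net = range_to_network(first, last)
            if net is None:
                findings.append((idx, side, "selector %s - %s is not a CIDR block" % (first, last)))
            elif net != cfg[side]:
                rel = ("narrower than" if net.subnet_of(cfg[side])
                       else "broader than" if net.supernet_of(cfg[side]) else "outside")
                findings.append((idx, side, "selector %s is %s configured %s" % (net, rel, cfg[side])))
        spi = sa.get("spi")
        if spi in seen_spi:
            findings.append((idx, "spi", "SPI pair %s/%s duplicates child SA %d" % (spi + (seen_spi[spi],))))
        else:
            seen_spi[spi] = idx
    return findings


def ident_network(ident_line):
    """CIDR block named by a 'local/remote ident' line of 'show crypto ipsec sa',
    or None when the address has host bits set under its mask
    (e.g. 10.145.16.0/255.240.0.0, which is not a valid network address)."""
    m = IDENT_RE.search(ident_line)
    if not m:
        raise ValueError("unrecognised ident line: %r" % ident_line)
    try:
        return ipaddress.ip_network("%s/%s" % m.groups())  # strict=True by default
    except ValueError:
        return None


if __name__ == "__main__":
    for label, text in (("good day", GOOD_DAY_ISAKMP), ("bad day", BAD_DAY_ISAKMP)):
        print(label, audit(CRYPTO_ACL, text))
    print(ident_network("remote ident (addr/mask/prot/port): (10.145.16.0/255.240.0.0/0/0)"))
```

The audit only detects the condition; it does not change what the ASA accepts. Paste the child SA section of `show crypto isakmp sa` into `audit()` and the `remote ident` line of `show crypto ipsec sa` into `ident_network()`; an empty findings list means every negotiated selector equals the configured proxy ID.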

1 Reply

shenseung.lim
Level 1

Any takers, please?