04-10-2022 02:49 PM
Hi Team,
We have an S2S VPN with IKEv1 configuration between Cisco Firepower ver 6.4.0.9 and Checkpoint (on AWS) ver R80.10.
All VPN parameters match exactly, but even though the VPN shows active, it does not allow any traffic flow a few hours before the Phase 1 lifetime expires.
The only way to make it work is doing a VPN Phase 1 reset, which immediately restores the tunnel. In the following days the issue reoccurs with the same logs and we have to perform the reset again.
We get following logs on Firepower:
%FTD-7-710006: ESP request discarded from <Remote GW IP> to Port-Channel-3.2003-External:<Local GW IP>
Is there a known issue between Cisco & Checkpoint, or could it be due to a configuration mismatch at one end? We have verified the VPN Phase 1 and Phase 2 config multiple times and it matches exactly. Any inputs would be helpful.
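As an added illustration (not from the thread), here is a small Python check that parses lines in the form of the %FTD-7-710006 message quoted above from an exported FTD syslog and flags any peer whose ESP discards cluster inside a short window, which is the pattern to correlate against the Phase 1 lifetime. The hostname, addresses and timestamps in the sample lines are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the message quoted in the post; interface name and IPs vary per deployment.
ESP_DISCARD = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) .*?%FTD-7-710006: "
    r"ESP request discarded from (?P<src>[\d.]+) to (?P<ifname>[^:]+):(?P<dst>[\d.]+)"
)

def parse_discards(lines):
    """Yield (timestamp, remote_gw, local_gw) for every %FTD-7-710006 line; skip others."""
    for line in lines:
        m = ESP_DISCARD.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
            yield ts, m.group("src"), m.group("dst")

def flag_peers(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {(remote_gw, local_gw): total_discards} for peers that hit `threshold`
    discards inside any sliding `window`. A burst like this while the SA still
    shows active is the symptom in the thread and a cue to inspect Phase 1."""
    events = defaultdict(list)
    for ts, src, dst in parse_discards(lines):
        events[(src, dst)].append(ts)
    flagged = {}
    for peer, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[peer] = len(stamps)
                break
    return flagged

# Constructed sample log (placeholder hostname and RFC 5737 addresses, not from the thread).
SAMPLE_LOG = [
    "Apr 10 2022 14:49:01 ftd01 : %FTD-7-710006: ESP request discarded from 203.0.113.10 to Port-Channel-3.2003-External:198.51.100.5",
    "Apr 10 2022 14:49:03 ftd01 : %FTD-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.99/443",
    "Apr 10 2022 14:49:07 ftd01 : %FTD-7-710006: ESP request discarded from 203.0.113.10 to Port-Channel-3.2003-External:198.51.100.5",
    "Apr 10 2022 14:49:12 ftd01 : %FTD-7-710006: ESP request discarded from 203.0.113.10 to Port-Channel-3.2003-External:198.51.100.5",
    "Apr 10 2022 16:30:00 ftd01 : %FTD-7-710006: ESP request discarded from 192.0.2.44 to Port-Channel-3.2003-External:198.51.100.5",
]

if __name__ == "__main__":
    for (remote, local), n in flag_peers(SAMPLE_LOG).items():
        print(f"peer {remote} -> {local}: {n} ESP discards in a burst, check Phase 1 / SA state")
```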
04-10-2022 03:26 PM - edited 04-10-2022 03:27 PM
IKEv1 or IKEv2?
With IKEv2, after Phase 2 finishes they build the key with PFS and then regenerate the key; if you do not enable this on both sides, the traffic is dropped.
04-11-2022 04:18 AM
Is the FTD set up for VPN correctly? What is your tunnel group configuration? If outbound is working and inbound is not working, then that means the FTD is not able to receive the VPN traffic properly.
What is the config in the show run cry map output?