03-14-2007 08:24 AM - edited 02-21-2020 02:55 PM
I have a LAN-to-LAN tunnel between two sites working well but I have an intermittent problem when we connect more than one person from one site (VPN3020) to the same server in the other site (Checkpoint). The tunnel remains OK but there is no application traffic (in an intermittent way). I saw in the VPN logs that there is a continuous renegotiation of phase 2 just when the problem appears (in the file attached). This log is repeated the same every second. The tunnel is OK on both sides and there is no problem when it is used by only one person.
03-20-2007 07:08 AM
Check with your internet provider whether there is any CAR applied to your internet connection that pertains to bandwidth.
03-21-2007 04:19 PM
Most probably the network list on the concentrator does not fully match the encryption domain configured on the Checkpoint.
If the Checkpoint is configured on a host basis, and your network list is subnet based, you will run into these issues.
*Please rate if helped.
-Kanishka
07-30-2007 03:40 AM
Is this thread still active or did you find a solution? I have just had this problem myself and now have a working VPN.
07-30-2007 04:36 AM
I didn't find a solution. I have a Check Point firewall and I had to move my LAN-to-LAN tunnel from the Cisco VPN to the firewall, where the tunnel works correctly. If you found a solution, please tell me. Thanks.
07-30-2007 05:30 AM
The VPN was failing to initialise in phase two.
The Checkpoint was configured not to auto-summarise networks. Both ends had EXACTLY the same networks defined - this is where the problem lay. We had a supernet at each end of the VPN, e.g.:
Cisco
(End A) - 10.10.10.0 / 255.255.254.0
CPnt (security domain)
(End B) - 10.10.20.0 / 255.255.254.0
So according to instructions, configure the EXACT same networks at each end:
In Cisco VPN
local network 10.10.10.0 / 0.0.1.255 (W/card mask)
remote network 10.10.20.0 / 0.0.1.255
Now when the IKE negotiation takes place, the Checkpoint end fails it, because it breaks the supernetted networks down into individual class C's.
I configured the Cisco VPN to use networks:
local networks
10.10.10.0 / 255.255.255.0
10.10.11.0 / 255.255.255.0
remote networks
10.10.20.0 / 255.255.255.0
10.10.21.0 / 255.255.255.0
Once I'd done that both ends could initiate the VPN and came up stable.
Hope this helps, let me know how you get on.
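As an added illustration (not code from the thread or from either vendor), the following Python model shows why the exact-match rule above fails with supernets: the Check Point side is assumed, as the post describes, to break any encryption-domain network larger than a /24 into individual /24s before comparing phase 2 proxy IDs, while the concentrator proposes its network lists exactly as configured. The (local, remote) orientation and the helper names are constructed for the example.

```python
import ipaddress
from itertools import product

def cisco_network(addr, wildcard):
    """Turn a Cisco 'network / wildcard-mask' pair (as typed in the concentrator
    network list) into an IPv4Network. The wildcard mask is the bitwise inverse
    of the subnet mask, so 0.0.1.255 means /23."""
    mask_bits = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask_bits)}", strict=False)

def split_to_class_c(net):
    """Model the Check Point with auto-summarisation disabled: any network
    larger than a /24 is treated as its individual /24 (class C) subnets."""
    net = ipaddress.IPv4Network(net)
    return set(net.subnets(new_prefix=24)) if net.prefixlen < 24 else {net}

def cisco_proposals(local_list, remote_list):
    """Phase 2 proxy IDs the concentrator proposes: every (local, remote) pair
    from its network lists, exactly as configured."""
    return set(product(local_list, remote_list))

def checkpoint_acceptable(cp_domain, peer_domain):
    """Pairs the Check Point end accepts, seen from the Cisco side
    (local = Cisco's networks, remote = Check Point's), after splitting both
    domains into /24s. This orientation is a constructed simplification."""
    local = set().union(*(split_to_class_c(n) for n in peer_domain))
    remote = set().union(*(split_to_class_c(n) for n in cp_domain))
    return set(product(local, remote))

def phase2_mismatches(proposed, acceptable):
    """Proxy IDs with no exact counterpart: each one makes the SA negotiation
    fail and be retried, which is the every-second renegotiation in the log."""
    return proposed - acceptable

def compare_configs():
    """Constructed scenario from the post: returns (mismatches with the /23
    lists, mismatches with the explicit /24 lists)."""
    cp_domain = ["10.10.20.0/23"]   # End B as defined on the Check Point
    cisco_end = ["10.10.10.0/23"]   # End A as the Check Point sees it
    acceptable = checkpoint_acceptable(cp_domain, cisco_end)
    # Original (failing) concentrator config: one supernet per side.
    failing = cisco_proposals([cisco_network("10.10.10.0", "0.0.1.255")],
                              [cisco_network("10.10.20.0", "0.0.1.255")])
    # Fixed config: the supernets written out as individual /24s.
    fixed = cisco_proposals([ipaddress.IPv4Network(n) for n in ("10.10.10.0/24", "10.10.11.0/24")],
                            [ipaddress.IPv4Network(n) for n in ("10.10.20.0/24", "10.10.21.0/24")])
    return len(phase2_mismatches(failing, acceptable)), len(phase2_mismatches(fixed, acceptable))
```

Running `compare_configs()` gives one rejected proxy ID for the /23 lists and none once the /24s are listed explicitly, matching the outcome described in the post.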