pix 520 5.3 to checkpoint NG vpn problem

pamirian76
Level 1

Hi,

I have a PIX 520 running version 5.3 and the peer is a Checkpoint NG.

I've downloaded the PDF document from Cisco, "Configuring an IPSec Tunnel Between a Cisco Secure PIX Firewall and a Checkpoint NG Firewall".

Everything was working fine, but the guys behind the Checkpoint were getting disconnected sometimes, so we decided to set the security-association lifetime to 86400 (that's 1 day) and the crypto ipsec transform-set pixset esp-des esp-sha-hmac.

It worked great for 2 weeks, but now they're getting disconnected, and when this happens, from what I've been told, they can't reconnect again for about 10 minutes. (Maybe the SADB gets cleared within 10 minutes??)

When I look in my log file I have these lines for that 10-minute period, not just one but a few:

%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=(my ip goes here) prot=esp, spi=0xdc525529(0)

I've done some research, and on cisco.com they say it's probably a synchronisation problem between the 2 peers.

Can it be related to the time on both ends? If on my PIX I have e.g. 14:30:50 (time) and the NG has 14:30:05, will this cause a problem?

Can it be my PIX software version? I have 5.3 and we're at 6.3 (I'm going to update it soon, but can it be the cause)?

Has anyone had this problem and actually solved it??

Thank you.
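The %PIX-4-402101 line above is the only evidence the post gives, so here is an added example (it is not from the original post, from Cisco, or from Check Point) that pulls that message out of a syslog feed and flags an SPI that keeps arriving for minutes on end. One stray packet with an unknown SPI is noise; the same unknown SPI repeating for the whole outage is what it looks like when the peer keeps sending on an SA this side has already discarded. Assumptions: the collector prefixes each line with a standard "Mon DD HH:MM:SS host" syslog header, the hostname is `pix`, the peer addresses are 192.0.2.x documentation addresses, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the message quoted in the post.  The leading timestamp/hostname is the
# syslog header a collector prepends (assumption: the post shows only the body).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>[\d.]+) prot=(?P<prot>\w+), spi=0x(?P<spi>[0-9a-fA-F]+)"
)

# Constructed sample: one SPI hammering in for ~9 minutes (the outage), one
# isolated stray SPI later, and one unrelated line that must be ignored.
SAMPLE_LOG = """\
Mar 03 14:30:05 pix %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1 prot=esp, spi=0xdc525529(0)
Mar 03 14:31:12 pix %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1 prot=esp, spi=0xdc525529(0)
Mar 03 14:33:40 pix %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1 prot=esp, spi=0xdc525529(0)
Mar 03 14:36:01 pix %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1 prot=esp, spi=0xdc525529(0)
Mar 03 14:39:27 pix %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1 prot=esp, spi=0xdc525529(0)
Mar 03 16:02:11 pix %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1 prot=esp, spi=0x1a2b3c4d(0)
Mar 03 16:05:00 pix some other message that the parser must skip
"""


def parse_line(line, year=2004):
    """Return a dict for a 402101 line, or None for anything else.
    Syslog headers carry no year, so one is supplied (assumption)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "dst": m["dst"], "prot": m["prot"], "spi": int(m["spi"], 16)}


def find_stale_spi_bursts(lines, window=timedelta(minutes=10), threshold=3):
    """Group invalid-SPI events by (destaddr, spi) and report every SPI seen at
    least `threshold` times inside any `window`: a burst, not a lone stray packet."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["dst"], ev["spi"])].append(ev["ts"])

    bursts = []
    for (dst, spi), times in events.items():
        times.sort()
        # Sliding window: any `threshold` consecutive hits closer than `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append({
                    "dst": dst,
                    "spi": spi,
                    "count": len(times),
                    "first": times[0],
                    "last": times[-1],
                    "duration": times[-1] - times[0],
                })
                break
    return bursts


if __name__ == "__main__":
    for b in find_stale_spi_bursts(SAMPLE_LOG.splitlines()):
        print(f"dst={b['dst']} spi=0x{b['spi']:08x} hits={b['count']} "
              f"from {b['first']:%H:%M:%S} to {b['last']:%H:%M:%S} ({b['duration']})")
```

Run it against the collector's copy of the PIX syslog; the timestamps it uses are the collector's, so a few seconds of clock offset between the PIX and the Checkpoint does not affect the grouping (IPsec SA lifetimes are negotiated as relative seconds, not wall-clock times). Each burst's first and last timestamps give the outage window to line up against the Checkpoint's own logs.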

3 Replies

cronustech
Level 1

Hi, did you ever resolve the issue above? We appear to be having a similar issue with a PIX 515 6.3(1) and a Checkpoint NG.

I would be grateful for any info you have.

Thanks

Trevor

Hi,

Well, the client had 2 Checkpoints, each with its own admin, in 2 different places.

My site-to-site works great with the first Checkpoint, configured by the 1st admin, but not with the second Checkpoint, configured by the second admin.

Unfortunately I don't know how Checkpoint works, so I'm unable to say what admin 1 has done to make his Checkpoint work.

But at least now the client knows that it is not related to my configs or my PIX.

Good luck.

Use the

debug crypto ipsec

debug crypto isakmp

I think this is the command, not sure... but look under debug.

It helped me a lot.

Hi there,

We are getting this pesky error:

decaps: rec'd IPSEC packet has invalid spi.

Did you manage to find a permanent solution ?

The only way I know is to manually type the command:

clear crypto isakmp sa

Hope to hear from you soon.

TQ