Hey guys! We are configuring a site-to-site to a Check Point gateway. Although it initially appears to be working, with phase 1 and phase 2 being successful, the phase 2 portion keeps restarting.
All we can see from the log is that the router is sending a delete. The other side presents no errors. I'm copying the log below.
We can't figure out why it is sending this delete... Originally we thought it was because the lifetimes did not match, but they are both set to use 3600 seconds and 4608000 KB. All parameters are matching...
Any thoughts on what could be going on?
un 18 12:53:05.780 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at Y.Y.Y.Y
Jun 18 12:53:13.140 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 18 12:53:16.784 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 18 12:53:16.784 UTC: Delete IPsec SA by DPD, local X.X.X.X remote Y.Y.Y.Y peer port 500
Jun 18 12:53:16.784 UTC: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= xxxxxxxx, sa_proto= 50,
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3085
(identity) local= xxxxxx, remote= yyyyyyy,
local_proxy= xxxxxxx/255.240.0.0/0/0 (type=4),
remote_proxy= xxxxxxxx/255.255.224.0/0/0 (type=4)
Jun 18 12:53:16.784 UTC: IPSEC(update_current_outbound_sa): updated peer xxxxxxx current outbound sa to SPI 0
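A small triage script, added here as an example and not taken from any post in this thread, that pulls the "Delete IPsec SA by ..." events out of a Cisco IOS log like the one above and reports, per peer, how many times the SA was torn down, the dominant reason (DPD versus anything else) and whether the deletes recur at a fixed interval, which is the "every minute" pattern described below. The sample log is constructed with documentation addresses, and the year is an assumption because IOS timestamps omit it.

```python
import re
import statistics
from datetime import datetime

# Constructed sample modelled on the lines quoted above (documentation addresses, not the poster's log).
SAMPLE_LOG = """\
Jun 18 12:53:05.780 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 203.0.113.9
Jun 18 12:53:16.784 UTC: Delete IPsec SA by DPD, local 198.51.100.1 remote 203.0.113.9 peer port 500
Jun 18 12:53:16.784 UTC: IPSEC(delete_sa): deleting SA,
Jun 18 12:54:17.102 UTC: Delete IPsec SA by DPD, local 198.51.100.1 remote 203.0.113.9 peer port 500
Jun 18 12:55:18.231 UTC: Delete IPsec SA by DPD, local 198.51.100.1 remote 203.0.113.9 peer port 500
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ UTC: (.*)$")
DELETE_RE = re.compile(r"Delete IPsec SA by (?P<reason>\w+), local (?P<local>\S+) remote (?P<remote>\S+)")


def parse_sa_deletes(text, year=2020):
    """Return (timestamp, reason, local, remote) for every SA-delete line; year is assumed."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        d = DELETE_RE.search(m.group(2))
        if not d:
            continue  # not an SA delete (e.g. the IKMP_MODE_FAILURE line)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, d["reason"], d["local"], d["remote"]))
    return events


def flap_summary(events, jitter_s=5):
    """Per remote peer: delete count, dominant reason, median gap, and whether gaps are near-constant."""
    by_peer = {}
    for ts, reason, _local, remote in events:
        by_peer.setdefault(remote, []).append((ts, reason))
    out = {}
    for peer, evs in by_peer.items():
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        reasons = {}
        for _, r in evs:
            reasons[r] = reasons.get(r, 0) + 1
        out[peer] = {
            "deletes": len(evs),
            "top_reason": max(reasons, key=reasons.get),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            # a periodic flap (same gap each time) points at a timer, not at data-path loss
            "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter_s,
        }
    return out
```

Run it over the router's full log (not just the excerpt) to see whether the deletes line up with a fixed timer, which is the kind of pattern a lifetime or DPD setting would produce, before changing either side's configuration.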
If you see the config is good and it worked before: if the other side is Check Point R80.X, we have seen some issues around Check Point with Cisco.
Re-creating by deleting the tunnel on the Check Point side and creating it again fixed it (since you confirmed it was a working one).
Thanks for the reply! We tried deleting the tunnel several times and reconfiguring, with no results.
The behavior is that the phase 1 and phase 2 are up, but phase 2 keeps deleting every minute and restarting...
Good morning! On the Check Point side, checking the IKE logs, all we see is an incoming Delete, no reason given. Screenshot below. It goes through a bunch of DPD packets and then a delete.
Going through this again, we are thinking it is a version issue. The router is on code 15.0 which is very outdated.
Did you try disabling the lifetime on the Router for kilobytes?
I think that this kilobyte lifetime for Phase 2 lives only in Cisco's world.
no crypto ipsec security-association lifetime kilobytes