Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
747
Views
0
Helpful
6
Replies

Router IPSEC with Check Point

roger.karam1
Level 1
Level 1

‎06-18-2021 10:49 AM

Hey guys! We are configuring a site-to-site to a Check Point gateway. Although it initially appears to be working, with phase 1 and phase 2 being successful, the phase 2 portion keeps restarting.

 

All we can see from the log is that the router is sending a delete. The other side presents no errors. I'm copying the log below.

 

We can't figure out why it is sending this delete... Originally we thought it was because the lifetimes did not match, but they are both set to use 3600 seconds and 4608000 KB. All parameters are matching...

 

Any thoughts on what could be going on?

 

Thanks!

RK

 

un 18 12:53:05.780 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at Y.Y.Y.Y
Jun 18 12:53:13.140 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 18 12:53:16.784 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 18 12:53:16.784 UTC: Delete IPsec SA by DPD, local X.X.X.X remote Y.Y.Y.Y peer port 500
Jun 18 12:53:16.784 UTC: IPSEC(delete_sa): deleting SA,

(sa) sa_dest= xxxxxxxx, sa_proto= 50,
sa_spi= 0x8DA98057(2376695895),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3085
sa_lifetime(k/sec)= (4396033/3600),
(identity) local= xxxxxx, remote= yyyyyyy,
local_proxy= xxxxxxx/255.240.0.0/0/0 (type=4),
remote_proxy= xxxxxxxx/255.255.224.0/0/0 (type=4)
Jun 18 12:53:16.784 UTC: IPSEC(update_current_outbound_sa): updated peer xxxxxxx current outbound sa to SPI 0

Labels:
0 Helpful
6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

‎06-18-2021 11:06 AM

if you see the config is good and was worked before. if other side checkpoint R80.X we have seen some issue around checkpoing with Cisco.

 

Re-creating by delteing tunnel on checkpoint side and creating again was fixed. (since you confirmed it was working one)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

roger.karam1
Level 1
Level 1
In response to balaji.bandi

‎06-18-2021 12:03 PM

Thanks for the reply! We tried deleting the tunnel several times and reconfiguring, with no results.

 

The behavior is that the phase 1 and phase 2 are up, but phase 2 keeps deleting every minute and restarting...

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to roger.karam1

‎06-18-2021 03:55 PM - edited ‎06-18-2021 03:56 PM

Ask checkpoint to run the debug, what is the code of Checkpoint?

 

Note : checkpoint side not show debug on GUI you need to run at command level ( shell)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

roger.karam1
Level 1
Level 1

‎06-19-2021 04:45 AM

Good morning! On the Check Point side, checking the IKE logs, all we see is an incoming Delete, no reason given. Screen show below. It goes through a bunch of DPD packets and then a delete.

 

Going through this again, we are thinking it is a version issue. The router is on code 15.0 which is very outdated.

 

Preview file
66 KB
0 Helpful

vldimitrov85
Level 1
Level 1

‎06-21-2021 03:32 PM

Did you try disabling the lifetime on the Router for kilobytes?

I think that this kilobytes lifetime for Phase 2 is living only in the Cisco's world.

no crypto ipsec security-association lifetime kilobytes

0 Helpful

Sheraz.Salim
VIP
VIP

‎06-22-2021 02:51 AM

check if both side are matching the PSF group values? seem to be mostly likely the issue is the PSF group.

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents