04-19-2011 03:35 PM
Hi
We have a site-to-site VPN between our ASA and a Checkpoint. Phase 1 and Phase 2 are completed.
Traffic from the ASA internal network reaches the network behind the Checkpoint, but nothing returns.
How can I see the traffic inside the VPN from the Cisco side?
I did debug crypto isakmp and debug crypto ipsec and it shows me that the tunnel goes up.
Thanks in advance.
Thanks
04-19-2011 03:39 PM
To check that the tunnel is up for both Phase 1 and Phase 2:
Phase 1: show cry isa sa
If you are seeing MM_ACTIVE, that means Phase 1 is active
Phase 2: show cry ipsec sa
You will need to check the encrypt and decrypt packet counters and see if they are incrementing and have more or less the same numbers.
If you are saying that the packet is getting sent to Check Point from ASA internal LAN, on the "show cry ipsec sa" counters you will see packet encrypts number incrementing, however, decrypts might be just 0.
If this is the case, you might want to check with Check Point on why traffic does not return.
Hope this helps.
04-19-2011 06:11 PM
Please post the "interesting traffic" ACL here.
One of the things to remember is that Checkpoint will do the supernet. For example, let's say there are two networks behind the Checkpoint firewall such as 192.168.0.0/24 and 192.168.1.0/24; what Checkpoint will do is combine them into 192.168.0.0/23, and that will break the VPN. One way to see this is to run "vpn debug ikeon" and look at the ike.elg file with IKEView.exe, and you will see it.
How did Checkpoint set up the VPN? Traditional mode or Simplified mode? Is there any NAT involved? If not, did the Checkpoint person "disable NAT inside VPN community"?
You're posting a question here without a lot of information to go on.
04-20-2011 01:29 AM
Hi all
This is the conf of ASA5520:
name 172.20.20.20 Local-host-int
object network local-host-nat-outside host 10.20.10.65
object network Local-lan subnet 10.20.10.0 255.255.255.0
object network Remote-lan subnet 10.20.20.0 255.255.255.192
access-list outside_cryptomap_22 extended permit ip object Local-lan object Remote-lan
nat (NET-INTERNE,outside) source static Local-host-int local-host-nat-outside destination static Remote-lan Remote-lan
crypto map outside_map 19 match address outside_cryptomap_22
crypto map outside_map 19 set peer 192.168.91.1
crypto map outside_map 19 set transform-set ESP-AES-128-SHA
crypto map outside_map 19 set security-association lifetime seconds 3600
crypto isakmp identity address
crypto isakmp enable outside
group-policy VPN-192.168.91.1 internal
group-policy VPN-192.168.91.1 attributes
 vpn-filter none
 ipv6-vpn-filter none
 vpn-tunnel-protocol IPSec
tunnel-group 192.168.91.1 type ipsec-l2l
tunnel-group 192.168.91.1 general-attributes
 default-group-policy VPN-192.168.91.1
tunnel-group 192.168.91.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
Output of the command:
show cry isa sa
2 IKE Peer: 192.168.91.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
#pkts encaps: 575, #pkts encrypt: 575, #pkts digest: 575
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 575, #pkts comp failed: 0, #pkts decomp failed: 0
a moment ago
#pkts encaps: 591, #pkts encrypt: 591, #pkts digest: 591
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 591, #pkts comp failed: 0, #pkts decomp failed: 0
So encrypted packets increase, but decrypted packets are always 0.
I also found this:
[IKEv1]: Group = 192.168.91.1, IP = 192.168.91.1, Duplicate Phase 1 packet detected. No last packet to retransmit
Thanks again
Thanks
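As an added example (not from this thread), a small Python script that does what the earlier reply suggests: parse two snapshots of the "#pkts" lines from "show crypto ipsec sa" and classify the traffic pattern, flagging the one-way case seen above (encaps climbing while decaps stays at 0). The two sample snapshots are constructed from the numbers in the post.

```python
import re

# Constructed sample: two "#pkts" snapshots from "show crypto ipsec sa",
# modelled on the counters posted in the thread (taken a moment apart).
SNAPSHOT_1 = """\
#pkts encaps: 575, #pkts encrypt: 575, #pkts digest: 575
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 575, #pkts comp failed: 0, #pkts decomp failed: 0
"""
SNAPSHOT_2 = """\
#pkts encaps: 591, #pkts encrypt: 591, #pkts digest: 591
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 591, #pkts comp failed: 0, #pkts decomp failed: 0
"""

# "#pkts <name>: <count>" pairs; names may contain spaces ("not compressed").
COUNTER_RE = re.compile(r"#pkts ([a-z ]+?): (\d+)")


def parse_counters(text):
    """Map each counter name to its integer value, e.g. {'encaps': 575, ...}."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def diagnose(before, after):
    """Compare two snapshots of one SA and classify the traffic pattern."""
    b, a = parse_counters(before), parse_counters(after)
    enc = a["encaps"] - b["encaps"]   # packets the ASA sent into the tunnel
    dec = a["decaps"] - b["decaps"]   # packets the ASA received from the peer
    if enc < 0 or dec < 0:
        verdict = "counters reset: SA was rekeyed or cleared between snapshots"
    elif enc == 0 and dec == 0:
        verdict = "idle: no traffic matched the crypto ACL in this interval"
    elif dec == 0:
        verdict = "one-way: ASA encrypts but nothing returns; look at the peer side"
    elif enc == 0:
        verdict = "one-way: peer sends but ASA never encrypts; check ASA routing/ACL"
    else:
        verdict = "bidirectional: both directions are flowing"
    return {"encaps_delta": enc, "decaps_delta": dec, "verdict": verdict}


if __name__ == "__main__":
    r = diagnose(SNAPSHOT_1, SNAPSHOT_2)
    print(f"+{r['encaps_delta']} encaps, +{r['decaps_delta']} decaps: {r['verdict']}")
```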
04-20-2011 01:57 AM
Hi
Looking at this, I don't believe the issue is on the ASA. As you say, your transmit counters are increasing which shows that the ASA is happy that the IPSEC tunnel is up at phase 1 and phase 2.
You need to start looking at the Checkpoint Log Viewer - Smart Dashboard contains a number of tools which will assist in troubleshooting from the Checkpoint side. There could be a number of things including:
1. Anti Spoofing.
2. IP Routing on the Checkpoint (configuration of routes is different depending on whether it is a Nokia IPSO platform, or a UTM-1 device).
You will need to log the VPN rule on the checkpoint and run a Smartview Monitor session to see what is being logged by the Checkpoint. Normally the error messages are reasonably clear in the Checkpoint logs.
Barry