
Urgent help needed: Cisco ASA vs Checkpoint

MariusAndersson
Level 1

Hi, I hope someone can point me in the right direction...

I have an urgent business case where we need to establish a LAN-to-LAN VPN between two locations.

From my point of view, everything is set up correctly on the ASA that I'm admin for; it also seems so on the remote location's Checkpoint (from what I have seen of the config screenshots I got).

Both Phase 1 and Phase 2 are active, and I can see packets TX and RX through the IPsec session on the ASA. I can also see packets coming in through the FW behind the ASA when tests are done from the remote location. I also see packets going out, but there is no response to any kind of test done from either location... to me it looks like a FW or routing problem on the other side.

The problem is: the remote location claims not to receive any packets at all! They see outgoing packets, but no incoming ones.

Has anyone seen anything like that before? How can it be possible? I'm seeing tons of packets going into the IPsec tunnel, and I can't believe they are just disappearing.

Should I maybe make some changes?

Is there anything I can do to prove that the problem is not on my end?


ilwadhi.r
Level 1

In this case I suspect that ESP packets might be getting blocked on the remote end. Collect ESP packets on the outside interface of your firewall and show them that traffic from your side is getting sent; also ask them to collect packet captures on their outside interface.

Apart from this, you may try enabling NAT traversal on both sides; this can help in case there are NATting devices in between.

HTH

Rahul

Hi Marius,

Yes, this does occur and is not a rare instance.

I would suggest that the remote end make sure to allow ESP and AH on their firewall. Normally the Checkpoint is used as the FW and also as the VPN endpoint, so they might have blocked the above protocols on the FW. Ask them to check the rules on the FW.

HTH

Kishore

From what you're saying above:

"I can also see packets coming in through the FW behind the ASA when test are done from remote location."

Are you also returning traffic on the ASA (i.e. do you see ESP outbound traffic from the ASA back to the Checkpoint)?

"I also see packets going out, but the no response on any kinds of tests done from either locations"

Do you see outbound ESP traffic from your side, and does the Checkpoint admin, through tcpdump, see ESP traffic on the Checkpoint box?

If you're confident that the issue is on the Checkpoint side, here is how you can prove it:

- run a capture on your ASA, capturing only ESP traffic;

- the Checkpoint admin runs tcpdump on the firewall, capturing traffic between your VPN peer and the Checkpoint VPN peer: "tcpdump -nnni ethx host Checkpoint_VPN_peer and host ASA_VPN_peer"

Now test from a host behind the Checkpoint firewall that is part of the interesting traffic. If you can see the ESP traffic coming to the ASA and also leaving the ASA, it means that your side is OK. On the Checkpoint side, check in the tcpdump whether he can see incoming ESP traffic from the ASA. If he does, then the next step is to run tcpdump on the Checkpoint internal interface to see if the traffic got decrypted and sent to the destination. His Checkpoint may not have the proper route.

talisman1310
Level 1

I came across this issue some time ago.

For us, we had a Cisco 7206 router and the other end was a Checkpoint running in active/active mode. The return traffic from the Cisco was going to the secondary Checkpoint firewall, and hence the remote end might not see the traffic coming in. Cisco will not accept two VPN tunnels between the same two endpoints with similar configuration, but Checkpoint does in active/active mode.

Thanks for all input guys!

We are still having the same situation. Here is a tcpdump from my site; this is as far out as I can get (there is no more equipment after this except a switch):

11:00:19.738872 local_peer.isakmp > remote_peer.isakmp: isakmp: phase 1 R ident
11:00:19.773342 remote_peer.isakmp > local_peer.isakmp: isakmp: phase 1 I ident[E]
11:00:19.773776 local_peer.isakmp > remote_peer.isakmp: isakmp: phase 1 R ident[E]
11:00:19.798487 remote_peer.isakmp > local_peer.isakmp: isakmp: phase 2/others I oakley-quick[E]
11:00:19.800220 local_peer.isakmp > remote_peer.isakmp: isakmp: phase 2/others R oakley-quick[E]
11:00:19.825368 remote_peer.isakmp > local_peer.isakmp: isakmp: phase 2/others I oakley-quick[E]
11:00:19.926146 remote_peer.isakmp > local_peer.isakmp: isakmp: phase 2/others I oakley-quick[E]
11:00:20.027090 remote_peer.isakmp > local_peer.isakmp: isakmp: phase 2/others I oakley-quick[E]
11:00:20.124376 remote_peer > local_peer: ESP(spi=0x8fd7d4a7,seq=0x1)
11:00:20.129385 local_peer > remote_peer: ESP(spi=0xee2a7988,seq=0x1)
11:00:20.626075 remote_peer > local_peer: ESP(spi=0x8fd7d4a7,seq=0x2)
11:00:20.629073 local_peer > remote_peer: ESP(spi=0xee2a7988,seq=0x2)
11:00:21.625663 remote_peer > local_peer: ESP(spi=0x8fd7d4a7,seq=0x3)
11:00:21.628583 local_peer > remote_peer: ESP(spi=0xee2a7988,seq=0x3)
11:00:22.625209 remote_peer > local_peer: ESP(spi=0x8fd7d4a7,seq=0x4)
11:00:22.628698 local_peer > remote_peer: ESP(spi=0xee2a7988,seq=0x4)
11:00:23.625463 remote_peer > local_peer: ESP(spi=0x8fd7d4a7,seq=0x5)
11:00:23.628369 local_peer > remote_peer: ESP(spi=0xee2a7988,seq=0x5)

I'll ask about the Checkpoint, and whether it's a cluster running Active/Active.

"For us, we had a Cisco 7206 router and the other end was a Checkpoint running in active/active mode. The return traffic from the Cisco was going to the secondary Checkpoint firewall, and hence the remote end might not see the traffic coming in. Cisco will not accept two VPN tunnels between the same two endpoints with similar configuration, but Checkpoint does in active/active mode."

You need to understand how Checkpoint works in Active/Active mode. I have had a VPN running between Cisco IOS and a Checkpoint running in Active/Active mode for the past five years without any issues.

From what I am seeing in your output, it looks like both phase I and phase II are working fine between the Checkpoint and the Cisco, as evidenced by your tcpdump. In other words, the VPN portion is fine. Furthermore, the routing configuration on your side is also correct, because we can see traffic getting encrypted and decrypted, so the issue is on the Checkpoint side.

The VPN portion on the checkpoint side is also correct because ESP is going back and forth.

At this point, it looks like the problem is with routing on the Checkpoint side. As I've suggested before, have the Checkpoint person run tcpdump on the internal side of the Checkpoint firewall, after the traffic is decrypted, and see if the traffic from your network gets there; then he can start from there.

There is also the problem of enterprises using load balancers etc., which causes some issues with traffic routing.

You might want to check with the remote end about this as well.
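As an added example that is not part of the thread, the following Python script applies the check the replies above describe to tcpdump output in the same format Marius posted: it counts the IKE phase 1/2 exchanges and the ESP packets per direction and SPI, flags gaps in ESP sequence numbers, and reports whether encrypted traffic is flowing both ways at the local gateway, which is the point at which the thread concludes the ASA side is healthy and the remote side's routing should be checked next. The sample capture, peer names and SPIs are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format used in the thread; peer names
# and SPIs are placeholders, not values from any real tunnel.
SAMPLE_CAPTURE = """\
11:00:19.738872 local_peer.isakmp > remote_peer.isakmp: isakmp: phase 1 R ident
11:00:19.773342 remote_peer.isakmp > local_peer.isakmp: isakmp: phase 1 I ident[E]
11:00:19.798487 remote_peer.isakmp > local_peer.isakmp: isakmp: phase 2/others I oakley-quick[E]
11:00:19.800220 local_peer.isakmp > remote_peer.isakmp: isakmp: phase 2/others R oakley-quick[E]
11:00:20.124376 remote_peer > local_peer: ESP(spi=0x8fd7d4a7,seq=0x1)
11:00:20.129385 local_peer > remote_peer: ESP(spi=0xee2a7988,seq=0x1)
11:00:20.626075 remote_peer > local_peer: ESP(spi=0x8fd7d4a7,seq=0x2)
11:00:20.629073 local_peer > remote_peer: ESP(spi=0xee2a7988,seq=0x2)
11:00:21.625663 remote_peer > local_peer: ESP(spi=0x8fd7d4a7,seq=0x4)
"""

IKE_RE = re.compile(r"^\S+ (\S+)\.isakmp > (\S+)\.isakmp: isakmp: phase (\d)")
ESP_RE = re.compile(r"^\S+ (\S+) > (\S+): ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")


def summarize(capture, local_peer):
    """Summarize a capture taken on the outside interface of the local gateway:
    IKE phases seen, ESP counts per direction, per-SPI sequence-number gaps."""
    phases = set()
    esp = defaultdict(list)  # (src, dst, spi) -> sequence numbers in order seen
    for line in capture.splitlines():
        m = IKE_RE.match(line)
        if m:
            phases.add(int(m.group(3)))
            continue
        m = ESP_RE.match(line)
        if m:
            src, dst, spi, seq = m.groups()
            esp[(src, dst, spi)].append(int(seq, 16))
    esp_in = sum(len(v) for (_, dst, _), v in esp.items() if dst == local_peer)
    esp_out = sum(len(v) for (src, _, _), v in esp.items() if src == local_peer)
    # ESP sequence numbers increase by one per packet on an SA; a hole in the
    # run means packets were lost (or reordered) between the two peers.
    gaps = sorted(spi for (_, _, spi), v in esp.items()
                  if v != list(range(v[0], v[0] + len(v))))
    return {"phase1": 1 in phases, "phase2": 2 in phases, "esp_in": esp_in,
            "esp_out": esp_out, "bidirectional": esp_in > 0 and esp_out > 0,
            "seq_gaps": gaps}


def local_side_ok(summary):
    """The thread's criterion: IKE phase 1 and 2 up and ESP seen in both
    directions at the local gateway means the local side is fine."""
    return summary["phase1"] and summary["phase2"] and summary["bidirectional"]
```

Feed it the output of a capture filtered to the two peers (as in the tcpdump command quoted above) and, if it reports the local side OK, the next capture to take is on the Checkpoint's internal interface after decryption.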