
VPN tunnel b/w CheckPoint R62 and Cisco ASA 5510 7.2(4) breaking

calterio (Level 1)

We have a VPN tunnel b/w a CheckPoint and a Cisco ASA. The tunnel is up and working, but almost every day around noon I get the following messages and the tunnel breaks and reforms successfully. Phase 1 is set on both sides at 1440min/86400 seconds; phase 2 is set on both sides to 3600. It sounds like the tunnel is just terminating at the end of the phase 1 lifetime, but people are using the tunnel and report that their sessions break, so I'm confused. Any ideas/help would be appreciated. Thank you.

713041 IP=1.1.1.1, IKE Initiator: Rekeying Phase 1,Intf Internet, IKE Peer 1.1.1.1, local Proxy Address N/A, remote Proxy Address N/A, Crypto map N/A

713903 Group=1.1.1.1, IP=1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes

713119 Group=1.1.1.1, IP=1.1.1.1, PHASE 1 COMPLETED

713122 IP=1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type=None)

713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit.

713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit.

ASA Version 7.2(4)

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map Internet_map 1 match address Internet_1_cryptomap

crypto map Internet_map 1 set peer 1.1.1.1

crypto map Internet_map 1 set transform-set ESP-3DES-SHA

crypto map Internet_map 1 set security-association lifetime seconds 3600

crypto map Internet_map interface Internet

crypto isakmp enable Internet

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto isakmp am-disable

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

 pre-shared-key xyz

# sh crypto isakmp sa detail

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 1.1.1.1

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Encrypt : 3des Hash : SHA

Auth : preshared Lifetime: 86400

Lifetime Remaining: 71300

# sh crypto ipsec sa

interface: Internet

Crypto map tag: Internet_map, seq num: 1, local addr: 22.22.22.22

access-list Internet_1_cryptomap permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0

local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)

current_peer: 1.1.1.1

#pkts encaps: 121046, #pkts encrypt: 121046, #pkts digest: 121046

#pkts decaps: 134396, #pkts decrypt: 134396, #pkts verify: 134396

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 121046, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 22.22.22.22, remote crypto endpt.: 1.1.1.1

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 38003399

inbound esp sas:

spi: 0x802A637 (215026177)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 3, crypto-map: Internet_map

sa timing: remaining key lifetime (kB/sec): (4270520/2113)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x380033 (939538880)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 3, crypto-map: Internet_map

sa timing: remaining key lifetime (kB/sec): (4273260/2112)

IV size: 8 bytes

replay detection support: Y
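The message sequence in the post (713041 "Rekeying Phase 1" followed a moment later by 713119 "PHASE 1 COMPLETED") is the signature of an IKE SA rekey, not of a tunnel that was torn down and rebuilt: the new IKE SA is negotiated while the old one is still valid, and the IPsec SAs carrying user traffic are not replaced by it. A 713119 with no preceding 713041 (or one following a 713050 "Connection terminated for peer") is the case that actually means the tunnel went away. The script below is an added example, not part of the original post or of any Cisco tool; it classifies ASA syslog lines into these two cases and also flags the 713122 keepalive mismatch, which means the ASA cannot learn that the peer has died until traffic stops flowing. It assumes the "<msgid> Group=..., IP=..., text" layout shown in the thread; the timestamps, the 30-second rekey window and the 713050 teardown line are constructed for the sample.

```python
"""Classify IKEv1 phase-1 events in Cisco ASA syslog output.

Added example (not from the original post). Assumes lines in the layout
shown in the thread, prefixed with an HH:MM:SS timestamp that the forum
post did not include; the timestamps here are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the lines quoted in the post, with made-up timestamps,
# plus a 713050 teardown and a second 713119 so the contrasting case is shown.
SAMPLE_LOG = """\
12:01:03 713041 IP=1.1.1.1, IKE Initiator: Rekeying Phase 1,Intf Internet, IKE Peer 1.1.1.1, local Proxy Address N/A, remote Proxy Address N/A, Crypto map N/A
12:01:03 713903 Group=1.1.1.1, IP=1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
12:01:04 713119 Group=1.1.1.1, IP=1.1.1.1, PHASE 1 COMPLETED
12:01:04 713122 IP=1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type=None)
12:01:05 713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit.
12:01:05 713201 Group=1.1.1.1, IP=1.1.1.1, Duplicate phase 1 packet detected. No last packet to retransmit.
13:30:00 713050 Group=1.1.1.1, IP=1.1.1.1, Connection terminated for peer 1.1.1.1.  Reason: Peer Terminate
13:30:02 713119 Group=1.1.1.1, IP=1.1.1.1, PHASE 1 COMPLETED
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d)\s+(?P<id>\d{6})\s+(?P<text>.*)$")

# Assumption: a rekey's 713041 and its 713119 land within this window.
REKEY_WINDOW = timedelta(seconds=30)


def parse(log):
    """Return (timestamp, message_id, text) tuples for lines that match the layout."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.strptime(m["ts"], "%H:%M:%S"), m["id"], m["text"]))
    return events


def classify(log):
    """Count phase-1 rekeys vs. fresh IKE SAs and flag the keepalive mismatch."""
    summary = {
        "phase1_rekeys": 0,        # 713041 followed by 713119: IKE SA replaced in place
        "phase1_fresh": 0,         # 713119 with no recent 713041: tunnel was rebuilt
        "teardowns": 0,            # 713050: IKE SA torn down
        "keepalive_mismatch": False,  # 713122: peer does not do keepalives/DPD
        "duplicate_phase1_packets": 0,  # 713201
        "notes": [],
    }
    last_rekey = None
    for ts, mid, text in parse(log):
        if mid == "713041":
            last_rekey = ts
        elif mid == "713050":
            summary["teardowns"] += 1
            summary["notes"].append(f"{ts:%H:%M:%S} IKE SA torn down: {text}")
        elif mid == "713119":
            if last_rekey is not None and ts - last_rekey <= REKEY_WINDOW:
                summary["phase1_rekeys"] += 1   # benign: user traffic keeps its IPsec SAs
                last_rekey = None
            else:
                summary["phase1_fresh"] += 1
                summary["notes"].append(
                    f"{ts:%H:%M:%S} phase 1 completed with no preceding 713041: "
                    "new IKE SA, so the tunnel was rebuilt, not rekeyed")
        elif mid == "713122":
            summary["keepalive_mismatch"] = True
            summary["notes"].append(
                f"{ts:%H:%M:%S} peer ignores keepalives; a dead peer is only noticed when traffic fails")
        elif mid == "713201":
            summary["duplicate_phase1_packets"] += 1
    return summary


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for key, value in result.items():
        if key != "notes":
            print(f"{key}: {value}")
    for note in result["notes"]:
        print("  -", note)
```

Run against a real ASA log, the script reports how many of the daily "PHASE 1 COMPLETED" events were plain rekeys; if they all are and users still lose sessions at the same time, the cause is above the tunnel, which is where this thread ended up.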

5 Replies

nobleton3366 (Level 1)

Were you able to find a solution? I have the same problem between Windows 2003 and an ASA. I have noticed that it drops at 75% of the phase 1 time. If I set it to 8 hrs, it breaks at 6 hrs; I set it to 4 hrs, it breaks at 3 hrs; I set it to 20 minutes and it breaks at 15 minutes. Like clockwork.

Our problem turned out to be within the Oracle application the users were using, and not with the connection. The database administrators tweaked a timeout parameter, and that resolved the issue.

Really? So the Oracle app was causing your VPN to disconnect periodically?

Users were reporting their sessions were breaking. I looked at the logs from the ASA and, based on the messages (like "PHASE 1 COMPLETED"), I assumed the tunnel was breaking and then reforming, and that's what was causing the session disconnect. Speaking further with the users, I found that some sessions did not get disconnected, but this one Oracle app always did. So I had the user send the screenshot of the error that she received when her session broke. I googled it and found a timeout issue caused by a parameter in a *.ora file. I had the DBA change the parameter to see if it resolved the user's issue, and as far as I know, it did. I don't work that closely with Cisco, so perhaps the messages I thought indicated a break in the tunnel actually were just normal messages. I just know the user is no longer complaining of session disruptions. Good luck ... I hope you find an answer to your issue.

Recently we found a problem with Windows 2003 in that it did not do DPD or something like that. Anyway, we hacked the registry and it works fine now. I will review and post details shortly.

Bill