Hi Everyone,
I have a pair of Nokia IP650s running IPSO 3.7.1 build 020 with
Check Point NG Feature Pack 3 & HFA 325. The Nokias are running
in an Active/Standby configuration using the legacy VRRP configuration.
Between the Nokias, I use a dedicated interface just for stateful
synchronization. The Active Nokia has a priority of 100 and the
standby has a priority of 95, with the delta set to 10.
I have a site-to-site VPN tunnel between this pair of Nokias and
a pair of Cisco 7206 routers running IOS version 12.3T. I configured
the Cisco devices to use stateful IPsec failover via Inter-Process Communication
(IPC), available in 12.3T code.
The timeouts for both Phase I and Phase II between the Nokia and the Cisco 7206
router are identical, with Phase I set to 1440 minutes and Phase II set to
3600 seconds.
The VPN is working fine; however, whenever I increase the priority
of the standby Nokia to 105 and make it master, the VPN tunnel
goes down. It stays that way for almost 20 minutes and then the tunnel
comes back up again.
When I increase the priority of the standby Nokia to 105, I notice the
following message on the Cisco device:
VXR7206-TEST#
*Dec 28 21:11:32.933: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for
destaddr=164.109.1.4, prot=50, spi=0xF9542EFE(4183043838), srcaddr=164.1
What it means is that the Cisco device is seeing a different SPI in the
packets from the Nokia; it is invalid, so it drops the ESP packets.
Furthermore, I also see the Nokia sending out ISAKMP packets, thus
renegotiating the IPsec tunnel, and the Cisco doesn't like it.
Is there a workaround for this? Has anyone run into this problem before?
I currently have a TAC case open with Nokia, but I don't think it will go
anywhere with Nokia since their TAC is just as clueless about it as
I am. The idiot from Nokia told me to use Resolution 4772, but when
I look at Resolution 4772 it applies only to Check Point 4.1. The problem
with Nokia TAC is that they don't know enough about Cisco technology to
help me.
By the way, I did notice that I don't have this problem running SPLAT
and ClusterXL with Cisco devices using IPsec failover, but then again, I am
using R55w there. Using NG AI R55w is NOT an option in my production environment
because our Provider-1 is still NG Feature Pack 3.
Comments anyone?
TIA
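The %CRYPTO-4-RECVD_PKT_INV_SPI line quoted in the post is the one observable symptom of the failure mode described: after the VRRP failover, the new master sends ESP on an SA the Cisco never negotiated, and the router drops every packet and logs one of these lines. The following is an added example, not code from the post, from Nokia or from Cisco, that parses those IOS log lines and flags a peer pair whose invalid-SPI drops cluster in a short window, which is the signature of an SA desync after a cluster failover rather than a single stale packet after a normal rekey. The log lines fed to it are constructed; 164.109.1.4 is the destaddr from the post, and the srcaddr 164.109.2.9, the 10.1.1.1 peer, the 60-second window and the threshold of 3 are assumptions for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the IOS message shown in the post (one syslog line; the post's
# copy was wrapped by the mail client). The leading "*" and the ".msec" part
# come from "service timestamps log datetime msec". IOS timestamps carry no
# year, so parsed times are only ever compared relative to each other.
INV_SPI_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log (assumption: these addresses and times are made up,
# apart from destaddr 164.109.1.4 and SPI 0xF9542EFE which appear in the post).
SAMPLE_LOG = """\
*Dec 28 20:03:10.001: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=164.109.1.4, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=10.1.1.1
*Dec 28 21:11:32.933: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=164.109.1.4, prot=50, spi=0xF9542EFE(4183043838), srcaddr=164.109.2.9
*Dec 28 21:11:33.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0
*Dec 28 21:11:40.102: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=164.109.1.4, prot=50, spi=0xF9542EFE(4183043838), srcaddr=164.109.2.9
*Dec 28 21:11:51.777: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=164.109.1.4, prot=50, spi=0xF9542EFE(4183043838), srcaddr=164.109.2.9
*Dec 28 21:12:05.004: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=164.109.1.4, prot=50, spi=0xF9542EFE(4183043838), srcaddr=164.109.2.9
"""


def parse_inv_spi(lines):
    """Return one dict per %CRYPTO-4-RECVD_PKT_INV_SPI line; other lines are skipped."""
    events = []
    for line in lines:
        m = INV_SPI_RE.match(line.strip())
        if not m:
            continue
        # strptime without a year defaults to 1900, which is fine for deltas.
        ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append({
            "ts": ts, "src": m["src"], "dst": m["dst"],
            "prot": int(m["prot"]), "spi": int(m["spi"], 16),
        })
    return events


def find_sa_desync(events, window=timedelta(seconds=60), min_count=3):
    """Flag each (srcaddr, destaddr, prot) whose drops cluster inside `window`.

    A burst of drops from one peer with the same unknown SPI means the peer is
    sending on an SA this router never negotiated (for example the surviving
    cluster member after a failover). A lone line, as after a normal rekey,
    stays below the threshold. Returns at most one finding per peer pair.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"], e["prot"])].append(e)

    findings = []
    for (src, dst, prot), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start..end] fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_count:
                findings.append({
                    "src": src, "dst": dst, "prot": prot,
                    "first": evs[start]["ts"], "last": evs[end]["ts"],
                    "count": end - start + 1,
                    "spis": sorted({e["spi"] for e in evs[start:end + 1]}),
                })
                break  # one alert per peer pair is enough
    return findings


if __name__ == "__main__":
    for f in find_sa_desync(parse_inv_spi(SAMPLE_LOG.splitlines())):
        spis = ", ".join(f"0x{s:08X}" for s in f["spis"])
        print(f"{f['src']} -> {f['dst']} prot {f['prot']}: {f['count']} invalid-SPI "
              f"drops between {f['first']:%b %d %H:%M:%S} and {f['last']:%b %d %H:%M:%S} "
              f"(SPIs {spis}) - likely SA desync after peer failover")
```

On the sample log the single 10.1.1.1 line never reaches the threshold, while the four lines from 164.109.2.9 carrying the post's SPI 0xF9542EFE inside 33 seconds produce one finding. In a real deployment the window and threshold should be tuned to how often the peer's cluster is expected to rekey, and the alert is worth correlating with the peer's own VRRP or cluster state-change logs.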
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================