Firewall-1

Re: [FW-1] [FW1] Strange problem with Site-to-Site VPN

Subject: Re: [FW-1] [FW1] Strange problem with Site-to-Site VPN
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 26 May 2006 07:20:44 -0700
Are you talking about PIX or Concentrator? You can also enable isakmp keepalive on the concentrator via either the CLI or GUI.

The key is to make sure that the concentrator firmware is up-to-date. It will resolve your issues. I am running R55w on my Nokia and it works with the VPN concentrator perfectly, but I am running the latest code on the concentrator.
   
  cisco4ng

Chontzopoulos Dimitris <dchontzo AT ABC DOT GR> wrote:
Well, the client who is using the PIX has "ISAKMP Keepalive" enabled but I don't know whether or not they're running the latest firmware.

The thing is that the client is able to bring the VPN up-and-running by pinging one of my hosts, but this is not the case for me. It seems as if the VPN Concentrator realizes whether or not the in-between link has gone down so as to request a key re-negotiation when the link comes up-and-running again, as opposed to my Check Point Firewall, which, when the link comes back on again, tries to use the same keys as before and the VPN fails... This is the crazy thing about it...

_____ 

From: cisco4ng [mailto:cisco4ng AT yahoo DOT com] 
Sent: Friday, May 26, 2006 2:11 PM
To: Mailing list for discussion of Firewall-1
Cc: dchontzo AT ABC DOT GR
Subject: Re: [FW-1] [FW1] Strange problem with Site-to-Site VPN


1) make sure you run the latest code on the VPN concentrator.

2) make sure you enable "isakmp keepalive" on the concentrator

Yes, I've seen this issue many times. It is called a VPN interoperability issue between vendors.

Chontzopoulos Dimitris wrote:

Hey Gurus,

I've been having one extremely strange problem with a Site-to-Site VPN.

The VPN is being established via a Leased-Line (not over the Internet) between our Firewall (Check Point Firewall-1/VPN-1 R55W AI) and a Cisco VPN Concentrator 3000 on the Client Side. What happens is that if the line between us goes down for some reason, our side fails to identify that, so it keeps encrypting the data without re-negotiating for new keys. The only way for the VPN to be re-established is to manually clear my keys through "vpn tu" and then send them some traffic. After that, the VPN goes up again.

Now, I've never seen this happen before and I've got no problems at all with the rest of my remaining 40+ Site-to-Site VPNs with other Clients through the Internet. This issue only happens with them. I also have 2 additional VPNs with other Cisco VPN Concentrator(s) 3000 without any problems.

Has anyone seen this before? Is there something I can do?

Cheers,


Dimitris

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================



