Improving horrible ASA 5505 - Checkpoint and 5505 -5510 Site to Site VPN Uptime

Question

How can I improve my site to site VPN uptime coming from an ASA 5505 to both Checkpoint safe@office and ASA 5510. The uptime nbetween the 5505-Checkpoint is really bad, like <10 min on average. I haven't had a lot of luck scouring Google and this site for answers. Any ideas would be appreciated. The site to site WORKS, it just disconnects and reconnects a lot. Even general tips are appreciated. Thanks so much.

EDIT 0: This is the error I see in the debugging log:

3   Jul 25 2011 10:02:59    713902                  Group = 209.156.x.x, IP = 209.156.x.x, QM FSM error (P2 struct &0xc9f0c5a8, mess id 0x52494315)!

EDIT 1:

I was able to resolve the issue by disabling perfect forward secrecy. I don't exactly know what this is - I remember studying Diffie Hellman or whatever a while back - but I think it didn't really jive between the two firewall devices. Then I disabled keep-alives because they were not jiving as well. VPN uptime is @ 2 hrs or so and counting, we'll see...

Enable debugging and start by figuring out why it's disconnecting. — Chris S, Jul 25 '11 at 18:28
Will do. Logging @ debug level now and waiting for it to break — tacos_tacos_tacos, Jul 25 '11 at 18:31
Have you taken a look at the underlying connections supporting this tunnel to see if they're dropping? — SpacemanSpiff, Jul 25 '11 at 19:25

score 0 · Answer 1 · answered Dec 16 '11 at 18:05

0

I am using cisco ASA5510 8.4(2) and CP Safe@Office 500 8.0.42x and I am experiencing the same problem. It will connect P1, P2 and work for a few minutes then disconnect. Then reconnect in a minute or 2. I am disabling PFS per this recommendation. If anyone is still seeing this thread, please add any input. Thanks.

answered Dec 16 '11 at 18:05

Chris

1

1

What are your crypto_map entries? I found out that my problem was related to the fact that CheckPoint brings over ALL networks, including "OfficeMode" if your users connect via EndPoint Connect/SecureClient/SecuRemote. So, you may want to use Dynamic crypto map entry and then just ping it from the CheckPoint network. – tacos_tacos_tacos Dec 16 '11 at 18:48
VPN connection has been up for 4.5 hours after removing PFS. – Chris Dec 16 '11 at 23:23
I specified the subnets.. 10.0.0.0/8 for Cisco and 192.168.10.0/24 for Checkpoint. I did not select the route all traffic option. We want the end users to browse web locally, not over the VPN. Turning off Perfect Forward Secrecy seems to have done it. – Chris Dec 16 '11 at 23:27
If your checkpoint uses OfficeMode it will bring over its network regardless of whether you split tunnel or not – tacos_tacos_tacos Dec 17 '11 at 18:22

Improving horrible ASA 5505 - Checkpoint and 5505 -5510 Site to Site VPN Uptime

1 Answers1