[vpn] Cisco 3000/Checkpoint FW-1 renegotiation

Sean McCreanor Sean.McCreanor at didata.com.au
Wed Mar 13 18:43:09 EST 2002


Peter,
I have had this problem but in the exact reverse, i.e. when the tunnel 
is disrupted at the Cisco end, the Firewall-1 gateway will not accept 
new IPSec SA requests until the existing SAs in the firewall kernel 
expired (from memory this was a 4.1 firewall with SP 3).

I had to manually flush the tables from the firewall kernel before the 
tunnel would re-establish with these commands:

fw tab -t IKE_SA_table -x
fw tab -t ISAKMP_ESP_table -x
fw tab -t inbound_SPI -x

I am unsure if this issue has been fixed in a later 4.1 SP or in NG.
It may not fix your problem, but I hope it may be of some insight.
Regards, Sean.


Peter Walker wrote:
 > Folks
 >
 > We are having problems with a VPN connection we have to one of our
 > remote sites between a Cisco VPN 3000 concentrator (local) and a
 > checkpoint FW-1 (remote). The problem is that whenever there is an
 > outage at the remote (checkpoint end) the IPSEC tunnel will not
 > renegotiate until we manually reset/disconnect the VPN session at the
 > concentrator end.  This is really causing a problem as the Cisco end is
 > here in the US and the checkpoint end is in Europe. So whenever there is
 > a problem at the European end, our European site is basically offline
 > until they can call one of us here in the US (at home, in the middle of
 > the night) and have us reset the tunnel.
 >
 > Does anyone have any experience of this problem and how to fix it?
 >
 > Peter
 >
 > VPN is sponsored by SecurityFocus.com
 >


-- 
Sean McCreanor
Security Engineer
Dimension Data Australia
121-127 Harrington Street
Sydney Australia 2000
Phone +61 2 8249 5086
Mobile +61 418 485 312
