L2L Cisco to Checkpoint VPN frequent drops

Status: Not open for further replies.

captnops (IS-IT--Management), Feb 12, 2003
I have a 2811 that connects via T1 to a Checkpoint device (not ours) via an L2L VPN tunnel.

Every day at approximately the same time, the tunnel drops and will not reconnect. If I reload the router, the tunnel reestablishes until the next day.

I do have keepalives 10 set.

All help is greatly appreciated.
 
What time of day? Night time? Is there a heavier load during that time? Is there something going on on the Checkpoint side? Do they reboot it or take it down for maintenance? Does your ISP take down the T1?
 
It usually occurs in the morning between 8-10 AM EST. The load is about the same as at any other time (that is to say, nothing but RDP traffic to a terminal server).

The admin on the Checkpoint side doesn't indicate that his logs show any problems. I have requested that he send me his lifetime settings to verify that they are the same, but I remember that during implementation we verified that they were.

T1 does not come down and the ISP indicates no errors (framing, timing, etc) on the circuit during those outages.

One other symptom that was interesting. One of my customers indicated that they were unable to traceroute past the inside interface address during the time that the tunnel came down. However, that may be due to the static route pointing all that traffic to the tunnel.

Thanks again.
 
Is the Checkpoint using PFS? Perfect forward secret? (I think that's what it's called.)
 
I honestly do not know, and the admin is OOO until Monday.
 
Do you have any log files from your device at the time the connection drops?
 
Unfortunately, not a great deal. I am seeing a message that says "Rec'd packet not an IPSEC packet", but I suspect that is due to the ACL for this being any any.
 
The only thing I can think of is that the timeout is not set the same on both ends. I would verify all configurations with the owner of the Checkpoint.
 
Thank you. That is what I was thinking it was, but I wanted to eliminate any other possibilities. I will post more once I have all the info from the Checkpoint.

Interesting note: I have enabled logging on the router, sent to a syslog server, at level debugging. The tunnel came down again (same symptoms as above), but no debugging logs were sent to the syslog server.
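The settings the replies ask to verify, written out as an added example for the IOS side of this tunnel (it is not configuration from the thread or from either admin): the ISAKMP and IPsec lifetimes that must match the Checkpoint value-for-value, periodic DPD in place of a bare keepalive, a crypto ACL narrower than any any, and the logging commands that actually deliver debug-level output to a syslog server. The 86400-second Phase 1 lifetime is the IOS default, which is why a once-a-day failure at the same hour is worth checking against the peer's IKE renegotiation setting first. Peer and local addresses, subnets, interface names, the pre-shared key and the syslog host are placeholders.

```cisco
! Added example, not from the original thread. Addresses, subnets, interface
! names, the pre-shared key and the syslog host are placeholders.
service timestamps log datetime msec localtime
!
! Phase 1 (ISAKMP). 86400 s (24 h) is the IOS default. A tunnel that dies at the
! same time every day is the signature of a Phase 1 rekey that fails, so confirm
! the Checkpoint side uses the same value (it is entered there in minutes: 1440).
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 198.51.100.1
!
! Dead peer detection: probe every 10 s, retry every 3 s, and probe even when
! the tunnel is idle. "crypto isakmp keepalive 10" with no keyword is on-demand
! DPD on newer IOS and only fires when there is traffic to send.
crypto isakmp keepalive 10 3 periodic
!
! Phase 2 (IPsec). 3600 s and 4608000 KB are the IOS defaults. A kilobyte
! lifetime that differs from the peer's rekeys at an unpredictable time, so
! either match both numbers or make both sides time-based only.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec transform-set CP-TS esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto ACL: only the real subnets. With "permit ip any any" every clear-text
! packet arriving on the outside interface matches the crypto ACL, which is what
! produces the "Rec'd packet not an IPSEC packet" message.
ip access-list extended CP-CRYPTO-ACL
 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
!
crypto map CP-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set CP-TS
 match address CP-CRYPTO-ACL
!
! PFS must be on at both ends or off at both ends. Keep the next line inside
! the crypto map entry only if the Checkpoint side has PFS enabled:
!   set pfs group2
!
interface Serial0/0/0
 description T1 to ISP
 ip address 192.0.2.1 255.255.255.252
 crypto map CP-MAP
!
! Logging. Syslog only receives messages up to the "logging trap" level, and the
! default is informational, so debug output never leaves the router until the
! trap level is raised to debugging. Buffered logging keeps a local copy for
! the case where the syslog path itself goes through the tunnel.
logging buffered 65536 debugging
logging trap debugging
logging source-interface FastEthernet0/0
logging host 10.10.0.50
!
! Verification from exec mode during the failure window:
!   show crypto isakmp sa
!   show crypto ipsec sa peer 198.51.100.1
!   show logging
!   debug crypto isakmp
!   debug crypto ipsec
```

The two `show crypto` commands report the remaining SA lifetime on each side of the rekey, so running them shortly before the usual drop time shows whether Phase 1 or Phase 2 is the one that expires and fails to renegotiate. If the syslog host is only reachable through the tunnel, the buffered log is the only place the debug output will survive the outage.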
 