
[FW-1] Cisco->FW1 VPN timeout problem



Hi John,

Check out the SPI range settings on the FW-1.  The SPI
is the unique identifier for each SA.  Cisco uses
decimal SPI values in range of 256 to 4,294,967,295.

I believe that FW-1 SPI entries are in hex - so make
sure that the range is the same as the Cisco.

Hope this helps.

Thanks,
Russell Siverland-Bishop
CCIE #4533


Hi ,
I keep getting these messages on my Cisco router. When these messages
come up the VPN goes down for a few minutes and then automatically fixes
itself. Here's the message:

IPSEC (decapsulation):error is decapsulation crypto
ipsec_sa_exists.
crypto-4-recvd_inv_SPI: decaps: rec'd IPSEC packet has
invalid SPI
destaddr=x.x.x.x, prot=50,spi=0x2f0j2500 ( 535353526)


The remote office Cisco router is connected to my firewall using an IPSEC
VPN. It's using IKE for the keys. On the Checkpoint firewall1 encryption
properties tab it says "renegotiate IKE SA every 52 minutes" and
"renegotiate IPSEC SA's every 3600 seconds".

On the Cisco router if I do "sh crypto isakmp policy", I see the
lifetime set for 3120 seconds (which equates to 52 minutes). If I do a
"sh crypto ipsec security-association-lifetime", I see 4608000
kilobytes/3600 seconds which also matches the checkpoint properties tab.

Please help.







--


John A. Gesualdi,    CCNP, CCDP, MCSE 2000
[email protected]
The Providence Journal Company