[FW-1] IKE timing out?

[Rob Spurlock <rspurlock@FW1-NOSPAMNSCI.NET>]

Hi everyone.  I’ve inherited a FW-1 network to manage and I’ve run into a problem.  We’re using CP FW-1 NG at our main site and we have 2 remote sites that connect over DSL via IKE VPN (on the router).  When the connection first comes up, everything works fine, mostly.  But it seems like the tunnel is timing out if there is no activity.  I would assume this would be by design, but it won’t come back up until the router is reset.  I’ve seen errors on the router (a Netopia 4541) like this:

 

IPsec: rx: vpn host rejected

 

And I’ve seen errors like this on the firewall log:

 

Encryption failure: Packet is dropped as there is no valid SA.

 

I’m also checking with Netopia to see if it might be a problem with their hardware.  Anyone experience anything like this or have any idea?  I have both remote sites using the exact same router with the exact same Firmware version and the exact same settings.

 

Thanks in advance.

 

Rob Spurlock

Network Engineer

NetStar Communications, Inc

rspurlock@nsci.net

 

================================================= To set vacation, Out Of Office, or away messages, send an email to LISTSERV@amadeus.us.checkpoint.com in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email fw-1-owner@ts.checkpoint.com =================================================