I saw something similar, site to site VPN R55 to NGX, same manager, policy push to NGX would cause the VPN fail for about 5-10 minutes, all the logs showed encrypts and decrypts as they should. When they were both r55 to r55 no problems at policy push were ever seen. I switched the link selection on the r55 box from probing to always use main IP, which is also what is selected on the newly upgraded NGX box and my problem at policy push went away.
-GS -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of cisco4ng Sent: Monday, September 11, 2006 10:56 AM To: [email protected] Subject: [FW-1] VPN interoperability between NGx R60/R61 and Cisco IOS/Pix devices I have a checkpoint NGx R60 running HFA_04 on a Nokia IPSO 4.1 running vrrp. This box is doing IPSec with two other cisco IOS routers (IOS version 12.3T), called Router_A and Router_B. The Nokia platform is an IP710 I have a continous ping between a host behind this checkpoint device (host_CP), to hosts behind Router_A (host_A) and Router_B (host_B). The ping is going across the VPN tunnels. I also have hosts behind Router_A and Router_B doing continous ping to the host behind the Checkpoint firewall. Ping is working fine between hosts. Everytime I push the policy on the Checkpoint firewall, the ping from host_CP to host_A and host_B continues to work fine. However, the continous ping from host_A to host_CP timeout for about 20 minutes and then it starts working again. Same issue with host_B ping host_CP. I upgrade the firewall to R61. Same issue. What the F! is checkpoint doing this time to break VPN? cisco4ng --------------------------------- Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at 1ยข/min. ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
