
I am not able to get an S2S connection between my Central office (Checkpoint R65) and my remote office (Cisco ASA 5505). Currently in the testing phase, the Cisco box is also at my office, but connected to my DSL.

I have created the tunnel, but it keeps telling me on the Cisco box "Missing header, SA overload". Can anyone help?

This is what I used as reference:

http://netl33ts.blogspot.com/2009/02/checkpoint-to-cisco-asa-vpn-example.html

Thanks, A D

Kevin Kuphal
uhsa
  • Are you getting any other errors in your syslog from the ASA? – GregD Jul 24 '09 at 16:32
  • Can you post a sanitized config output from your ASA? – GregD Jul 24 '09 at 16:55
  • Where are you seeing the "missing header, SA overload" message? I think there must be more text to go with it. Also, are you using ASDM to do the configuration or the command line? If you're not familiar with Cisco ASA/PIX systems, I'd recommend starting again with ASDM and letting it walk you through the VPN configuration. – Ewan Leith Oct 29 '09 at 15:37

3 Answers

2

On the ASA, run "debug cry ipsec" and "debug cry isakmp". You might want to set up your console to log to a txt file, or set up syslog. It's easier to grep for info then.

Next, on the Checkpoint look at Tracker for errors. You can get a copy of IKEView (ask your Checkpoint partner, or if you have access to the site, you can download it). The tool is a bit complicated, but is one of the ways to debug a Checkpoint VPN problem.

Is your Checkpoint in a cluster? Nokia's VRRP has problems with the phase one IP, so try breaking your cluster, and running solo (if you can at night for example).

BTW, I could not find any error called "Missing header, SA overload." Can you send the error code number, or paste the entire line?

kruczkowski
1

Could you provide more information (like the settings used on both sides)? Is this error coming during phase 1 or phase 2? I would recommend turning on debugging on the ASA to get more information regarding the error.

radius
  • -1 for not really being an answer. This is what comments are for. – GregD Jul 24 '09 at 17:45
  • I am using 3DES both for IKE and IPSEC encryption, SHA for authorization. The only logs I am seeing on the Cisco box are when I am trying to ping from the central office (via Checkpoint) to the remote network (via Cisco). The error says "Missing header, SA overload." Let me know what is needed and I will try to copy & paste that here. Regards, A D – uhsa Jul 24 '09 at 20:31
  • @GregD That's your point of view. My point of view is that adding my question as an answer allows responses to my question to be posted as comments on it instead of as comments on the original question. And I find this clearer (at least when there is more than 1 answer). Asking many questions as comments on the original question makes the answers scrambled, and I find it hard to follow the scrambled thread of questions/answers. – radius Jul 24 '09 at 21:24
  • @uhsa please take a look at http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#pix_dbgs Try to run your ping and give us the output of show crypto isakmp sa (the important part is the state). You may also run debug crypto isakmp and debug crypto ipsec. You could post the output on pastebin.com. This will allow us to know at which state it fails. Also, do you have anything like %ASA-... before the message? What is the ASA OS version? – radius Jul 24 '09 at 21:32
0

Add the command: crypto map mymap 30 set nat-t-disable