Tuesday, October 13, 2015

Cisco ASA: Troubleshooting With Logs

I was having to troubleshoot a VPN between a Check Point and an ASA the other day.  I came up with this message in the ASA logs:

%ASA-7-713222: Group = 5.8.15.51, IP = 5.8.15.51, Static Crypto Map check, map = BHM, seq = 30, ACL does not match proxy IDs src:5.8.15.51 dst:192.168.2.10
%ASA-7-713221: Group = 5.8.15.51, IP = 5.8.15.51, Static Crypto Map check, checking map = BHM, seq = 40...

It appears that the Check Point is trying to use the public address instead of the non-NAT'ed address. My point here is that the ASA logs are very important for troubleshooting issues. Maybe you can look at the config and just find the solution. Maybe you need the logs. Either way, setting the appropriate log levels when troubleshooting is important. It helped me determine that the ASA was fine and that the Check Point needed some work.
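An added example (not part of the original post): a small Python parser that pulls the rejected proxy IDs out of 713222 messages and flags the case seen above, where the source proxy ID the peer proposes is its own public address. The regular expressions are written only against the two log lines shown here, and the third sample line is constructed.

```python
import re
from collections import defaultdict

# Header common to ASA syslog messages: %ASA-<severity>-<message id>:
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)")
# Body of 713222: a static crypto map entry whose ACL did not match the proxy IDs.
MISMATCH = re.compile(
    r"IP = (?P<peer>[\d.]+), Static Crypto Map check, map = (?P<map>\S+), "
    r"seq = (?P<seq>\d+), ACL does not match proxy IDs "
    r"src:(?P<src>[\d.]+) dst:(?P<dst>[\d.]+)"
)

# First two lines are from the post; the last one is constructed for the example.
SAMPLE = [
    "%ASA-7-713222: Group = 5.8.15.51, IP = 5.8.15.51, Static Crypto Map check, map = BHM, seq = 30, ACL does not match proxy IDs src:5.8.15.51 dst:192.168.2.10",
    "%ASA-7-713221: Group = 5.8.15.51, IP = 5.8.15.51, Static Crypto Map check, checking map = BHM, seq = 40...",
    "%ASA-7-713222: Group = 203.0.113.7, IP = 203.0.113.7, Static Crypto Map check, map = BHM, seq = 20, ACL does not match proxy IDs src:10.20.0.5 dst:192.168.2.10",
]

def proxy_id_mismatches(lines):
    """Group 713222 events by (peer, src, dst) and list the map entries that rejected them."""
    found = defaultdict(list)
    for line in lines:
        head = HEADER.search(line)
        if not head or head["msgid"] != "713222":
            continue  # e.g. 713221 only says which entry is being checked next
        m = MISMATCH.search(head["body"])
        if m:
            found[(m["peer"], m["src"], m["dst"])].append((m["map"], int(m["seq"])))
    return [
        # src == peer means the peer proposed its public address as the proxy ID
        {"peer": peer, "src": src, "dst": dst, "rejected_by": entries,
         "src_is_peer_address": src == peer}
        for (peer, src, dst), entries in found.items()
    ]

if __name__ == "__main__":
    for event in proxy_id_mismatches(SAMPLE):
        print(event)
```
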
