0 Replies Latest reply: Nov 15, 2018 10:56 AM by binoy

    Can we have multiple DH groups in the same policy, and does that affect connectivity between ASA and Checkpoint?

    binoy

      We are seeing a strange problem of VPN renegotiation taking a few seconds between the ASA and the client-side Checkpoint. Below is the policy that we have. On the Checkpoint side they have DH group 19. The VPN is established; however, after some time renegotiation happens and we see it takes a few seconds. Checkpoint says that it is because we are sending many DH groups in the same policy, as seen in their debug. Is this causing the issue? If yes, can we re-sequence this by creating another policy, e.g. crypto ikev2 policy 10 with the same parameters, deleting policy 1, and creating another policy 1 with DH group 19?

      ASA Policy

      crypto ikev2 policy 1
      encryption aes-256 aes-192 aes
      integrity sha512 sha384 sha256 sha
      group 21 20 19 24 14 5 2 1
      prf sha512 sha384 sha256 sha
      lifetime seconds 86400
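The question above is really about how IKEv2 handles a long DH group list. Per RFC 7296 section 2.7, the initiator's IKE_SA_INIT proposal may list several groups, but the KE payload can carry a public value for only one of them, so the initiator has to guess; if the responder wants a different group it answers INVALID_KE_PAYLOAD naming that group and the initiator must restart IKE_SA_INIT, costing an extra round trip before authentication even begins. The following is an added example (not the poster's configuration, not Cisco or Check Point code) that models that exchange in Python for the posted group list against a peer that only accepts group 19. The names `Exchange`, `ike_sa_init`, `responder_select`, `init_round_trips` and `prefer_group` are this example's own, and two behaviours are assumptions labelled in the code: that the initiator keys its KE payload with the first group in its list, and that the responder picks the first offered group it supports.

```python
"""IKEv2 IKE_SA_INIT Diffie-Hellman group selection, modelled after RFC 7296 s.2.7.

Constructed example (not the poster's config or Check Point's debug): the
initiator lists several DH groups in its SA proposal but its KE payload can
carry a key for only one of them, so it has to guess. If the responder picks
a different group it replies INVALID_KE_PAYLOAD with the group it wants and
the initiator must start IKE_SA_INIT again with that group: one extra round
trip before authentication can even begin.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Group list copied from the posted 'crypto ikev2 policy 1'.
ASA_POLICY_GROUPS = [21, 20, 19, 24, 14, 5, 2, 1]
# The post says the Check Point side is configured for group 19.
CHECKPOINT_GROUPS = {19}


@dataclass
class Exchange:
    """Messages of one IKE_SA_INIT negotiation and its outcome."""
    messages: List[str] = field(default_factory=list)
    selected_group: Optional[int] = None


def responder_select(offered: List[int], supported: Set[int]) -> Optional[int]:
    """Responder picks the first offered group it supports.

    Assumption: real implementations may instead apply their own preference
    order; the RFC only requires the choice to come from the offered set.
    """
    for g in offered:
        if g in supported:
            return g
    return None


def ike_sa_init(initiator_groups: List[int], responder_supported: Set[int]) -> Exchange:
    """Run IKE_SA_INIT until the responder accepts the KE group or rejects the proposal."""
    if not initiator_groups:
        raise ValueError("initiator offers no DH groups")
    ex = Exchange()
    # Assumption: the initiator keys its KE payload with the first group it lists.
    ke_group = initiator_groups[0]
    while True:
        ex.messages.append(f"I->R IKE_SA_INIT SA(groups={initiator_groups}) KE(group {ke_group})")
        chosen = responder_select(initiator_groups, responder_supported)
        if chosen is None:
            # No overlap at all: the responder rejects the whole proposal.
            ex.messages.append("R->I Notify(NO_PROPOSAL_CHOSEN)")
            return ex
        if chosen != ke_group:
            # Responder wants a different group: tell the initiator and make it retry.
            ex.messages.append(f"R->I Notify(INVALID_KE_PAYLOAD, group {chosen})")
            ke_group = chosen
            continue
        ex.messages.append(f"R->I IKE_SA_INIT SA(group {chosen}) KE(group {chosen})")
        ex.selected_group = chosen
        return ex


def init_round_trips(ex: Exchange) -> int:
    """Number of IKE_SA_INIT request/response pairs the negotiation took."""
    return sum(1 for m in ex.messages if m.startswith("I->R"))


def prefer_group(groups: List[int], first: int) -> List[int]:
    """Return the group list with `first` moved to the front (what re-sequencing the policy achieves)."""
    if first not in groups:
        raise ValueError(f"group {first} is not in the policy")
    return [first] + [g for g in groups if g != first]


if __name__ == "__main__":
    for label, groups in (("as posted", ASA_POLICY_GROUPS),
                          ("group 19 first", prefer_group(ASA_POLICY_GROUPS, 19))):
        ex = ike_sa_init(groups, CHECKPOINT_GROUPS)
        print(f"{label}: {init_round_trips(ex)} IKE_SA_INIT round trip(s), selected group {ex.selected_group}")
        for m in ex.messages:
            print("   ", m)
```

Under these assumptions the posted order costs two IKE_SA_INIT round trips on every rekey (the ASA guesses group 21, is told to use 19, and starts over), while a list with 19 first, or a policy containing only 19, completes in one. Whether the ASA really keys its first IKE_SA_INIT with the first group of its highest-priority policy is the part to confirm in the ASA's own IKEv2 debug output before changing the policy; the model also shows the failure mode when the two sides share no group at all (NO_PROPOSAL_CHOSEN), which a re-sequenced policy must still avoid.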