[FW1] Delays with IKE/ESP
I have been noticing a problem with some of our IKE users over the past month. A couple of them are using a broadband (ADSL) connection, with a NAT'ing router (Nokia M1122). The addresses on the inside of the ADSL router are RFC1918 based.

The SR client can authenticate, and use the VPN, but there is a 3 minute delay between the authcrypt event and the next event (sometimes a pool IP address bound, sometimes a decrypt). This is a sample taken from last night's logs:

Time Action Source Dest User Reason
21:17:23 Authcrypt 210.x.x.x wlx Authenticated 3DES, IKE, SHA1
21:20:41 Accept 192.168.2.x wlx Bound address 192.168.2.x to 156.x.x.x
21:20:41 Decrypt 192.168.2.x Lots of NetBios traffic for MS Exchange
.
. Time passes by - working OK
.
22:33:34 Authcrypt 210.x.x.x wlxxxx Authenticated 3DES, IKE, SHA1
22:36:54 Decrypt 192.168.2.x Normal traffic

As you can see from the above, there is about a 3 minute 20 second wait between the authcrypt and valid traffic being allowed through. It only affects the ADSL users - everyone else (FWZ and IKE - either cable modem or modem) works fine.

This only seems to have been an issue since we upgraded to 4.1 SP2, although I can't rule it out as a telco issue, as they upgraded their ADSL network at around the same time. We managed to get it going fine using the older equipment.

We have pinholed IP Type 50 and UDP Port 500 to the PC from the router, and even tried pinholing IP Type 51 just in case - same problem.

Has anyone else experienced the same issues? Any ideas why there is a 3 minute wait?
Our environment is:

Firewall:
  Windoze NT Server 4.1 SP6
  Checkpoint VPN-1 4.1 SP2
  IP pool addresses (200) to internal network addresses
  UDP Encapsulation enabled

Client:
  Windoze NT Workstation SP5
  SecuRemote Release 4165
  IP Address 192.168.2.x
  Router IP address 210.x.x.x from ISP
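
An added example, not part of the original post: a Python script that measures the gap described above by pairing each Authcrypt entry with the next Accept or Decrypt entry. The whitespace-separated line layout, the 60-second threshold and the function names are assumptions, the sample lines are constructed from the excerpt in the post, and the log is assumed to be filtered to a single client.

```python
from datetime import datetime, timedelta

# Constructed sample, modelled on the log excerpt in the post (single client).
SAMPLE_LOG = """\
21:17:23 Authcrypt 210.x.x.x wlx Authenticated 3DES, IKE, SHA1
21:20:41 Accept 192.168.2.x wlx Bound address 192.168.2.x to 156.x.x.x
21:20:41 Decrypt 192.168.2.x Lots of NetBios traffic for MS Exchange
22:33:34 Authcrypt 210.x.x.x wlxxxx Authenticated 3DES, IKE, SHA1
22:36:54 Decrypt 192.168.2.x Normal traffic
23:59:50 Authcrypt 210.x.x.x wlx Authenticated 3DES, IKE, SHA1
00:00:05 Decrypt 192.168.2.x Normal traffic
"""

FOLLOW_UP = {"Accept", "Decrypt"}  # events that show traffic is flowing


def parse_line(line):
    """Return (time, action, source), or None for lines that do not parse."""
    parts = line.split(None, 3)
    try:
        return datetime.strptime(parts[0], "%H:%M:%S"), parts[1], parts[2]
    except (IndexError, ValueError):
        return None


def auth_delays(log_text, threshold_s=60):
    """Pair each Authcrypt with the next Accept/Decrypt and report the gap."""
    results = []
    pending = None  # (time, source) of an Authcrypt still waiting for traffic
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, action, source = parsed
        if action == "Authcrypt":
            pending = (stamp, source)
        elif action in FOLLOW_UP and pending is not None:
            gap = stamp - pending[0]
            if gap < timedelta(0):  # no date in the log: assume it rolled past midnight
                gap += timedelta(days=1)
            seconds = int(gap.total_seconds())
            results.append((pending[0].strftime("%H:%M:%S"), pending[1],
                            action, seconds, seconds > threshold_s))
            pending = None
    return results


if __name__ == "__main__":
    for start, src, nxt, secs, slow in auth_delays(SAMPLE_LOG):
        print(f"{start} {src} -> {nxt} after {secs}s{'  SLOW' if slow else ''}")
```

Run against logs from before and after a firewall or router change, the per-session gaps show whether the delay is constant (suggesting a timeout) or variable.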