[FW1] Chrysalis-ITS and CheckPoint 2000 SP2



Greetings,

Does the Luna VPN adapter (VPN-1 Accelerator) function reliably on a
Solaris 2.7 CPfw1-41 SP2?  I've been able to get them "almost" functional
under SP1 and SP2, but have observed some strange behavior.  For example,
the card will attempt to initialize and dump errors, but the firewall
logger reports a dropped packet to/from an IANA reserved address to a
random Internet address. 

I initially suspected the adapter to have been malfunctioning, but am able
to duplicate the problem on other systems/adapters.  Has anyone else
observed this?  Is anyone else running 2000 SP2 with the VPN-1
Accelerator on Solaris?  VPN works fine with the adapter disabled, by the
way...

For those interested, a more technical review of the problem, as well as
some troubleshooting and logging information appears below.

Regards,

Peter Lukas

- Technical Review -
Hardware:
* Sun Netra t1125 (UltraSPARC-IIi 440, 256MB, 2x18.1GB LVD, Sun QFE)
* Luna VPN-1 Card (Firmware revision 1.43.1.5.1.24. Luna(TM)VPN 1.29.2)

Software:
* Solaris 2.7 (5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-60)
* CheckPoint 2000 Service Pack 2 (Version 4.1 Build 41716) 
* VPN-1 Accelerator Card Add-On ((sun4u) 3.10)
* StoneBeat High Availability (3.1.5)

Problem:
The adapter fails to initialize and reports errors to the system
logger.  The lunadiag utility fails to properly diagnose the adapter
resulting in a core dump.

Troubleshooting:
I have an identical system with identical software and the VPN-1
encryption adapter works with no problems.  I have swapped the suspect
VPN-1 adapter with another (working) adapter and the `lunadiag` reported
the adapter to function correctly (passed all tests).  After the system
was rebooted, however, the VPN adapter no longer worked and exhibited the
same behavior as the initial malfunctioning card.  The adapters exhibited
the same behavior before Service Pack 2 was applied to the system as
well.  

What's even more strange is that when the encryption fails, the adapter  
initiates a connection to two addresses that are in no way associated with
this firewall, let alone this organization.  In the log provided, you can
see the firewall daemon dropping the authentication header with a source
of 231.107.233.149 (University of Southern California) and a destination
of 69.0.0.40 (IANA -Reserved).  Neither address should appear on this
device.  The addresses will change from time to time, too.  In any case,
this does not appear normal.  I've snooped the interfaces during this
failure and observed that the traffic does not appear on the interfaces,
however.

fw log:
 8:29:08 drop   <my-fw>    >daemon proto ah src 231.107.233.149 dst
69.0.0.40 rule 0 decryption failure: VPN-1 Accelerator Card reports error
scheme: IKE
# Neither address above is associated with this firewall/network.

/var/adm/messages:
Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: token window lost sync
Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: dualport: hwwl/hwrl =
4000000/0000, twwl/twrl = 0000/0000
Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: driver:   hwwl/hwrl =
4000000/0000, twwl/twrl = 0000/0000
Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _do_smachine: device error
Nov 10 12:14:44 <my-fw> unix: luna0: ------ Firmware Messages Begin -----
Nov 10 12:14:44 <my-fw> unix: Firmware revision 1.43.1.5.1.24. Luna(TM)VPN
1.29.2 
Nov 10 12:14:44 <my-fw>
File:D:\Projects\firmware\LunaPCI-IF2\source\luna2\main_mod\main.c
Nov 10 12:14:44 <my-fw> Date:Sep 28 1999
Nov 10 12:14:44 <my-fw> Time14:24:33
Nov 10 12:14:44 <my-fw> Performing initialization...
Nov 10 12:14:44 <my-fw> Zeroized token
Nov 10 12:14:44 <my-fw> Set TPV to 4003004A
Nov 10 12:14:44 <my-fw> Save label LunaVPN BETA Token             
Nov 10 12:14:44 <my-fw> Performed special init token: 0.
Nov 10 12:14:44 <my-fw> Initialization Complete.
Nov 10 12:14:44 <my-fw> input queue offset=0x4000000 too big
Nov 10 12:14:44 <my-fw> CL_FatalError(0x300203)
Nov 10 12:14:44 <my-fw> unix: luna0: ------ Firmware Messages End   -----
Nov 10 12:14:44 <my-fw> unix: luna0: _reset: elapsed = 640 msec

# fw accel stat -l:
FW-1: VPN-1 Accelerator Card started
  Number of initialization errors: 0
  Number of processing errors: 10
  Number of ESP valid contexts: 1
  Number of AH valid contexts: 0
  Number of packets queued to the card: 0
  High water mark of number of packets in queue: 1
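The drop line and the `fw accel stat -l` counters above are the two signals an operator has for telling a faulty accelerator apart from a genuine VPN decryption failure. The following is an added example, not code from the post or from Check Point: it parses the FW-1 4.1 text log line (assumed to be a single line; the archive wrapped it) and the stat output, and flags "Accelerator Card reports error" drops whose src and dst are both implausible as VPN endpoints (multicast, reserved, or outside a hypothetical list of known VPN networks).

```python
import ipaddress
import re

# Shape of the FW-1 4.1 text log line quoted in the post. Assumption: one line,
# fields "time action origin iface proto P src S dst D rule N <free text>".
FW_LINE = re.compile(
    r"^\s*(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<action>\w+)\s+(?P<origin>\S+)\s+"
    r"(?P<iface>\S+)\s+proto\s+(?P<proto>\w+)\s+src\s+(?P<src>\S+)\s+dst\s+(?P<dst>\S+)"
    r"\s+rule\s+(?P<rule>\d+)\s*(?P<info>.*)$"
)
ACCEL_ERROR = "VPN-1 Accelerator Card reports error"

# Constructed sample: networks that legitimately terminate VPN traffic on this
# firewall (hypothetical documentation ranges, not addresses from the post).
KNOWN_VPN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                      ipaddress.ip_network("198.51.100.0/24")]

def parse_fw_line(line):
    """Return the log fields as a dict, or None if the line has another shape."""
    m = FW_LINE.match(line)
    return m.groupdict() if m else None

def endpoint_is_plausible(ip_text):
    """True only for a unicast address inside a known VPN network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return False
    return any(ip in net for net in KNOWN_VPN_NETWORKS)

def classify_drop(line):
    """'accelerator-fault', 'vpn-decrypt-failure', 'other', or None (not an IPsec drop)."""
    rec = parse_fw_line(line)
    if rec is None or rec["action"] != "drop" or rec["proto"] not in ("ah", "esp"):
        return None
    if ACCEL_ERROR in rec["info"]:
        # Card error plus two addresses that should never appear on this device:
        # treat as hardware/driver fault, not as a peer failing to decrypt.
        if not endpoint_is_plausible(rec["src"]) and not endpoint_is_plausible(rec["dst"]):
            return "accelerator-fault"
        return "vpn-decrypt-failure"
    return "other"

STAT_LINE = re.compile(r"^\s*Number of (?P<name>[\w ]+?) errors:\s+(?P<n>\d+)")

def accel_error_counts(stat_text):
    """Extract the error counters from `fw accel stat -l` output, e.g. {'processing': 10}."""
    return {m["name"]: int(m["n"]) for m in map(STAT_LINE.match, stat_text.splitlines()) if m}
```

A non-zero processing-error counter together with an "accelerator-fault" drop is the pattern the post describes; a card that is healthy produces neither.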