
RE: [FW1] Chrysalis-ITS and CheckPoint 2000 SP2



Hmm,

I'm also having problems with these cards on NT4, SP6a.
I have 10 cards in total and of the 3 I'm using so far, two have failed
(both ends of a VPN - which took a while to diagnose ... :-< )

I too see the same _reset errors in the event logs plus a slew of other
errors including 

	Resource reporting problem E0000211
	_reset: elapsed =546 msec
	_do_smachine : Device error
	_tx: Token window lost sync

then after a while
	_do_smachine : too many errors, disabling device

The thing to do is to turn the accelerator card off with "fw accel off"
then run a "lunadiag" - mine all fail on test 3 (i.e. the first card related
test) with an access violation error on NT

Replacing the cards or turning off the driver restores comms between the
firewalls - so it's fairly easy to diagnose - once you've been burned once.

I'm currently getting replacement cards from Chrysalis via Checkpoint -
since they supplied them - I'm taking bets on the timeframe side of things
if anyone's interested ;-]

Hope this helps

Cheers

Tim

-----Original Message-----
From: Peter Lukas [mailto:[email protected]]
Sent: 13 November 2000 16:33
To: [email protected]
Subject: [W1] Chrysalis-ITS and CheckPoint 2000 SP2



Greetings,

Does the Luna VPN adapter (VPN-1 Accelerator) function reliably on a
Solaris 2.7 CPfw1-41 SP2?  I've been able to get them "almost" functional
under SP1 and SP2, but have observed some strange behavior.  For example,
the card will attempt to initialize and dump errors, but the firewall
logger reports a dropped packet to/from an IANA reserved address to a
random Internet address. 

I initially suspected the adapter to have been malfunctioning, but am able
to duplicate the problem on other systems/adapters.  Has anyone else
observed this?  Is anyone else running 2000 SP2 with the VPN-1
Accelerator on Solaris?  VPN works fine with the adapter disabled, by the
way...

For those interested, a more technical review of the problem, as well as
some troubleshooting and logging information appears below.

Regards,

Peter Lukas

- Technical Review -
Hardware:
* Sun Netra t1125 (UltraSPARC-IIi 440, 256MB, 2x18.1GB LVD, Sun QFE)
* Luna VPN-1 Card (Firmware revision 1.43.1.5.1.24. Luna(TM)VPN 1.29.2)

Software:
* Solaris 2.7 (5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-60)
* CheckPoint 2000 Service Pack 2 (Version 4.1 Build 41716) 
* VPN-1 Accelerator Card Add-On ((sun4u) 3.10)
* StoneBeat High Availability (3.1.5)

Problem:
The adapter fails to initialize and reports errors to the system
logger.  The lunadiag utility fails to properly diagnose the adapter
resulting in a core dump.

Troubleshooting:
I have an identical system with identical software and the VPN-1
encryption adapter works with no problems.  I have swapped the suspect
VPN-1 adapter with another (working) adapter and the `lunadiag` reported
the adapter to function correctly (passed all tests).  After the system
was rebooted, however, the VPN adapter no longer worked and exhibited the
same behavior as the initial malfunctioning card.  The adapters exhibited
the same behavior before Service Pack 2 was applied to the system as
well.  

What's even more strange is that when the encryption fails, the adapter  
initiates a connection to two addresses that are in no way associated with
this firewall, let alone this organization.  In the log provided, you can
see the firewall daemon dropping the authentication header with a source
of 231.107.233.149 (University of Southern California) and a destination
of 69.0.0.40 (IANA-Reserved).  Neither address should appear on this
device.  The addresses will change from time to time, too.  In any case,
this does not appear normal.  I've snooped the interfaces during this
failure and observed that the traffic does not appear on the interfaces,
however.

fw log:
 8:29:08 drop   <my-fw>    >daemon proto ah src 231.107.233.149 dst
69.0.0.40 rule 0 decryption failure: VPN-1 Accelerator Card reports error
scheme: IKE
# Neither address above is associated with this firewall/network.

/var/adm/messages:
Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: token window lost sync
Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: dualport: hwwl/hwrl =
4000000/0000, twwl/twrl = 0000/0000
Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: driver:   hwwl/hwrl =
4000000/0000, twwl/twrl = 0000/0000
Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _do_smachine: device error
Nov 10 12:14:44 <my-fw> unix: luna0: ------ Firmware Messages Begin -----
Nov 10 12:14:44 <my-fw> unix: Firmware revision 1.43.1.5.1.24. Luna(TM)VPN
1.29.2 
Nov 10 12:14:44 <my-fw>
File:D:\Projects\firmware\LunaPCI-IF2\source\luna2\main_mod\main.c
Nov 10 12:14:44 <my-fw> Date:Sep 28 1999
Nov 10 12:14:44 <my-fw> Time14:24:33
Nov 10 12:14:44 <my-fw> Performing initialization...
Nov 10 12:14:44 <my-fw> Zeroized token
Nov 10 12:14:44 <my-fw> Set TPV to 4003004A
Nov 10 12:14:44 <my-fw> Save label LunaVPN BETA Token             
Nov 10 12:14:44 <my-fw> Performed special init token: 0.
Nov 10 12:14:44 <my-fw> Initialization Complete.
Nov 10 12:14:44 <my-fw> input queue offset=0x4000000 too big
Nov 10 12:14:44 <my-fw> CL_FatalError(0x300203)
Nov 10 12:14:44 <my-fw> unix: luna0: ------ Firmware Messages End   -----
Nov 10 12:14:44 <my-fw> unix: luna0: _reset: elapsed = 640 msec

# fw accel stat -l:
FW-1: VPN-1 Accelerator Card started
  Number of initialization errors: 0
  Number of processing errors: 10
  Number of ESP valid contexts: 1
  Number of AH valid contexts: 0
  Number of packets queued to the card: 0
  High water mark of number of packets in queue: 1





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
************************************************************************
The information in this email is confidential and is intended solely
for the addressee(s).
Access to this email by anyone else is unauthorised. If you are not
an intended recipient, you must not read, use or disseminate the
information contained in the email.
Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of
The Capital Markets Company.

http://www.capco.com
***********************************************************************



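The two symptoms discussed in this thread (the luna0 driver warnings escalating to "too many errors, disabling device", and "decryption failure: VPN-1 Accelerator Card reports error" drops logged against addresses that belong to no VPN peer) can be picked out of the syslog and fw log mechanically. The script below is an added example written for this page, not code from either poster or from Check Point; the sample log lines are constructed to mirror the excerpts above, and the hostname and VPN peer networks are assumed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the /var/adm/messages and fw log
# excerpts quoted in the thread (hostname and peer networks are assumed).
MESSAGES = [
    "Nov 10 12:14:44 fw1 unix: WARNING: luna0: _tx: token window lost sync",
    "Nov 10 12:14:44 fw1 unix: WARNING: luna0: _do_smachine: device error",
    "Nov 10 12:14:44 fw1 unix: luna0: _reset: elapsed = 640 msec",
    "Nov 10 12:20:01 fw1 unix: WARNING: luna0: _do_smachine: too many errors, disabling device",
    "Nov 10 12:20:05 fw1 unix: WARNING: luna1: _tx: token window lost sync",
]
FWLOG = [
    " 8:29:08 drop   fw1    >daemon proto ah src 231.107.233.149 dst 69.0.0.40 rule 0 "
    "decryption failure: VPN-1 Accelerator Card reports error scheme: IKE",
    " 8:30:12 drop   fw1    >daemon proto esp src 192.0.2.10 dst 198.51.100.20 rule 0 "
    "decryption failure: VPN-1 Accelerator Card reports error scheme: IKE",
]
VPN_PEERS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]  # assumed

LUNA_RE = re.compile(r"(luna\d+): (_tx|_do_smachine|_reset)")
DROP_RE = re.compile(r"\bdrop\b.*proto (ah|esp) src (\S+) dst (\S+)"
                     r".*Accelerator Card reports error")

def card_health(lines):
    """Per-device count of Luna driver warnings, plus the set of devices the
    driver has given up on ('too many errors, disabling device')."""
    counts, disabled = {}, set()
    for line in lines:
        m = LUNA_RE.search(line)
        if not m:
            continue
        dev = m.group(1)
        counts[dev] = counts.get(dev, 0) + 1
        if "disabling device" in line:
            disabled.add(dev)
    return counts, disabled

def bogus_drops(lines, peers):
    """Card-blamed drops where an address is multicast or outside every
    configured VPN peer network: the 'phantom' traffic the thread describes."""
    def known(addr):
        return any(addr in net for net in peers)
    hits = []
    for line in lines:
        m = DROP_RE.search(line)
        if not m:
            continue
        src, dst = ip_address(m.group(2)), ip_address(m.group(3))
        if src.is_multicast or dst.is_multicast or not (known(src) and known(dst)):
            hits.append((m.group(1), str(src), str(dst)))
    return hits
```

Running `card_health` over the real /var/adm/messages and `bogus_drops` over `fw log` output gives a quick check of whether a card has been disabled and whether the drops are the garbage-address kind rather than a genuine peer mismatch.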


