RE: [FW1] Chrysalis-ITS and CheckPoint 2000 SP2
Hmm, I'm also having problems with these cards on NT4, SP6a. I have 10 cards in total and of the 3 I'm using so far, two have failed (both ends of a VPN - which took a while to diagnose ... :-< )

I too see the same _reset errors in the event logs plus a slew of other errors including:

  Resource reporting problem E0000211
  _reset: elapsed =546 msec
  _do_smachine : Device error
  _tx: Token window lost sync

then after a while:

  _do_smachine : too many errors, disabling device

The thing to do is to turn the accelerator card off with "fw accel off" then run a "lunadiag" - mine all fail on test 3 (ie the first card related test) with an access violation error on NT.

Replacing the cards or turning off the driver restores comms between the firewalls - so it's fairly easy to diagnose - once you've been burned once.

I'm currently getting replacement cards from Chrysalis via Checkpoint - since they supplied them - I'm taking bets on the timeframe side of things if anyone's interested ;-]

Hope this helps

Cheers
Tim

-----Original Message-----
From: Peter Lukas [mailto:[email protected]]
Sent: 13 November 2000 16:33
To: [email protected]
Subject: [FW1] Chrysalis-ITS and CheckPoint 2000 SP2

Greetings,

Does the Luna VPN adapter (VPN-1 Accelerator) function reliably on a Solaris 2.7 CPfw1-41 SP2? I've been able to get them "almost" functional under SP1 and SP2, but have observed some strange behavior. For example, the card will attempt to initialize and dump errors, but the firewall logger reports a dropped packet to/from an IANA reserved address to a random Internet address. I initially suspected the adapter to have been malfunctioning, but am able to duplicate the problem on other systems/adapters.

Has anyone else observed this? Is anyone else running 2000 SP2 with the VPN-1 Accelerator on Solaris? VPN works fine with the adapter disabled, by the way...

For those interested, a more technical review of the problem, as well as some troubleshooting and logging information appears below.
Regards,
Peter Lukas

- Technical Review -

Hardware:
 * Sun Netra t1125 (UltraSPARC-IIi 440, 256MB, 2x18.1GB LVD, Sun QFE)
 * Luna VPN-1 Card (Firmware revision 1.43.1.5.1.24. Luna(TM)VPN 1.29.2)

Software:
 * Solaris 2.7 (5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-60)
 * CheckPoint 2000 Service Pack 2 (Version 4.1 Build 41716)
 * VPN-1 Accelerator Card Add-On ((sun4u) 3.10)
 * StoneBeat High Availability (3.1.5)

Problem:
The adapter fails to initialize and reports errors to the system logger. The lunadiag utility fails to properly diagnose the adapter, resulting in a core dump.

Troubleshooting:
I have an identical system with identical software and the VPN-1 encryption adapter works with no problems. I have swapped the suspect VPN-1 adapter with another (working) adapter and the `lunadiag` reported the adapter to function correctly (passed all tests). After the system was rebooted, however, the VPN adapter no longer worked and exhibited the same behavior as the initial malfunctioning card. The adapters exhibited the same behavior before Service Pack 2 was applied to the system as well.

What's even more strange is that when the encryption fails, the adapter initiates a connection to two addresses that are in no way associated with this firewall, let alone this organization. In the log provided, you can see the firewall daemon dropping the authentication header with a source of 231.107.233.149 (University of Southern California) and a destination of 69.0.0.40 (IANA -Reserved). Neither address should appear on this device. The addresses will change from time to time, too. In any case, this does not appear normal. I've snooped the interfaces during this failure and observed that the traffic does not appear on the interfaces, however.
fw log:

  8:29:08 drop <my-fw> >daemon proto ah src 231.107.233.149 dst 69.0.0.40 rule 0 decryption failure: VPN-1 Accelerator Card reports error scheme: IKE

# Neither address above is associated with this firewall/network.

/var/adm/messages:

  Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: token window lost sync
  Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: dualport: hwwl/hwrl = 4000000/0000, twwl/twrl = 0000/0000
  Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: driver: hwwl/hwrl = 4000000/0000, twwl/twrl = 0000/0000
  Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _do_smachine: device error
  Nov 10 12:14:44 <my-fw> unix: luna0: ------ Firmware Messages Begin -----
  Nov 10 12:14:44 <my-fw> unix: Firmware revision 1.43.1.5.1.24. Luna(TM)VPN 1.29.2
  Nov 10 12:14:44 <my-fw> File:D:\Projects\firmware\LunaPCI-IF2\source\luna2\main_mod\main.c
  Nov 10 12:14:44 <my-fw> Date:Sep 28 1999
  Nov 10 12:14:44 <my-fw> Time14:24:33
  Nov 10 12:14:44 <my-fw> Performing initialization...
  Nov 10 12:14:44 <my-fw> Zeroized token
  Nov 10 12:14:44 <my-fw> Set TPV to 4003004A
  Nov 10 12:14:44 <my-fw> Save label LunaVPN BETA Token
  Nov 10 12:14:44 <my-fw> Performed special init token: 0.
  Nov 10 12:14:44 <my-fw> Initialization Complete.
  Nov 10 12:14:44 <my-fw> input queue offset=0x4000000 too big
  Nov 10 12:14:44 <my-fw> CL_FatalError(0x300203)
  Nov 10 12:14:44 <my-fw> unix: luna0: ------ Firmware Messages End -----
  Nov 10 12:14:44 <my-fw> unix: luna0: _reset: elapsed = 640 msec

# fw accel stat -l:

  FW-1: VPN-1 Accelerator Card started
  Number of initialization errors: 0
  Number of processing errors: 10
  Number of ESP valid contexts: 1
  Number of AH valid contexts: 0
  Number of packets queued to the card: 0
  High water mark of number of packets in queue: 1

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
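As an added illustration, not code from either poster or from Chrysalis/Check Point, the failure signatures both messages describe (token window lost sync, _do_smachine device error, too-many-errors disable, CL_FatalError, _reset, and card-attributed decryption drops in the fw log) can be picked out of /var/adm/messages and the fw log automatically so a failed card is flagged before anyone has to diagnose a dead VPN by hand. The sample lines are constructed here with placeholder hostnames and addresses, and the signature names are my own.

```python
import re
from collections import Counter

# Driver/firmware messages the thread associates with a failing Luna card.
LUNA_PATTERNS = {
    "token_window_lost_sync": re.compile(r"_tx: token window lost sync", re.I),
    "device_error": re.compile(r"_do_smachine ?: device error", re.I),
    "device_disabled": re.compile(r"too many errors, disabling device", re.I),
    "firmware_fatal": re.compile(r"CL_FatalError\(0x[0-9a-f]+\)", re.I),
    "card_reset": re.compile(r"_reset: elapsed ?= ?\d+ msec", re.I),
}
HARD_FAILURES = {"device_error", "device_disabled", "firmware_fatal"}
# fw log line: daemon drop that the card itself reported as an error.
FW_CARD_DROP = re.compile(r"\bdrop\b.*\bsrc (\S+) dst (\S+) .*Accelerator Card reports error")

def scan_syslog(lines):
    """Count Luna failure signatures. Firmware lines between the Begin/End
    markers carry no 'luna0' tag, so that bracket is tracked explicitly."""
    hits, in_firmware = Counter(), False
    for line in lines:
        if "Firmware Messages Begin" in line:
            in_firmware = True
        elif "Firmware Messages End" in line:
            in_firmware = False
        elif in_firmware or "luna" in line.lower():
            for name, pat in LUNA_PATTERNS.items():
                if pat.search(line):
                    hits[name] += 1
    return hits

def scan_fwlog(lines):
    """(src, dst) of packets dropped with a card-reported decryption error."""
    return [m.group(1, 2) for line in lines if (m := FW_CARD_DROP.search(line))]

def card_looks_failed(syslog_lines, fwlog_lines):
    """True when the thread's symptom pattern is present: a hard device error,
    or card resets coinciding with card-attributed drops in the fw log."""
    hits = scan_syslog(syslog_lines)
    if hits.keys() & HARD_FAILURES:
        return True
    return hits["card_reset"] > 0 and bool(scan_fwlog(fwlog_lines))

# Constructed sample lines; hostname and addresses are placeholders, not real data.
SAMPLE_MESSAGES = """\
Nov 10 12:14:44 fw1 unix: WARNING: luna0: _tx: token window lost sync
Nov 10 12:14:44 fw1 unix: WARNING: luna0: _do_smachine: device error
Nov 10 12:14:44 fw1 unix: luna0: ------ Firmware Messages Begin -----
Nov 10 12:14:44 fw1 CL_FatalError(0x300203)
Nov 10 12:14:44 fw1 unix: luna0: ------ Firmware Messages End -----
Nov 10 12:14:44 fw1 unix: luna0: _reset: elapsed = 640 msec""".splitlines()
SAMPLE_FWLOG = """\
8:29:08 drop fw1 >daemon proto ah src 203.0.113.7 dst 198.51.100.9 rule 0 decryption failure: VPN-1 Accelerator Card reports error scheme: IKE
8:29:10 accept fw1 >hme0 proto tcp src 192.0.2.5 dst 192.0.2.80 rule 4""".splitlines()
```

A card that trips card_looks_failed is the one to take out of service with "fw accel off" and put through lunadiag, as Tim describes.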