RE: [FW1] Chrysalis-ITS and CheckPoint 2000 SP2
That's identical to my issues with these adapters. 3 out of 4 cards fail and exhibit erratic behavior. The cards work after the installer inserts the module (in Solaris). Once they're bounced (fw accel on|off), however, they no longer work. The technical savvy at ISS claim a high failure rate of these adapters to be commonplace. They report all sorts of odd drops in the log viewer as well:

-snip-
8:39:22 drop <MY-FW> >daemon proto 206 src 147.248.242.113 dst 69.0.0.60 rule 0 decryption failure: VPN-1 Accelerator Card reports error scheme: IKE
-snip-

The interesting thing is that neither address is associated with the firewall and no traffic to either should be passing through. I am unable to capture this traffic on the wire, though.

Peter Lukas

On Mon, 27 Nov 2000, Chilton Tim wrote:

> Hmm,
>
> I'm also having problems with these cards on NT4, SP6a.
> I have 10 cards in total and of the 3 I'm using so far, two have failed
> (both ends of a VPN - which took a while to diagnose ... :-< )
>
> I too see the same _reset errors in the event logs plus a slew of other
> errors including
>
> Resource reporting problem E0000211
> _reset: elapsed =546 msec
> _do_smachine : Device error
> _tx: Token window lost sync
>
> then after a while
>
> _do_smachine : too many errors, disabling device
>
> The thing to do is to turn the accelerator card off with "fw accel off"
> then run a "lunadiag" - mine all fail on test 3 (ie the first card related
> test) with an access violation error on NT
>
> Replacing the cards or turning off the driver restores comms between the
> firewalls - so it's fairly easy to diagnose - once you've been burned once.
>
> I'm currently getting replacement cards from Chrysalis via Checkpoint -
> since they supplied them - I'm taking bets on the timeframe side of things
> if anyone's interested ;-]
>
> Hope this helps
>
> Cheers
>
> Tim
>
> -----Original Message-----
> From: Peter Lukas [mailto:[email protected]]
> Sent: 13 November 2000 16:33
> To: [email protected]
> Subject: [W1] Chrysalis-ITS and CheckPoint 2000 SP2
>
> Greetings,
>
> Does the Luna VPN adapter (VPN-1 Accelerator) function reliably on a
> Solaris 2.7 CPfw1-41 SP2? I've been able to get them "almost" functional
> under SP1 and SP2, but have observed some strange behavior. For example,
> the card will attempt to initialize and dump errors, but the firewall
> logger reports a dropped packet to/from an IANA reserved address to a
> random Internet address.
>
> I initially suspected the adapter to have been malfunctioning, but am able
> to duplicate the problem on other systems/adapters. Has anyone else
> observed this? Is anyone else running 2000 SP2 with the VPN-1
> Accelerator on Solaris? VPN works fine with the adapter disabled, by the
> way...
>
> For those interested, a more technical review of the problem, as well as
> some troubleshooting and logging information, appears below.
>
> Regards,
>
> Peter Lukas
>
> - Technical Review -
>
> Hardware:
> * Sun Netra t1125 (UltraSPARC-IIi 440, 256MB, 2x18.1GB LVD, Sun QFE)
> * Luna VPN-1 Card (Firmware revision 1.43.1.5.1.24. Luna(TM)VPN 1.29.2)
>
> Software:
> * Solaris 2.7 (5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-60)
> * CheckPoint 2000 Service Pack 2 (Version 4.1 Build 41716)
> * VPN-1 Accelerator Card Add-On ((sun4u) 3.10)
> * StoneBeat High Availability (3.1.5)
>
> Problem:
> The adapter fails to initialize and reports errors to the system
> logger. The lunadiag utility fails to properly diagnose the adapter,
> resulting in a core dump.
>
> Troubleshooting:
> I have an identical system with identical software and the VPN-1
> encryption adapter works with no problems. I have swapped the suspect
> VPN-1 adapter with another (working) adapter and the `lunadiag` reported
> the adapter to function correctly (passed all tests). After the system
> was rebooted, however, the VPN adapter no longer worked and exhibited the
> same behavior as the initial malfunctioning card. The adapters exhibited
> the same behavior before Service Pack 2 was applied to the system as
> well.
>
> What's even more strange is that when the encryption fails, the adapter
> initiates a connection to two addresses that are in no way associated with
> this firewall, let alone this organization. In the log provided, you can
> see the firewall daemon dropping the authentication header with a source
> of 231.107.233.149 (University of Southern California) and a destination
> of 69.0.0.40 (IANA-Reserved). Neither address should appear on this
> device. The addresses will change from time to time, too. In any case,
> this does not appear normal. I've snooped the interfaces during this
> failure and observed that the traffic does not appear on the interfaces,
> however.
>
> fw log:
> 8:29:08 drop <my-fw> >daemon proto ah src 231.107.233.149 dst 69.0.0.40 rule 0 decryption failure: VPN-1 Accelerator Card reports error scheme: IKE
> # Neither address above is associated with this firewall/network.
>
> /var/adm/messages:
> Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: token window lost sync
> Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: dualport: hwwl/hwrl = 4000000/0000, twwl/twrl = 0000/0000
> Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: driver: hwwl/hwrl = 4000000/0000, twwl/twrl = 0000/0000
> Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _do_smachine: device error
> Nov 10 12:14:44 <my-fw> unix: luna0: ------ Firmware Messages Begin -----
> Nov 10 12:14:44 <my-fw> unix: Firmware revision 1.43.1.5.1.24. Luna(TM)VPN 1.29.2
> Nov 10 12:14:44 <my-fw> File:D:\Projects\firmware\LunaPCI-IF2\source\luna2\main_mod\main.c
> Nov 10 12:14:44 <my-fw> Date:Sep 28 1999
> Nov 10 12:14:44 <my-fw> Time14:24:33
> Nov 10 12:14:44 <my-fw> Performing initialization...
> Nov 10 12:14:44 <my-fw> Zeroized token
> Nov 10 12:14:44 <my-fw> Set TPV to 4003004A
> Nov 10 12:14:44 <my-fw> Save label LunaVPN BETA Token
> Nov 10 12:14:44 <my-fw> Performed special init token: 0.
> Nov 10 12:14:44 <my-fw> Initialization Complete.
> Nov 10 12:14:44 <my-fw> input queue offset=0x4000000 too big
> Nov 10 12:14:44 <my-fw> CL_FatalError(0x300203)
> Nov 10 12:14:44 <my-fw> unix: luna0: ------ Firmware Messages End -----
> Nov 10 12:14:44 <my-fw> unix: luna0: _reset: elapsed = 640 msec
>
> # fw accel stat -l:
> FW-1: VPN-1 Accelerator Card started
> Number of initialization errors: 0
> Number of processing errors: 10
> Number of ESP valid contexts: 1
> Number of AH valid contexts: 0
> Number of packets queued to the card: 0
> High water mark of number of packets in queue: 1
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
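As an added example (not code from the thread, from Check Point or from Chrysalis), the following parses FW-1 log viewer drop lines in the format quoted above and flags accelerator-card decryption failures whose source or destination lies outside the firewall's own and VPN-peer networks, which is the symptom both posters describe. The regular expression, the `KNOWN_NETS` list and the third sample line (a drop for a legitimate peer) are constructed assumptions; the first two sample lines are the drops quoted in the thread.

```python
import re
import ipaddress

# Constructed pattern for the FW-1 log viewer lines quoted in the thread:
#   HH:MM:SS drop <fw> >daemon proto <proto> src <ip> dst <ip> rule <n> <reason...>
FW_LOG_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<action>\w+)\s+<(?P<fw>[^>]+)>\s+"
    r">(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)\s+src\s+(?P<src>\S+)\s+"
    r"dst\s+(?P<dst>\S+)\s+rule\s+(?P<rule>\d+)\s*(?P<reason>.*)$"
)

CARD_ERROR = "VPN-1 Accelerator Card reports error"


def parse_fw_log(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = FW_LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def accelerator_drops(lines, known_nets):
    """Return accelerator-card error drops, each tagged with the addresses that
    fall outside known_nets (the firewall's own and VPN-peer networks)."""
    nets = [ipaddress.ip_network(n) for n in known_nets]
    out = []
    for line in lines:
        rec = parse_fw_log(line)
        if not rec or rec["action"] != "drop" or CARD_ERROR not in rec["reason"]:
            continue
        rec["foreign_addrs"] = [
            a for a in (rec["src"], rec["dst"])
            if not any(ipaddress.ip_address(a) in n for n in nets)
        ]
        out.append(rec)
    return out


# Sample input: the two drops quoted in the thread plus one constructed drop
# for a legitimate VPN peer inside the firewall's known networks.
SAMPLE_LOG = [
    "8:39:22 drop <MY-FW> >daemon proto 206 src 147.248.242.113 dst 69.0.0.60 rule 0 decryption failure: VPN-1 Accelerator Card reports error scheme: IKE",
    "8:29:08 drop <my-fw> >daemon proto ah src 231.107.233.149 dst 69.0.0.40 rule 0 decryption failure: VPN-1 Accelerator Card reports error scheme: IKE",
    "8:40:01 drop <my-fw> >daemon proto esp src 192.0.2.10 dst 192.0.2.1 rule 0 decryption failure: VPN-1 Accelerator Card reports error scheme: IKE",
]
# Constructed placeholder for the firewall's own and peer networks (RFC 5737 documentation range).
KNOWN_NETS = ["192.0.2.0/24"]

if __name__ == "__main__":
    for rec in accelerator_drops(SAMPLE_LOG, KNOWN_NETS):
        flag = "UNRELATED ADDRESSES" if rec["foreign_addrs"] else "known peer"
        print(rec["time"], rec["proto"], rec["src"], "->", rec["dst"], flag)
```

Drops tagged with unrelated addresses but no matching traffic on the wire point at the card, not at the network, so they are worth correlating with the luna0 warnings in /var/adm/messages rather than with the rulebase.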