
RE: [FW1] SecuRemote 4166/Win2K changes from udp to esp mid-session



I haven't seen this before, but let me suggest one thing.
Why do you force udp encapsulation? You don't have to force it. FW can
automatically detect whether it is behind the NAT device or not. There are
some exceptions: NAT devices which do not change the port number even in
Hide NAT. In such cases, you might want to 'force' it. But in general, you
are not supposed to use forced mode for encapsulation.

So I suggest trying without forced mode. But I'm just suggesting this to see
if there is any difference and to find a workaround for this problem.

In my experience, CP's product on W2K needs to be more polished, regardless
of whether it is FW or SR. I wouldn't be surprised if you see this kind of weirdness.

Thanks,

Sun Yu, CISSP
Lucent Worldwide Services


> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Minder, Brian
> Sent: Friday, January 12, 2001 8:39 AM
> To: [email protected]
> Subject: [FW1] SecuRemote 4166/Win2K changes from udp to esp mid-session
>
> I'm testing SecuRemote build 4166 on Win2K and I've noticed consistent
> oddness.  While I have "force_udp_encapsulation (true)" on the client, the
> session seems to change back and forth from udp to esp over time.  Clients
> with routable addresses continue to function, but this breaks clients who
> are connecting from behind a NAT device.  Anyone have any insight as to what
> might cause this?  I am not experiencing this issue with other
> builds/platforms.  Dumps of portions of the session are below.
>
> Thanks,
>
> -Brian
>
> --
> Brian Minder <[email protected]>
> Systems and Network Engineering, onehealthbank.com
>
>
>
> Here's the problem environment:
>
> P440 running 4.1-SP2/IPSO-3.2.1
> Hybrid IKE w/ TACACS
> Win2K SP1 w/ SecuRemote 4166 with "force_udp_encapsulation (true)"
>
>
>
> The symptoms are:
>
> The client connects, is challenged, and authenticates.  Everything is
> working great, sometimes for quite a while.  A tcpdump of the connection
> shows something like the following:
>
> 13:23:34.332713 roadwarrior.2746 > myfirewall.2746:  udp 196
> 13:23:34.335601 myfirewall.2746 > roadwarrior.2746:  udp 588
> 13:23:34.688933 roadwarrior.2746 > myfirewall.2746:  udp 148
> 13:23:34.689969 myfirewall.2746 > roadwarrior.2746:  udp 172
> 13:23:34.989065 roadwarrior.2746 > myfirewall.2746:  udp 172
> 13:23:34.989882 myfirewall.2746 > roadwarrior.2746:  udp 108
>
> After some period of time there's some keying traffic, and the session is
> suddenly over esp!  At this point a client who is connecting from behind a
> NAT device gets the message "Connection with site SITENAME has failed" and
> has to reboot (not just restart SecuRemote) to reconnect.
>
> 13:32:51.297712 roadwarrior.isakmp > myfirewall.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
>         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 164
> 13:32:51.300268 roadwarrior.isakmp > myfirewall.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
>         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 5dc43f5f len: 60
> 13:32:51.311456 myfirewall.isakmp > roadwarrior.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
>         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 60
> 13:32:51.339565 roadwarrior.isakmp > myfirewall.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
>         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 5dc43f5f len: 60
> 13:32:51.428555 myfirewall.isakmp > roadwarrior.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
>         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 60
> 13:32:51.538545 myfirewall.isakmp > roadwarrior.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
>         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 60
> 13:33:08.798800 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 1 len 124
> 13:33:08.799560 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 1 len 124
> 13:33:09.134993 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 2 len 76
> 13:33:15.235756 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 3 len 452
> 13:33:15.249257 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 2 len 84
> 13:33:41.612521 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 4 len 124
> 13:33:41.613161 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 3 len 124
> 13:33:41.979623 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 5 len 76
>
> Even better, sometimes after a rekey the client is using udp encapsulation
> while the FW is using esp, or vice versa:
>
> 13:51:12.284988 roadwarrior.isakmp > myfirewall.773:  isakmp v1.0 exchange QUICK_MODE encrypted
>         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 14cd7e32 len: 60
> 13:51:12.374089 myfirewall.773 > roadwarrior.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
>         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 7e5149e2 len: 60
> 13:51:12.385145 roadwarrior.isakmp > myfirewall.773:  isakmp v1.0 exchange QUICK_MODE encrypted
>         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 14cd7e32 len: 60
> 13:51:12.484044 myfirewall.773 > roadwarrior.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
>         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 7e5149e2 len: 60
> 13:51:19.253692 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 1 len 452
> 13:51:19.265618 myfirewall.2746 > roadwarrior.2746:  udp 76
> 13:51:44.409883 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 2 len 124
> 13:51:44.410559 myfirewall.2746 > roadwarrior.2746:  udp 116
> 13:51:44.810868 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 3 len 76
> 13:52:17.206839 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 4 len 124
> 13:52:17.207597 myfirewall.2746 > roadwarrior.2746:  udp 116
> 13:52:17.545791 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 5 len 76
>
>
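The dumps above show the thing a defender actually wants to catch: after a Quick Mode rekey, one or both directions of the tunnel flip between UDP-encapsulated traffic on port 2746 and raw ESP, and in the last dump the two directions disagree for the rest of the capture. The script below is an added example for this thread, not code from either poster or from Check Point: it parses tcpdump lines of the two shapes seen in the post, records every per-direction mode change, and reports stretches during which the client and firewall are using different encapsulations. The sample input is spliced together from the lines quoted above; the port number 2746 is taken from the dumps, the host names `roadwarrior` and `myfirewall` are the poster's, and all function names are this example's own.

```python
import re
from dataclasses import dataclass

# UDP encapsulation port as it appears in the dumps quoted in the post.
UDP_ENCAP_PORT = 2746

# tcpdump line for UDP-encapsulated traffic, e.g.
#   13:23:34.332713 roadwarrior.2746 > myfirewall.2746:  udp 196
UDP_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):\s+udp (?P<len>\d+)$')
# tcpdump line for raw ESP, e.g.
#   13:33:08.798800 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 1 len 124
ESP_RE = re.compile(
    r'^(?P<ts>\S+) esp (?P<src>\S+) > (?P<dst>\S+) spi (?P<spi>0x[0-9A-Fa-f]+) seq (?P<seq>\d+) len (?P<len>\d+)$')


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    mode: str  # "udp" (encapsulated on port 2746) or "esp" (raw IP protocol 50)


def parse_line(line):
    """Classify one tcpdump line; ISAKMP and anything unrecognised returns None."""
    line = line.strip()
    m = UDP_RE.match(line)
    if m and int(m['sport']) == UDP_ENCAP_PORT and int(m['dport']) == UDP_ENCAP_PORT:
        return Packet(m['ts'], m['src'], m['dst'], 'udp')
    m = ESP_RE.match(line)
    if m:
        return Packet(m['ts'], m['src'], m['dst'], 'esp')
    return None


def analyze(lines):
    """Return (transitions, runs).

    transitions: (ts, direction, old_mode, new_mode) each time one direction changes mode.
    runs: (first_ts, last_ts, packet_count) for each stretch of packets during which the
          two directions were last seen using different encapsulations.
    """
    last_mode = {}   # direction -> mode of the most recent packet in that direction
    transitions = []
    runs = []
    run_start = run_end = None
    run_len = 0
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        direction = f"{pkt.src}->{pkt.dst}"
        prev = last_mode.get(direction)
        if prev is not None and prev != pkt.mode:
            transitions.append((pkt.ts, direction, prev, pkt.mode))
        last_mode[direction] = pkt.mode
        if len(set(last_mode.values())) > 1:
            if run_len == 0:
                run_start = pkt.ts
            run_end = pkt.ts
            run_len += 1
        elif run_len:
            runs.append((run_start, run_end, run_len))
            run_len = 0
    if run_len:
        runs.append((run_start, run_end, run_len))
    return transitions, runs


# Constructed sample: lines excerpted from the three dumps in the post and spliced together.
SAMPLE_LINES = [
    "13:23:34.332713 roadwarrior.2746 > myfirewall.2746:  udp 196",
    "13:23:34.335601 myfirewall.2746 > roadwarrior.2746:  udp 588",
    "13:32:51.297712 roadwarrior.isakmp > myfirewall.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted",
    "13:33:08.798800 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 1 len 124",
    "13:33:08.799560 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 1 len 124",
    "13:51:19.253692 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 1 len 452",
    "13:51:19.265618 myfirewall.2746 > roadwarrior.2746:  udp 76",
    "13:51:44.409883 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 2 len 124",
]

if __name__ == "__main__":
    transitions, runs = analyze(SAMPLE_LINES)
    for ts, direction, old, new in transitions:
        print(f"{ts} {direction}: {old} -> {new}")
    for first, last, count in runs:
        print(f"directions disagree from {first} to {last} ({count} packets)")
```

A one-packet run right after a rekey is just the two sides switching over at slightly different moments; a run that keeps growing, like the second one in the sample, is the asymmetric state the poster describes, where the client has moved to ESP while the firewall still answers over UDP 2746. Feeding a real `tcpdump -n` capture through `analyze(open(path))` gives the same report; the regular expressions assume the exact output format quoted in the post and will need adjusting for other tcpdump versions.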



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================