Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW1] ISAKMP AddNegotiation: try to handle too many negotiations

To: "'[email protected]'" <[email protected]>, Firewalls <[email protected]>
Subject: [FW1] ISAKMP AddNegotiation: try to handle too many negotiations
From: cristian nicolae <[email protected]>
Date: Sun, 14 Jan 2001 20:59:40 +0100
Sender: [email protected]

Dear all,
In my firewall logs (Nokia IP650 running Firewall-1 v4.1 SP2) the
message  
ISAKMP AddNegotiation: try to handle too many negotiations
appears repeatedly filling up my logs.

The context is the following:
- an IPSec VPN between my box and another Nokia IP650 box with IKE
subnet key negociation enabled is currenly running without problems
- another IPSec VPN between my box and a CISCO router (IOS with IPSec
firewall feature set) with IKE key negociation per host is also running
but with some failed key negociations (the usual message "No response
from peer appears in my firewall-1 logs).

I suspect that these failures in negociating a key between CISCO and
Nokia are partly, at least, attributable to the limited number of
simultaneous ISAKMP key negociations FW-1 can handle at once.

According to Phoneboy (http://www.phoneboy.com/fw1/faq/0373.html) this
problem is present only in v4.0 of FW-1. 

I could not manage to enable subnet key negociations on the CISCO (it
looks to me that this feature is not yet present). 

I have also checked the Nokia Knowledge Base. In the resolution 2093
which covers this subject, they say 
"[...]The limitation of 100 concurrent IKE negotiations will be made
dynamic
in the next version of FireWall-1 scheduled for after the middle of
2000."

I would like to know if any of you have experienced this problem, in
particular, in relation to the VPN between Nokia and CISCO and if
generally those of you who have setup such VPNs (FW-1 <-> CISCO) are
experiencing bad performance/problems/packet loss/failed key
negociations followed by succesful key negociations, etc.

I mention that I took care about the keys lifetime and I have set them
to be the same on Nokia and CISCO. 

Thanks very much in advance for your help.

Cristian Nicolae


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: [FW1] Losing Connections to Mapped Network Drives
Next by Date: RE: [FW1] Opinion: Blocking hotmail, etc?
Previous by thread: [FW1] Losing Connections to Mapped Network Drives
Next by thread: [FW1] SMS and X11 through SecuRemote
Index(es):
- Date
- Thread