[FW1] ISAKMP AddNegotiation: try to handle too many negotiations
Dear all,

In my firewall logs (Nokia IP650 running Firewall-1 v4.1 SP2) the message

ISAKMP AddNegotiation: try to handle too many negotiations

appears repeatedly, filling up my logs. The context is the following:

- an IPSec VPN between my box and another Nokia IP650 box with IKE subnet key negotiation enabled is currently running without problems
- another IPSec VPN between my box and a CISCO router (IOS with IPSec firewall feature set) with IKE key negotiation per host is also running, but with some failed key negotiations (the usual message "No response from peer" appears in my Firewall-1 logs).

I suspect that these failures in negotiating a key between CISCO and Nokia are partly, at least, attributable to the limited number of simultaneous ISAKMP key negotiations FW-1 can handle at once. According to Phoneboy (http://www.phoneboy.com/fw1/faq/0373.html) this problem is present only in v4.0 of FW-1. I could not manage to enable subnet key negotiations on the CISCO (it looks to me that this feature is not yet present).

I have also checked the Nokia Knowledge Base. In resolution 2093, which covers this subject, they say "[...]The limitation of 100 concurrent IKE negotiations will be made dynamic in the next version of FireWall-1 scheduled for after the middle of 2000."

I would like to know if any of you have experienced this problem, in particular in relation to the VPN between Nokia and CISCO, and if generally those of you who have set up such VPNs (FW-1 <-> CISCO) are experiencing bad performance/problems/packet loss/failed key negotiations followed by successful key negotiations, etc. I mention that I took care of the key lifetimes and I have set them to be the same on Nokia and CISCO.

Thanks very much in advance for your help.

Cristian Nicolae