[FW1] NAT disappears
For some time we had a problem with address translation. In all cases, the problem has been with entities - both hidden and static - that have been in place for quite some time. This absolutely eliminates routing as a cause. We run 19 Firewalls - 4 NT and 15 Nokia 330s. Checkpoint on NT is at 4.1 SP3. Checkpoint on the Nokias is 4.1 SP2 with flows running on IPSO 3.3-FCS3. The remotes are loaded from an NT mgmt console also running 4.1 SP3.

The problem exhibits itself as follows. We have remotes that hide multiple 10Dot address spaces. For no apparent reason, one of the hidden address spaces loses its ability to browse the Internet. Examination of traffic on the outside interface shows that the 10Dots are not being translated. It also exhibits itself for statically translated entities. For example - a previously available OWA server is no longer accessible.

In lots of cases, pushing a policy to the failing remote fixes the problem. In some cases it does not. When it does not, the process of resuscitating the remote is very painful. We have to unload the Firewall, FWstop, delete the state tables, FWstart.

We have tried applying HOTfix 3701 but it seemed to make it worse, so we backed it off. We have tried making the connection table bigger, no luck here either. The only relief we get is when we eliminate all translation rules generated automatically. We have to do all address translation manually and this seems to stop the problem from occurring. This is an undesirable solution because it creates a lot of extra work in setting up entities.

Things we have tried but have not seemed to help:

In objects.C we changed:

:nat_limit (25000)
nat_hashsize (16384)

to

:nat_limit (50000)
:nat_hashsize (65536)

Note: objects.C remains modified as above.

We also tried increasing the size of the connections table in the table.DEF file to hashsize 65536 limit 50000. This also did not seem to help. Note: table.def was reset to 8192 limit 25000.
Table.def has also been modified to keep VPN connections alive during a reload of a policy. Therefore, 'keep' was added after dynamic:

connections = dynamic keep refresh sync expires TCP_START_TIMEOUT

The above change was made a year ago on the 4.0 SP3 firewall mgmt console and carried forward to preserve the VPNs during a reload.

The bottom line here is that the only change that has caused a positive impact was to stop using automatically generated NAT rules and to do them manually. The VAR I use made this suggestion as well as the others above. We are both at our wits' end trying to resolve this. If it proves out that using manual NAT rules versus autoNAT rules gets around the problem, I will go in this direction until some time in the future when I'll try autoNAT again. I think the VAR has done a good job as far as helping me; however, the problem goes unresolved and has had the unfortunate side effect of giving a previously almost perfectly performing network a very bad black eye.

George Janz
North Stonington
Fairfax
[email protected]
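As an added example (not code from the original post or from Check Point), the outside-interface check George describes, automated: parse tcpdump -n style lines captured on the outside interface and report outbound packets whose source is still an RFC 1918 address, grouped by /24 so the hidden address space that lost its NAT stands out. The capture lines and all addresses below are constructed, not from the post.

```python
import ipaddress
import re

# Constructed sample of "tcpdump -n" lines from the outside interface.
# Addresses are hypothetical; 10.x and 172.16.x sources should never appear
# here once hide NAT is working.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.20.30.40.1034 > 198.51.100.10.80: Flags [S], seq 1, win 8192
12:00:01.000102 IP 203.0.113.5.1035 > 198.51.100.10.80: Flags [S], seq 2, win 8192
12:00:01.000203 IP 10.20.31.7.1036 > 198.51.100.20.443: Flags [S], seq 3, win 8192
12:00:01.000304 IP 198.51.100.10.80 > 203.0.113.5.1035: Flags [S.], seq 9, ack 3, win 8192
12:00:01.000405 IP 172.16.5.9.1037 > 198.51.100.30.25: Flags [S], seq 4, win 8192
"""

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "IP <src>.<sport> > <dst>.<dport>:" as printed by tcpdump -n for IPv4.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_line(line):
    """Return (src, sport, dst, dport) or None for lines that are not IPv4 flows."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def find_untranslated(capture):
    """Outbound packets (private src, public dst) that left the firewall untranslated."""
    hits = []
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _sport, dst, dport = parsed
        if is_private(src) and not is_private(dst):
            hits.append((src, dst, dport))
    return hits


def summarize_by_network(hits):
    """Count leaked sources per /24 to show which hidden address space lost NAT."""
    counts = {}
    for src, _dst, _dport in hits:
        net = str(ipaddress.ip_network(f"{src}/24", strict=False))
        counts[net] = counts.get(net, 0) + 1
    return counts
```

Feed it a real capture with `find_untranslated(open("outside.txt").read())`; an empty result means NAT is translating every outbound flow seen.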