NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] NAT disappears



Hello George.

Welcome to my world.

I have ticket open at checkpoint for this problem i will keep you informed.
If you get a solution on this one please inform me.

Regards

Johan



----- Original Message -----
From: "Janz, George" <[email protected]>
To: <[email protected]>
Sent: Monday, February 26, 2001 2:28 PM
Subject: [FW1] NAT disappears


>
> For some time we had a problem with address translation.  In all cases,
the
> problem has been with entities - both hidden and static, that have been in
> place for quite some time.  This absolutely eliminates routing as a cause.
>
> We run 19 Firewalls - 4 NT and 15 Nokia 330s.  Checkpoint on NT is at 4.1
> SP3.  Checkpoint on the Nokias is 4.1 SP2 with flows running on IPSO
> 3.3-FCS3. The remotes are loaded from a NT mgmt console also running 4.1
> SP3.
> The problem exhibits itself as follows.  We have remotes that hide
multiple
> 10Dot address spaces.  For no apparent reason, one of the hidden address
> spaces looses its ability to browse the Internet.  Examination of traffic
on
> the outside interface shows that the 10Dots are not being translated.  It
> also exhibits itself for statically translated entities.  For example - a
> previously availalbe OWA server is no longetr accessible.
> In lots of cases, pushing a policy to the failing remote fixes the
problem.
> In some cases it does not.  When it does not, the process of resusitating
> the remote is very painful.  We have to unload the Firewall, FWstop,
delete
> the state tables, FWstart.
> We have tried applying HOTfix 3701 but it seemed to make it worse, so we
> backed it off.  We have tried making the connection table bigger, no luck
> here either.
> The only relief we get is when we eliminate all translation rules
generated
> automatically.  We have to do all address translation manually and this
> seems to stop the problem from occurring.  This is an undesirable solution
> because it creates alot of extra work in setting up entities.
> Things we have tried but have not seemed to help:
> In objects.C we changed:
> :nat_limit (25000)
> nat_hashsize (16384)
> to
> :nat_limit (50000)
> :nat_hashsize (65536)
> Note: objects.C remains modified as above.
> We also tried increasing the size of the connections table in the
table.DEF
> file to hashsize 65536 limit 50000.  This also did not seem to help.
Note:
> table.def was reset to 8192 limit 25000.
> Table.def has also been modified to keep VPN connection alive during a
> reload of a policy.  Therefore, 'keep' was added after dynamic.
> connections = dynamic keep refresh sync expires TCP_START_TIMEOUT
>
> The above change was made a year ago on the 4.0 SP3 firewall mgmt cosole
and
> carried forward to preserve the VPNs during a reload.
>
> The bottom line here is that the only change that has caused a positive
> impact was to make stop using automatically generated NAT rules and to do
> them manually.  The VAR I use made this suggestion as well as the others
> above.  We are both at our wits end trying to resolve this.  If it proves
> out the using manual NAT rules versus autoNAT rules gets around the
problem,
> I will go in this direction until some time in the future when I'll try
> autoNat again.  I think the VAR has gone a good job as far as helping me,
> however, the problem goes unresolved and has had the unfortunate side
effect
> to giving a previously almost perfectly performing network a very bad
black
> eye.
>
>
> George Janz
>North Stonington
>Fairfax
> [email protected]
>
>
>
>
============================================================================
====
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
>
============================================================================
====



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.