[FW1] VPNs bouncing!
Hoping to get a bit of info from people here....

Environment:

Central Site
-----------------
FW - IP650, IPSO 3.2.1, FW1 4.1 SP2
MGMT - NT 4.0, SP6, FW1 4.1 SP3

Remote Sites
----------------------
FW/MGMT Svr A - NT 4.0 SP6, FW1 4.0 SP5/6 (I believe)
FW/MGMT Svr B - Solaris 7, FW1 4.1 SP2

I have the Central Site Firewall as a hub with site-to-site VPNs to FW A (4.0) and FW B (4.1), both using IKE encryption. I'm running into major problems with my VPNs bouncing. I'm seeing the "...too many IKE negotiations" error messages. I'm currently NOT using Subnet Key Exchange for IKE because of the one remaining 4.0 firewall. An upgrade is in the works (as is the migration to subnet key exchange).

My problem is that periodically my VPNs will stop functioning to all sites. But all other firewall traffic continues to flow without a hitch! FTP, Telnet, HTTP, all no problem. The only thing that ceases to function is VPNs or anything to do with encryption...it even seems to be affecting SecuRemote connections. I check the ISAKMP daemon and it's still running as far as I can see. The problem only appears to be with encryption. My theory is that the firewall is getting overloaded with IKE encryption, but I can't figure out how to tell exactly. IKE.elg doesn't mean much to me...it's too cryptic.

One question I pose is this: If during, let's say, a Telnet session to a host over a VPN, the firewalls try to REnegotiate (remember we are in host key exchange mode here), and let's say that our attempted renegotiation is number 101, out of 100 concurrent IKE negotiations allowed, to my firewall. Since I'm no. 101, what happens to my session? Do I get cut off? Session drops? OR do I continue to function, with the firewall continuing to find a "window" to renegotiate? I pose this question because I have received both a YES AND a NO from Checkpoint themselves!! So what I need here is a definitive answer!

To make things worse...the VPNs will come back up after a while...and I haven't done a thing in terms of changes! I'm at a total loss here as to what is causing the problem. Any insight from anyone would be greatly appreciated!

Thanks in Advance.

Chad Smith
Sr. Network Engineer
Vertis, Inc.

"The purpose of the race is not necessarily to win, but to test the limits of the human heart"
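The post contrasts host key exchange (where the firewall negotiates a separate SA for each host pair) with subnet key exchange, against a cap of 100 concurrent IKE negotiations. The following is an added illustration, not code from the post or from Check Point: a simplified model (an assumption, not FW-1's real SA accounting) that counts how many distinct negotiations a constructed traffic mix would need under each mode and checks it against the cap.

```python
from ipaddress import ip_address, ip_network

# Concurrent IKE negotiation limit mentioned in the post.
MAX_CONCURRENT_NEGOTIATIONS = 100

# Constructed sample topology (assumption): 12 central hosts talking to
# 10 hosts at each of two remote sites, i.e. 240 distinct host pairs.
CENTRAL_HOSTS = [f"10.1.1.{i}" for i in range(1, 13)]
REMOTE_HOSTS = [f"10.2.5.{i}" for i in range(1, 11)] + [f"10.3.7.{i}" for i in range(1, 11)]
SAMPLE_FLOWS = [(s, d) for s in CENTRAL_HOSTS for d in REMOTE_HOSTS]

LOCAL_NETS = [ip_network("10.1.0.0/16")]
REMOTE_NETS = [ip_network("10.2.0.0/16"), ip_network("10.3.0.0/16")]


def sa_pairs_host_mode(flows):
    """Host key exchange: one negotiation per distinct (src host, dst host) pair."""
    return {(src, dst) for src, dst in flows}


def _net_of(addr, nets):
    """Return the first subnet in `nets` containing `addr`, or None."""
    a = ip_address(addr)
    for n in nets:
        if a in n:
            return n
    return None


def sa_pairs_subnet_mode(flows, local_nets, remote_nets):
    """Subnet key exchange: one negotiation per (local subnet, remote subnet) pair."""
    return {(_net_of(src, local_nets), _net_of(dst, remote_nets)) for src, dst in flows}


def over_limit(count, limit=MAX_CONCURRENT_NEGOTIATIONS):
    """True when the required negotiations exceed the concurrent cap."""
    return count > limit


if __name__ == "__main__":
    host = len(sa_pairs_host_mode(SAMPLE_FLOWS))
    subnet = len(sa_pairs_subnet_mode(SAMPLE_FLOWS, LOCAL_NETS, REMOTE_NETS))
    print(f"host key exchange:   {host} negotiations, over limit: {over_limit(host)}")
    print(f"subnet key exchange: {subnet} negotiations, over limit: {over_limit(subnet)}")
```

Under this model the same traffic needs 240 negotiations in host mode but only 2 in subnet mode, which is why the planned migration directly addresses the "too many IKE negotiations" condition.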