

[FW1] VPNs bouncing!



Hoping to get a bit of info from people here....

Enviro:

Central Site
-----------------
FW - IP650, IPSO 3.2.1, FW1 4.1 SP2
MGMT - NT 4.0, SP6, FW1 4.1 SP3

Remote Sites
----------------------
FW /MGMT Svr A - NT 4.0 SP6, FW1 4.0 SP5/6 (I believe)
FW /MGMT Svr B - Solaris 7, FW1 4.1 SP2


I have the Central Site Firewall as a hub with site-to-site VPNs to FW A
(4.0) and FW B (4.1) both using IKE encryption.  I'm running into major
problems with my VPNs bouncing.  I'm seeing the "...too many IKE
negotiations" error messages.  I'm currently NOT using Subnet Key Exchange
for IKE because of the one remaining 4.0 firewall.  An upgrade is in the
works (as is the migration to subnet key exchange).  My problem is that
periodically my VPNs will stop functioning to all sites.  But all other
firewall traffic continues to flow without a hitch!  FTP, Telnet, HTTP, all
no problem.  The only thing that ceases to function is VPNs or anything to
do with encryption...it even seems to be affecting SecuRemote connections.
I check the ISAKMP daemon and it's still running as far as I can see.  The
problem only appears to be with encryption.   My theory is that the
firewall is getting overloaded with IKE encryption but I can't figure out
how to tell exactly.  IKE.elg doesn't mean much to me...it's too cryptic.
One question I pose is this:

If during, let's say, a Telnet session to a host over a VPN, the firewalls
try to REnegotiate (remember we are in host key exchange mode here), and
let's say that our attempted renegotiation is number 101, out of 100
concurrent IKE negotiations allowed, to my firewall.  Since I'm No. 101, what
happens to my session?  Do I get cut off?  Session drops?  OR do I
continue to function, with the firewall continuing to find a "window" to
renegotiate?

I pose this question because I have received both a YES AND a NO from
Check Point themselves!!  So what I need here is a definitive answer!

To make things worse...the VPNs will come back up after a while...and I
haven't done a thing in terms of changes!  I'm at a total loss here as
to what is causing the problem.  Any insight from anyone would be greatly
appreciated!

Thanks in Advance.

Chad Smith
Sr. Network Engineer
Vertis, Inc.

"The purpose of the race is not necessarily to win, but to test the limits
of the human heart"



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
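The post's open question is how to tell whether the firewall really is hitting its concurrent-IKE-negotiation ceiling. One way to measure that without reading ike.elg is to count phase 1 negotiations in flight directly from the ISAKMP headers on UDP/500. The script below is an added example, not code from the original post or from Check Point; it parses the fixed ISAKMP header as laid out in RFC 2408 (section 3.1), treats a Main Mode or Aggressive Mode message with an all-zero responder cookie as the start of a phase 1 negotiation, and treats the first Quick Mode message for that initiator cookie as its completion. The `limit` and `timeout` values, the `sample_report` helper and the packet trace are assumptions constructed for the example (the post mentions a limit of 100; the sample uses 2 so the overflow case is visible), and a real run would feed it payloads pulled from a pcap rather than the constructed list.

```python
"""Count concurrent IKEv1 phase 1 negotiations from ISAKMP headers.

Added example, not part of the original post. It assumes the caller has
already extracted UDP/500 payloads (for example with a pcap reader); the
packets below are constructed in the script for illustration.
"""
import struct

# ISAKMP fixed header, RFC 2408 section 3.1: initiator cookie (8), responder
# cookie (8), next payload (1), version (1), exchange type (1), flags (1),
# message ID (4), length (4): 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCH_IDENTITY_PROTECTION = 2   # Main Mode
EXCH_AGGRESSIVE = 4
EXCH_QUICK_MODE = 32           # phase 2, only possible after phase 1 succeeded
ZERO_COOKIE = b"\x00" * 8
IKEV1_VERSION = 0x10           # major 1, minor 0


def parse_isakmp_header(payload):
    """Return a dict of header fields, or None if payload is not an IKEv1 header."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, _next, version, exch, _flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    if version >> 4 != 1 or length < ISAKMP_HDR.size:
        return None
    return {"icookie": icookie, "rcookie": rcookie, "exchange": exch,
            "msg_id": msg_id, "length": length}


def track_phase1(packets, limit, timeout):
    """packets: iterable of (timestamp_seconds, udp_payload_bytes), in time order.

    A phase 1 negotiation is 'open' from the first Main/Aggressive Mode message
    carrying an all-zero responder cookie until either a Quick Mode message
    for the same initiator cookie is seen (phase 1 finished) or `timeout`
    seconds pass without completion (peer gave up or the daemon dropped it).
    Returns peak concurrency, every instant the count exceeded `limit`, and
    the negotiations still open at the end of the trace.
    """
    open_since = {}          # initiator cookie -> timestamp of first message
    peak = 0
    over_limit = []
    for ts, payload in packets:
        hdr = parse_isakmp_header(payload)
        if hdr is None:
            continue
        # expire stale negotiations first so they do not inflate the count
        for ic in [ic for ic, t0 in open_since.items() if ts - t0 > timeout]:
            del open_since[ic]
        ic = hdr["icookie"]
        if hdr["exchange"] in (EXCH_IDENTITY_PROTECTION, EXCH_AGGRESSIVE):
            # retransmits of message 1 keep the same cookie: count it once
            if hdr["rcookie"] == ZERO_COOKIE and ic not in open_since:
                open_since[ic] = ts
        elif hdr["exchange"] == EXCH_QUICK_MODE:
            open_since.pop(ic, None)
        n = len(open_since)
        peak = max(peak, n)
        if n > limit:
            over_limit.append((ts, n))
    return {"peak": peak, "over_limit": over_limit, "still_open": sorted(open_since)}


def make_isakmp(icookie, rcookie, exch, msg_id=0, body=b""):
    """Build a minimal ISAKMP message (header plus opaque body) for the sample trace."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, 0, IKEV1_VERSION, exch, 0, msg_id, length) + body


# Constructed trace (not a real capture): three peers start Main Mode, only
# peer A reaches Quick Mode, and peer B's attempt is abandoned past the timeout.
CK_A, CK_B, CK_C = b"A" * 8, b"B" * 8, b"C" * 8
RESP_A = b"R" * 8
SAMPLE_TRACE = [
    (0.0, make_isakmp(CK_A, ZERO_COOKIE, EXCH_IDENTITY_PROTECTION)),     # A msg 1
    (1.0, make_isakmp(CK_B, ZERO_COOKIE, EXCH_IDENTITY_PROTECTION)),     # B msg 1
    (2.0, make_isakmp(CK_A, RESP_A, EXCH_IDENTITY_PROTECTION)),          # A msg 2 (response)
    (2.5, make_isakmp(CK_B, ZERO_COOKIE, EXCH_IDENTITY_PROTECTION)),     # B retransmit, not re-counted
    (3.0, make_isakmp(CK_C, ZERO_COOKIE, EXCH_IDENTITY_PROTECTION)),     # C msg 1 -> 3 open
    (4.0, make_isakmp(CK_A, RESP_A, EXCH_QUICK_MODE, msg_id=0x1234)),    # A phase 2 -> A closed
    (5.0, b"not isakmp"),                                                 # ignored
    (62.0, make_isakmp(CK_C, b"S" * 8, EXCH_IDENTITY_PROTECTION)),       # B (t=1.0) has expired
]


def sample_report(limit=2, timeout=60):
    """Hypothetical limit/timeout values chosen for the constructed trace."""
    return track_phase1(SAMPLE_TRACE, limit, timeout)


if __name__ == "__main__":
    print(sample_report())
```

Run against a real capture taken on the firewall's external interface during an outage, the `over_limit` list tells you whether the negotiation count actually climbs toward the configured ceiling before the tunnels drop, and `still_open` shows which initiator cookies never reach Quick Mode. The `timeout` matters: negotiations that stall without ever completing would otherwise be counted forever, which would overstate the load exactly when the peer has already given up.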



 
   All contents © 2004 Network Presence, LLC. All rights reserved.