RE: [FW1] One way encryption
> Has anyone encountered this problem? I have a VPN tunnel between 2
> countries (SG and AU). The tunnel has been working fine, until this
> morning, it became a one-way tunnel, i.e. SG-AU is ok, but AU-SG failed.
> You can see that the AU fw encrypts the packet but you will never see it
> decrypted at the SG fw; no drop or reject packet detected on the log. I really
> need HELP on this.

Not seeing anything on the logs of/from the peer firewall introduces the following possible scenarios:

1. If you have an encryption accelerator card (Chrysalis card) - it may have gone bad. Although VPN-1/FireWall-1 "should" re-route encryption to software, it doesn't work. Encryption just stops working. I would check the system logs to see if anything is showing up about the accelerator card. If you disable the card - the VPN should start working.

2. Someone has made a change on routers/firewalls that go between the two firewalls. Some form of access list has been applied on either side, and may be blocking ESP/AH type packets (IP type 50 and 51 respectively). This could be on the peer end where the VPN is working - i.e. the access list allows ALL traffic out, but is blocking inbound. This would explain the inbound IP type 50/51 packets being dropped and never appearing at the peer end. Or, your Internet service provider may have decided to block IP type 50/51 packets - this is really, really RARE... but a possibility.

Good luck,

Amin Tora, CISSP
ePlus Technology
http://www.eplus.com
NASDAQ: PLUS
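An added example (not code from the thread) of the check scenario 2 calls for: sniff the outside interface of the gateway that never decrypts and count ESP/AH (IP protocol 50/51) packets per direction. Outbound IPsec with no inbound IPsec from the peer points at something between the gateways dropping protocol 50/51. The capture, the gateway addresses and the helper names are all constructed for this example.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

ESP, AH = 50, 51  # IP protocol numbers carried in the IPv4 header "protocol" field

def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst) from a raw IPv4 packet, or None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))

def count_ipsec(packets, local, peer):
    """Tally ESP/AH packets between this gateway and its VPN peer, keyed by direction."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None or parsed[0] not in (ESP, AH):
            continue  # not IPsec between the two gateways, ignore
        proto, src, dst = parsed
        if src == local and dst == peer:
            counts[("out", proto)] += 1
        elif src == peer and dst == local:
            counts[("in", proto)] += 1
    return counts

def diagnose(counts):
    """Map the direction tally onto the scenarios discussed in the reply."""
    outbound = sum(n for (d, _), n in counts.items() if d == "out")
    inbound = sum(n for (d, _), n in counts.items() if d == "in")
    if outbound and not inbound:
        return "one-way: IPsec leaves but none arrives from the peer; suspect IP protocol 50/51 filtered in transit"
    if inbound and not outbound:
        return "one-way: IPsec arrives but none is sent; check local encryption (e.g. accelerator card)"
    if inbound and outbound:
        return "two-way: IPsec seen in both directions"
    return "no IPsec traffic seen on this interface"

def build_ipv4(proto, src, dst, payload=b""):
    """Constructed test packet: minimal 20-byte IPv4 header (checksum left zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload

# Constructed capture at the SG gateway (documentation addresses, not real peers):
# three ESP packets out to AU, one plain TCP packet in, and no ESP/AH in from AU.
SG, AU = "192.0.2.1", "198.51.100.1"
CAPTURE = [build_ipv4(ESP, SG, AU, b"\x00" * 8)] * 3 + [build_ipv4(6, AU, SG)]
```

With a real capture, feed `count_ipsec` the raw IPv4 packets from the sniffer; a tally that shows outbound 50/51 but none inbound is the signature the reply describes.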