[FW1] SP4 VPN email issues
I upgraded my firewall two days ago to SP4 and so far everything seems OK with the exception of one new problem. I have six Sonicwalls at branch offices connected to my firewall. The Sonicwalls are set up to email me their logs each day, and since the upgrade to SP4 the email from all of them has stopped working. It's very odd. If I look at the logs prior to the upgrade, here's what I see (.33 is my firewall public IP address, .34 is the mail server public IP address):

"15:02:07" "daemon" "X.X.84.33" "log" "decrypt" "smtp" "10.30.0.1" "X.X.84.34" "tcp" "31" "1063" "" "0x00001231" "0x00001231" "" "" "" "X.X.84.34" "1063" "smtp" "firewall" " scheme: Manual IPSec"

"15:02:07" "daemon" "X.X.84.33" "log" "accept" "smtp" "10.30.0.1" "X.X.84.34" "tcp" "31" "1063" "" "" "" "" "" "" "" "" "" "firewall" " agent mail server orig_from <[email protected]> orig_to <[email protected]>"

"15:02:09" "daemon" "X.X.84.33" "log" "accept" "smtp" "10.30.0.1" "10.0.16.11" "tcp" "31" "1063" "" "" "" "" "" "" "" "" "" "firewall" " agent mail dequeuer orig_from <[email protected]> orig_to <[email protected]> from <[email protected]> to <[email protected]> reason Content Security Server has approved the requested resource"

Sorry for the log wrapping, but basically the log shows the email destined for the external address of my mail server as coming in encrypted, something I wouldn't expect as the external IP of my mail server is NOT in the encryption domain for the firewall. Nonetheless, FW1 dutifully translates the address to the internal mail server (10.0.16.11) and the CVP server lets it through. In other words, the mail gets delivered over the VPN.

Now here's what the log looks like after SP4:

"17:09:36" "E100IB1" "204.97.84.33" "log" "drop" "1113" "10.30.0.1" "204.97.84.33" "tcp" "29" "1031" "" "" "" "" "" "10.30.0.1" "204.97.84.34" "1031" "smtp" "firewall" " len 60"

Notice the service is now 1113, not SMTP, the packet is showing up on the external interface and not from the daemon (so it's not coming across the VPN any more), and the destination is shown as the firewall's public IP address, not the mail server public IP. But if you look at the translation info, the destination is the external mail server IP with SMTP. Very weird. Rule 29 is my FW stealth rule, and it drops the traffic since it was destined for the firewall.

So it's almost as if SP3 was allowing the connection to come through the VPN when it shouldn't have been, and SP4 has "fixed" that. Now if I could just figure out why the traffic is going to the wrong IP address...

Does this make sense to anyone?

Geoff