[FW-1] IPSEC VPN hanging: NG
For your information:

After (manually) migrating our Firewall from 4.1 to NG, we had a lot of VPN problems. SecuRemote users couldn't use MS Exchange anymore, and some other connections were simply dropped by the NG firewall without any warning in the log viewer, nor in vpnd.elg in debug mode.

The solution was to allow NG to fragment IPSec packets. This was done by using the dbedit command on the management server and editing the firewall object using the following command:

    modify network_objects <name_of_fw_obj> ipsec_dont_fragment false
    update network_objects <name_of_fw_obj>

I didn't find any documentation about these kinds of settings, which are critical when upgrading to NG. I was lucky to find it out within one day, but it could have been weeks. VPN-1 4.1 also didn't fragment IPSec packets, so why this difference?

Happy debugging.

Marc