
[FW-1] IPSEC VPN hanging: NG



For your information:

After (manually) migrating our Firewall from 4.1 to NG, we had a lot of
VPN problems. SecuRemote users couldn't use MS Exchange anymore, and some
other connections were simply dropped by the NG firewall without any
warning in the log viewer, nor in vpnd.elg in debug mode.

The solution was to allow NG to fragment IPSec packets. This was done by
using the dbedit command on the management server and editing the firewall
object using the following command:

modify network_objects <name_of_fw_obj> ipsec_dont_fragment false
update network_objects <name_of_fw_obj>

I didn't find any documentation about these kinds of settings, which are
critical when upgrading to NG. I was lucky to find it out within one day,
but it could have been weeks. VPN-1 4.1 also didn't fragment IPSec
packets, so why this difference?

Happy debugging.

Marc
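
An added example, not part of Marc's message or of any Check Point tool: it works out how much ESP tunnel-mode encapsulation (RFC 4303 layout) adds to a packet, which shows why only large packets, such as bulk Exchange traffic, are affected when the gateway may not fragment IPsec packets. The transforms, the 1500-byte MTU and the "dropped" outcome are assumptions; the post does not state them.

```python
# Added example: ESP tunnel-mode size arithmetic. All values below are
# assumptions for illustration, not settings taken from the original post.
OUTER_IP = 20     # outer IPv4 header, no options
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)

# Assumed transforms: cipher block size, IV size, truncated ICV size.
TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": {"block": 8, "iv": 8, "icv": 12},
    "aes-cbc/hmac-sha1-96": {"block": 16, "iv": 16, "icv": 12},
}


def esp_tunnel_size(inner_len, transform):
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation."""
    t = TRANSFORMS[transform]
    body = inner_len + ESP_TRAILER
    body += -body % t["block"]        # pad up to a cipher block boundary
    return OUTER_IP + ESP_HEADER + t["iv"] + body + t["icv"]


def max_inner_size(mtu, transform):
    """Largest inner packet whose encapsulated form still fits in mtu."""
    t = TRANSFORMS[transform]
    room = mtu - OUTER_IP - ESP_HEADER - t["iv"] - t["icv"]
    room -= room % t["block"]         # only whole cipher blocks are usable
    return room - ESP_TRAILER


def verdict(inner_len, mtu, transform, may_fragment):
    """Model of a gateway that either fragments oversized ESP or drops it."""
    if esp_tunnel_size(inner_len, transform) <= mtu:
        return "fits"
    return "fragmented" if may_fragment else "dropped"


if __name__ == "__main__":
    mtu = 1500                        # assumed Ethernet path MTU
    for name in TRANSFORMS:
        print(name, "largest inner packet:", max_inner_size(mtu, name))
        for inner in (576, 1400, 1500):   # constructed sample packet sizes
            print("  inner", inner, "->", esp_tunnel_size(inner, name),
                  "no-frag:", verdict(inner, mtu, name, False),
                  "frag:", verdict(inner, mtu, name, True))
```
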

   All contents © 2004 Network Presence, LLC. All rights reserved.