Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure

To: [email protected]
Subject: Re: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure
From: David Gillett <[email protected]>
Date: Wed, 22 May 2002 13:28:55 -0700
Importance: Normal
In-reply-to: <[email protected]>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

  Why would/should I unsubscribe?  I like being on this list, and I read the
messages -- sometimes, all the way to the end.

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of
> Sharma, Pankaj
> Sent: Wednesday, May 22, 2002 12:37 PM
> To: [email protected]
> Subject: Re: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure
>
>
> Please unsubscribe. Thanks.
>
> -----Original Message-----
> From: Chris McFarling [mailto:[email protected]]
> Sent: Wednesday, May 22, 2002 3:07 PM
> To: [email protected]
> Subject: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure
>
>
> [DC_A]  domain controller for mydomain.com
>      |
>      |
> int_interface
> [FireWall_A]
> ext_interface
>      |
>      |
> internet
>      |
>      |
> ext_interface
> [FireWall_B]
> int_interface
>      |
>      |
> [DC_B]  domain controller for myotherdomain.com
>
> I'm trying to set up a Win2K domain forest consisting of 2
> domain trees.
> Both domains are behind FW-1 v3.0b (base, no build#). A VPN
> tunnel is in
> place between both firewalls utilizing SKIP. The domain
> 'mydomain.com' is
> the root domain of the forest. I want to add
> 'myotherdomain.com' to this
> forest through the VPN. Both internal networks are using
> non-routable IP
> addresses. Communication between both internal nets is functioning
> properly--I can ping back-n-forth and mount shares from
> either side. When I
> try to add myotherdomain.com to the domain forest by running
> dcpromo, the
> process gets to the point of creating a trust relationship
> between the two
> domains and then fails with the error "The remote procedure
> call failed and
> did not execute." I ran a trace on both machines durring the
> domain joining
> process and found that at a certain point DC_B sends an RPC
> Request to DC_A
> but it never reaches its destination. There is nothing in
> either FW-1 log to
> indicate that a problem has occurred. Both firewalls have "Enable RPC
> Control" checked. I also edited fwui_head.def to uncomment
> the line " /*
> #define RPC_OVER_TCP */ ". Microsoft has an RPC ping utility
> for testing RPC
> connectivity. I ran this between the two domain controllers and had no
> problems. This seems to definitely be related to some sort of
> RPC issue with
> FW-1 though. FYI, I tried joining the two domains together
> when they were
> both on the same subnet, basically removing FW-1 from the
> equation, and it
> completed successfully.
> I know this is an old version of FW-1 and that that might be the whole
> problem alltogether. However, if something else is happening
> here, I'd love
> to figure it out.
>
> I've inculed links to the network captures below. These
> captures depict a
> particular TCP session between these two machines that fails.
> Everything
> goes as it should until DC_B sends packet #1908, an RPC
> Request, to DC_A.
> That packet never reaches DC_A (it should have been #1487 on
> DC_A's capture)
> which causes DC_A to eventually send a RST. What would cause
> this packet to
> disappear like that?
>
> http://www.crl.aps.vertisinc.com/temp1/DC_A.txt
> http://www.crl.aps.vertisinc.com/temp1/DC_B.txt
>
> --
> Chris McFarling
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Follow-Ups:
- Re: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure
  - From: Stan Holmes <[email protected]>
- Re: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure
  - From: Jim Parker <[email protected]>

References:
- Re: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure
  - From: "Sharma, Pankaj" <[email protected]>

Prev by Date: Re: [FW-1] UNSUBSCRIBE
Next by Date: Re: [FW-1] Please unsubscribe me.
Previous by thread: Re: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure
Next by thread: Re: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure
Index(es):
- Date
- Thread