Re: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure
Why would/should I unsubscribe? I like being on this list, and I read the messages -- sometimes, all the way to the end.

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of
> Sharma, Pankaj
> Sent: Wednesday, May 22, 2002 12:37 PM
> To: [email protected]
> Subject: Re: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure
>
>
> Please unsubscribe. Thanks.
>
> -----Original Message-----
> From: Chris McFarling [mailto:[email protected]]
> Sent: Wednesday, May 22, 2002 3:07 PM
> To: [email protected]
> Subject: [FW-1] Win2K Domain Thru FW-1 VPN v3.0b Failure
>
>
> [DC_A] domain controller for mydomain.com
>    |
>    |
> int_interface
> [FireWall_A]
> ext_interface
>    |
>    |
> internet
>    |
>    |
> ext_interface
> [FireWall_B]
> int_interface
>    |
>    |
> [DC_B] domain controller for myotherdomain.com
>
> I'm trying to set up a Win2K domain forest consisting of 2 domain trees.
> Both domains are behind FW-1 v3.0b (base, no build#). A VPN tunnel is in
> place between both firewalls utilizing SKIP. The domain 'mydomain.com' is
> the root domain of the forest. I want to add 'myotherdomain.com' to this
> forest through the VPN. Both internal networks are using non-routable IP
> addresses. Communication between both internal nets is functioning
> properly--I can ping back-n-forth and mount shares from either side. When I
> try to add myotherdomain.com to the domain forest by running dcpromo, the
> process gets to the point of creating a trust relationship between the two
> domains and then fails with the error "The remote procedure call failed and
> did not execute." I ran a trace on both machines during the domain joining
> process and found that at a certain point DC_B sends an RPC Request to DC_A
> but it never reaches its destination. There is nothing in either FW-1 log to
> indicate that a problem has occurred. Both firewalls have "Enable RPC
> Control" checked.
> I also edited fwui_head.def to uncomment the line " /*
> #define RPC_OVER_TCP */ ". Microsoft has an RPC ping utility for testing RPC
> connectivity. I ran this between the two domain controllers and had no
> problems. This seems to definitely be related to some sort of RPC issue with
> FW-1 though. FYI, I tried joining the two domains together when they were
> both on the same subnet, basically removing FW-1 from the equation, and it
> completed successfully.
> I know this is an old version of FW-1 and that that might be the whole
> problem altogether. However, if something else is happening here, I'd love
> to figure it out.
>
> I've included links to the network captures below. These captures depict a
> particular TCP session between these two machines that fails. Everything
> goes as it should until DC_B sends packet #1908, an RPC Request, to DC_A.
> That packet never reaches DC_A (it should have been #1487 on DC_A's capture)
> which causes DC_A to eventually send a RST. What would cause this packet to
> disappear like that?
>
> http://www.crl.aps.vertisinc.com/temp1/DC_A.txt
> http://www.crl.aps.vertisinc.com/temp1/DC_B.txt
>
> --
> Chris McFarling
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
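
The two-sided capture comparison described in the quoted post (a segment visible in DC_B's trace but absent from DC_A's) can be automated by matching TCP segments on fields that do not change in transit. This is an added example, not part of the original thread: the IP addresses, ports, sequence numbers, lengths and the retransmission are constructed, only the frame numbers 1908 and 1487 come from the post, and it assumes no NAT between the two capture points.

```python
from collections import Counter, namedtuple

# One TCP segment as listed in a capture; "frame" is local to that capture.
Seg = namedtuple("Seg", "frame src dst sport dport seq length")

def flow_key(s):
    """Fields identical at both capture points (assumes no NAT in the path)."""
    return (s.src, s.dst, s.sport, s.dport, s.seq, s.length)

def lost_segments(sender_cap, receiver_cap, sender_ip):
    """Data segments the sender transmitted that never show up at the receiver.

    Each arrival is consumed once, so a retransmission that also goes
    missing is reported separately from the original transmission.
    """
    arrived = Counter(flow_key(s) for s in receiver_cap)
    lost = []
    for s in sender_cap:
        if s.src != sender_ip or s.length == 0:
            continue  # ignore the peer's packets and bare ACKs
        k = flow_key(s)
        if arrived[k] > 0:
            arrived[k] -= 1
        else:
            lost.append(s)
    return lost

# Constructed sample data (hypothetical addresses, ports and sequence numbers).
DC_A, DC_B = "10.1.1.10", "10.2.2.10"
DC_B_CAP = [
    Seg(1905, DC_B, DC_A, 1046, 1026, 1000, 72),
    Seg(1906, DC_A, DC_B, 1026, 1046, 5000, 64),
    Seg(1908, DC_B, DC_A, 1046, 1026, 1072, 160),  # the RPC Request
    Seg(1912, DC_B, DC_A, 1046, 1026, 1072, 160),  # constructed retransmission
]
DC_A_CAP = [
    Seg(1485, DC_B, DC_A, 1046, 1026, 1000, 72),
    Seg(1486, DC_A, DC_B, 1026, 1046, 5000, 64),
    # the RPC Request would have been frame 1487 here
]

if __name__ == "__main__":
    for s in lost_segments(DC_B_CAP, DC_A_CAP, DC_B):
        print(f"frame {s.frame}: seq={s.seq} len={s.length} never reached {s.dst}")
```

Running the same function in the other direction (DC_A as sender) shows whether the loss is one-way, which narrows the search to a single firewall's outbound or inbound handling.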