
[FW-1] IPSec tunnel issue



Hi,

I have the following VPN setup:

                                        PROTECTED NETWORK A
                                                 |
Nokia IP440, CP 4.1 SP5a <---backup VRRP master---> Nokia IP440, CP 4.1 SP5a
                                                 |
                                            INTERNET

                                                 |
                                        Nokia IP440, CP 4.1 SP4
                                                 |
                                        PROTECTED NETWORK B

The IPSec VPN runs between the two networks with the firewalls acting as
endpoints.

The issue I see is that ICMP packets do not seem to go through right away when
I ping from Network B to A. The first 5 pings fail, but when I initiate a
series of five again, it succeeds.

When I do a trace from network B into the IPSec tunnel, I notice that
packets are decrypted at the backup FW instead of the master FW, as one
should expect at Network A. I have verified ARP tables, routing and VRRP and
everything looks OK. That is: traffic should be routed to the master FW.

When doing a tcpdump on the external interface of the backup FW I clearly
see IPSec packets being exchanged to the peer FW. Also in the FW log I see
packets being decrypted on the backup FW.

Does someone have a clue what is going on? I have the feeling that especially ICMP
traffic is affected by this. Somehow the FW @ network B thinks the backup
FW @ network A is the peer for the IPSec tunnel. It is not a large problem,
as other traffic runs fine, but I have noticed that when the backup FW
fails, the VPN traffic is not taken over by the master.

Regards,

Nils Kolstein
Internetworking Engineer
CCSA, CCSE
Planet Technologies
E-mail: [email protected]
tel: (+31) (0)33-4513545
fax: (+31) (0)33-4513101
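A small audit of which Network A address the ESP packets actually terminate on, matching the tcpdump check described above. This is an added example, not part of the original post or of Check Point's tooling; the tcpdump line format, the placeholder addresses and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed tcpdump-style ESP lines (not from the original post). Addresses are
# documentation-range placeholders: 203.0.113.5 is the Network B firewall,
# 198.51.100.10 the Network A VRRP address the peer should be using, and
# 198.51.100.20 the physical address of the Network A backup firewall.
SAMPLE_TCPDUMP = """\
12:00:01.000 IP 203.0.113.5 > 198.51.100.20: ESP(spi=0x0000a1b2,seq=0x1)
12:00:01.100 IP 198.51.100.20 > 203.0.113.5: ESP(spi=0x0000c3d4,seq=0x1)
12:00:02.000 IP 203.0.113.5 > 198.51.100.20: ESP(spi=0x0000a1b2,seq=0x2)
12:00:02.100 IP 198.51.100.20 > 203.0.113.5: ESP(spi=0x0000c3d4,seq=0x2)
12:00:03.000 IP 203.0.113.5 > 198.51.100.10: ESP(spi=0x0000e5f6,seq=0x1)
"""

# Assumed tcpdump text layout: "IP <src> > <dst>: ESP(spi=0x...,seq=0x...)"
ESP_LINE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=(0x[0-9a-fA-F]+)")


def esp_flows(capture_text):
    """Count ESP packets per (src, dst, spi) triple in tcpdump text output."""
    flows = Counter()
    for line in capture_text.splitlines():
        m = ESP_LINE.search(line)
        if m:
            flows[m.groups()] += 1
    return flows


def audit_tunnel_peer(capture_text, expected_peer, cluster_addrs):
    """Return a Counter of (address, spi) -> packet count for ESP traffic sent
    to or from a cluster address other than the expected VRRP peer address.
    Any entry means the tunnel is terminating on the wrong cluster member."""
    misdirected = Counter()
    for (src, dst, spi), n in esp_flows(capture_text).items():
        for addr in (src, dst):
            if addr in cluster_addrs and addr != expected_peer:
                misdirected[(addr, spi)] += n
    return misdirected


if __name__ == "__main__":
    cluster = {"198.51.100.10", "198.51.100.20", "198.51.100.30"}
    for (addr, spi), n in audit_tunnel_peer(SAMPLE_TCPDUMP, "198.51.100.10", cluster).items():
        print(f"{n} ESP packet(s) with SPI {spi} terminate on {addr}, not on the VRRP address")
```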

   All contents © 2004 Network Presence, LLC. All rights reserved.