Re: [FW-1] Checkpoint FW-1 Secure Client & XP ICS
Further Information:

From the Firewall activity at the office, the initial login attempt appears to come from my ICS server address, which is obviously correct & so works. All further traffic shows the source address of the actual client machine, so replies can't actually reach it. This implies that it is something local on the client, but what??

----- Original Message -----
From: "Mike Crowhurst" <[email protected]>
To: <[email protected]>
Sent: Wednesday, June 12, 2002 6:51 AM
Subject: Re: [FW-1] Checkpoint FW-1 Secure Client & XP ICS

> I'll reply to all three in one....
>
> > In one of your many rebuilds of the XP desktop, did you install any new
> > windows patches from update? M$ seem to have a thing for changing
> > configurations when they install these.
> >
> > just a thought
> >
> > rich
>
> Yes, without a doubt, I'm a regular visitor to the WindowsUpdate site and
> apply all the relevant patches. The only reason I'm not focussing on the XP
> machine is that things broke when the office config changed, rather than
> after any changes to the XP ICS server.
>
> > I am not going to argue with you if you had this working. Can you give us
> > any more information about what is happening? Have you been able to
> > perform a traffic dump to see where things are failing?
> >
> > When the gateway's IP address changed, did anything else change with it?
> >
> > Are you forcing UDP encapsulation, etc.?
>
> My thanks for not arguing, although I was expecting several "It can't work
> via ICS" replies. I've read enough articles on the internet detailing how it
> is not supported via ICS as it doesn't work. Were it not for the fact that
> I've spent countless hours connected to the office via SecureClient 4.1 and
> ICS I'd have been forced to agree with the weight of popular opinion. In any
> case, I'm sorry I didn't supply too much detail regarding the changes at the
> office, but as I'm sure you're aware, publicising Firewall & network details
> is often not the best way to go.
>
> Basically though it was actually a fairly major change. We currently have
> two separate ISP links at the office, but as one of them is via the rapidly
> sinking KPNQwest, all our connections are being transferred at present onto
> just one. The VPN was configured via the KPNQwest based link. This has been
> transferred over and is now working via the other ISP's link, which is why
> the address changed. Theoretically the configuration of the VPN itself has
> not changed, aside from the work necessary to transfer it. This does seem to
> be the case, as connection to the VPN is possible, just only via a direct
> internet connection rather than via ICS.
>
> It has to be said at this point, that several people at the office have
> never been able to get the VPN working via ICS, whilst up until now I have
> never had a problem. I do not however recall having had to make any special
> changes on my workstation here to get this going, in fact at one point I
> deliberately stripped the SecureClient off completely, re-installed it,
> copied in the office UserC.C file (easiest way to set up the connection
> details) and it worked straight off.
>
> I have now tried configuring the SecureClient with UDP Encapsulation on &
> off, but see no difference either way.
>
> > Have you checked all of the adapters SecureClient is bound to and made sure
> > the QOS agent is disabled?
> >
> > Frank
>
> Yes, the network configuration on the XP machine hasn't changed, QOS
> disabled, and the SecureClient is bound to all adapters on the 2000 client
> machine.
>
> If I start up the SecureClient, but don't log in, then try to communicate
> with the office network I do immediately get the login dialog window pop-up,
> so I'm sure the client is trying to handle the appropriate traffic.
>
> I've now installed MS Network monitor on both machines and run captures
> whilst connected to the VPN. When dialled up to the internet with the VPN
> working, a ping to an office server shows the expected Netmon capture -
> packets going back & forth between my workstation and the office firewall.
>
> When I disconnect and go back to using my home LAN and ICS, Netmon captures
> on the ICS client and server show pings leaving the workstation, apparently
> headed for the real destination address, then leaving the ICS server headed
> for the office firewall. Pretty much what I'd expect, as I'd run these kind
> of captures before, back when it used to work. Now however, I get no packets
> back at all.
>
> I'm going to be trying to get someone at the office to check the FW-1 logs
> to see what they can see from that end, but don't have those details yet.
>
> Any suggestions welcomed.
>
> Mike
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
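The symptom reported in this message (the login seen from the NAT host's address, later traffic seen with the client's own address) can be looked for in gateway-side records. The following is an added example, not part of the original post: the record layout, user names and addresses are constructed and do not reflect the FW-1 log format.

```python
import ipaddress

# RFC 1918 ranges: sources a remote gateway cannot route replies to
# unless they arrive inside an encapsulation the NAT device can track.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, simplified records: (time, event, source address, user).
SAMPLE_LOG = [
    ("09:00:01", "login",   "198.51.100.20", "userA"),  # seen via the NAT host
    ("09:00:07", "traffic", "192.168.0.2",   "userA"),  # inner client address
    ("09:00:09", "traffic", "192.168.0.2",   "userA"),
    ("09:02:30", "login",   "203.0.113.45",  "userB"),  # direct connection
    ("09:02:41", "traffic", "203.0.113.45",  "userB"),
    ("09:03:00", "traffic", "10.1.1.9",      "userC"),  # no login seen: ignored
]


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)


def find_unroutable_sessions(records):
    """Map user -> (login source, private sources seen after login).

    A user is reported when traffic after the login carries a private
    source address that differs from the address the login came from.
    """
    login_src = {}
    mismatches = {}
    for _time, event, src, user in records:
        addr = ipaddress.ip_address(src)
        if event == "login":
            login_src[user] = addr
        elif event == "traffic" and user in login_src:
            if addr != login_src[user] and is_rfc1918(addr):
                mismatches.setdefault(user, set()).add(addr)
    return {user: (str(login_src[user]), [str(a) for a in sorted(addrs)])
            for user, addrs in mismatches.items()}


if __name__ == "__main__":
    for user, (login, inner) in find_unroutable_sessions(SAMPLE_LOG).items():
        print(f"{user}: login from {login}, later traffic from {inner}")
```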