Re: [FW-1] VPN stopped working suddenly!!



Interesting problem.  I was trying to specifically generate key exchange
traffic when I saw none, but I was unsuccessful.  What's the best way to do
this other than pushing the policy and forcing SR updates?

Thanks!
...
Chris

> -----Original Message-----
> From: <Aaron Reynolds> [mailto:[email protected]]
> Sent: Monday, September 16, 2002 5:11 PM
> To: [email protected]
> Subject: Re: [FW-1] VPN stopped working suddenly!!
>
>
> Don't know about FP2, but 4.1 SP6 has a bug in which the isakmpd daemon
> will run up CPU utilization and not recover.  I got a bunch of the
> "InvokeIsakmpServer: can't bind socket: Operation not permitted" errors
> during the initial troubleshooting of this.  Check to see whether your
> firewall responds to any key exchange traffic (udp 500).  Ours did not,
> until we did a "kill -9" on the isakmpd PID.  An fwstop/fwstart would not
> kill the isakmpd daemon, and that is when we would get the "can't bind
> socket" errors.  fwstart would try to start the daemon when it was already
> running.  Let me know.
>
> -Aaron
>
> -----Original Message-----
> From: Chris Moore [mailto:[email protected]]
> Sent: Monday, September 16, 2002 1:15 PM
> To: [email protected]
> Subject: [FW-1] VPN stopped working suddenly!!
>
>
> Hello,
>
> All of a sudden, all VPN activity stopped without notice.  Here are the
> errors I have observed (some never seen!):
>
>
> ------------------------------------------------------------
> in FW1 log:
> ===========
> 1. (any VPN traffic) drop --> encryption failure: Encryption/Decryption
>    failure
> 2. (any VPN traffic) drop --> encryption failure: temporary unavailable
>    resources
> 3. (last FW1 specific entries)
>         9/14 - 18:57    key install     (SR user)
>         9/14 - 19:05    decrypt         (SR user)
>         9/14 - 19:44    login           (SR user)
>         9/14 - 19:45    key install     --> Internal_CA: General CRL renewed (???)
>
> debug info:
> ===========
> vpnd.elg -->    InvokeIsakmpServer: can't bind socket: Operation not permitted
>
> fwd.elg  -->    fwauthd: cannot run server in.aufpd: Authentication Services
>                 are unavailable. Connection refused.
>
> fwd.elg  -->    fwsync: failed to read cluster sync mode!
> ------------------------------------------------------------
>
>
> As for the fw.log entries, there have been no more "key install" actions
> since the date above (including site-site and site-client VPNs).  The SR
> error is the same old "communication with site x.x.x.x has failed".
>
> Can anyone give me a clue as to what the problem might be?
>
> I've tried restarting the FW1 services (cprestart).  I've also checked the
> routing tables and NAT rules...everything in order as always.
>
> My config:
> ==========
> FW1 NG-FP2 Build 52163
> Redhat 7.2 - kernel 2.4
>
>
> Thanks as always!
> ...
> Chris
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

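The check Aaron suggests (does the gateway answer anything on udp 500?) and Chris's follow-up question about generating key exchange traffic on demand can both be served by a bare ISAKMP probe against your own gateway. The Python below is an added example, not code from this thread or from Check Point: it builds a single IKEv1 Main Mode SA proposal (RFC 2408 framing), sends it to UDP 500 and reports whether any ISAKMP reply carrying the same initiator cookie comes back. The target host and the proposal parameters are constructed placeholders.

```python
# Minimal IKEv1 (ISAKMP, RFC 2408) Main Mode probe: one SA proposal to UDP 500,
# then wait for any ISAKMP reply. It never completes a handshake; the point is
# only to learn whether isakmpd on the gateway is answering at all.
import os
import socket
import struct

ISAKMP_PORT = 500
NP_NONE, NP_SA = 0, 1          # "next payload" codes
EXCH_MAIN_MODE = 2             # identity protection exchange
IKE_VERSION = 0x10             # major 1, minor 0

def _attr(atype, value):
    # Basic (2-byte value) SA attribute: high bit of the type marks it basic
    return struct.pack("!HH", 0x8000 | atype, value)

def build_sa_payload():
    # Constructed proposal: 3DES(5) / SHA1(2) / pre-shared key(1) / DH group 2.
    # The gateway need not accept it; any reply proves the daemon is alive.
    attrs = _attr(1, 5) + _attr(2, 2) + _attr(3, 1) + _attr(4, 2)
    transform = struct.pack("!BBHBBH", NP_NONE, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", NP_NONE, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA payload header: DOI 1 = IPsec, situation 1 = SIT_IDENTITY_ONLY
    return struct.pack("!BBHII", NP_NONE, 0, 12 + len(proposal), 1, 1) + proposal

def build_probe(initiator_cookie=None):
    cookie = initiator_cookie or os.urandom(8)   # responder cookie stays zero
    sa = build_sa_payload()
    header = struct.pack("!8s8sBBBBII", cookie, b"\x00" * 8, NP_SA, IKE_VERSION,
                         EXCH_MAIN_MODE, 0, 0, 28 + len(sa))
    return header + sa

def parse_header(data):
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    f = struct.unpack("!8s8sBBBBII", data[:28])
    return {"icookie": f[0], "rcookie": f[1], "next_payload": f[2],
            "version": f[3], "exchange": f[4], "flags": f[5],
            "msg_id": f[6], "length": f[7]}

def probe(host, timeout=3.0):
    """Return the parsed reply header, or None when nothing answers on UDP 500."""
    pkt = build_probe()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, ISAKMP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    reply = parse_header(data)
    return reply if reply["icookie"] == parse_header(pkt)["icookie"] else None
```

A `None` from `probe("gateway.example")` matches the "did not respond until kill -9 on isakmpd" symptom in the thread; a reply (typically an SA response or a NOTIFY) shows the daemon is at least bound to the socket.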
   All contents © 2004 Network Presence, LLC. All rights reserved.