[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Checkpoint NG FP2 + PIX VPN Problem

To: [email protected]
Subject: Re: [FW-1] Checkpoint NG FP2 + PIX VPN Problem
From: Pritish Shah <[email protected]>
Date: Fri, 4 Oct 2002 14:13:15 -0400
Comments: To: [email protected]
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

I believe this happens because PIX timeout max is 1440 and the
checkpoint box generally has a higher timeout. We currently have a VPN
connection with a PIX box. The workaround we have done is to clear the
SA on the checkpoint box every three days using cron. Below is the
script.

Regards,
Pritish

troywallA[admin]# more clear_sa_table
#!/bin/csh
fw tab -t IKE_SA_table -x << EOF
yes
EOF
fw tab -t ISAKMP_ESP_table -x << EOF
yes
EOF
fw tab -t inbound_SPI -x << EOF
yes
EOF
fw tab -t ISAKMP_AH_table -x << EOF
yes
EOF

>>> [email protected] 10/04/02 12:28PM >>>
Raghavendra B V <[email protected]> said:
Problem Description:The VPN works fine between checkpoint &
Pix.Randomly
the
connection drops & the vpn stops working.In this case i have to reboot
PIX
(clear ipsec SA)every time.Once in 15-20 days it happens.
The log file of checkpoint says
encryption failure: Packet is dropped as there is no valid SA.
------

I have the same problem. But in my case, the VPN acts strangely : the
connection stops working after some time of inactivity... I have not
been
able to find any reason for this. Apprently, making a traceroute makes
the
VPN go up again...

--
Mr Lo

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Prev by Date: Re: [FW-1] Q about 2+ interfaces on nokia boxes
Next by Date: Re: [FW-1] SQL*Net and FW-1
Prev by thread: Re: [FW-1] Checkpoint NG FP2 + PIX VPN Problem
Next by thread: Re: [FW-1] Checkpoint NG FP2 + PIX VPN Problem
Index(es):
- Date
- Thread