
Re: [FW-1] Securemote crashes Win2k when used at my outlaws house(AT&T is the ISP).



Alan,

Glad to hear you got the issue resolved.  My guess is still that it's tied
to some issue between the laptop NIC and the cable modem NIC, more than
likely related to speed and/or duplex negotiation.  That's about the only
reasonable explanation I can think of (NIC driver going "what the..?")...
and if that's not it, yeah, it's a little rude to crash the machine just for
plugging into a cable modem.  Maybe SecuRemote doesn't like AT&T on general
principle :)

-Russ

----- Original Message -----
From: "Alan Choyna" <[email protected]>
To: <[email protected]>
Sent: Friday, December 27, 2002 7:39 PM
Subject: Re: [FW-1] Securemote crashes Win2k when used at my outlaws
house(AT&T is the ISP).


Resolved. I added the linksys router and the VPN now works fine.

I was pretty confident that it would work, as I tried my Sonicwall VPN and
could connect fine to another client's site (didn't think of testing it
earlier....doh!), and also from the AT&T document
("https://securebb.att.com/services/products/SecurityQuestions.jhtml;jsessionid=ZWWML3X20YLONJMJCVJSFFNFREKVKIV5")
sent to me by Raymond Shelton (thanks Raymond).

So basically Securemote does not like connecting directly to an internet
modem, but rather prefers to go through an intermediate router/FW device.
Crashing the machine is a bit rude though, don't you think?

I could not adjust the autonegotiate properties of the modem to test your
theory, David and Russell. It would have been interesting to see if that
would have helped. Thanks very much to both of you for your advice.

I'm guessing that since most people on this list are security conscious,
they would ensure that all internet connections are protected by a Firewall,
so this issue would rarely come up.

Thanks to all for your input. Have a great new year.

Alan

-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Thursday, December 26, 2002 11:51 PM
To: [email protected]
Subject: Re: [FW-1] Securemote crashes Win2k when used at my outlaws
house(AT&T is the ISP).


Here's a thought, following on David's reasoning-- can you force that
Ethernet adapter on the Thinkpad down to 10Mbps (i.e., don't autonegotiate)?

It's been a while since they were common, but I do recall autonegotiation
issues resulting in weird side effects well off the path from "either it
works or it doesn't," and strangely enough, most of the issues I've seen
have involved a piece of custom-engineered high-end equipment (your IBM in
this case) trying to talk to something sharply lower in the engineering food
chain (that cable modem).

It's a shot in the dark, but my experience says your clarification of the
topology suggests that David might well have been onto something.  Your plan
to introduce an intermediate device would also be telling in its results.

Let us know how it turns out?

----- Original Message -----
From: "Alan Choyna" <[email protected]>
To: <[email protected]>
Sent: Thursday, December 26, 2002 8:20 PM
Subject: Re: [FW-1] Securemote crashes Win2k when used at my outlaws
house(AT&T is the ISP).


Another thing different at this site (apart from the AT&T ISP) is that I am
directly connected to the modem here, while elsewhere I go via a router or
firewall (such as a sonicwall firewall or linksys BEFSR41 router). Could
this contribute in any way to the crashes?

As for hardware issues, I use an Enterprise level IBM ThinkPad x20 with its
internal ethernet adapter at all locations, and have connected to the
internet via dozens of different networks. This is my first issue ever with
this laptop to do with networking.

Your "windows getting wicked unhappy" scenario may well be close to the
truth.

I am going to buy a router (most likely a Linksys BEFSR41 as I've always had
good experiences with them), and test out whether the laptop does not crash
when not connected directly to the modem (who knows....)

I will report back soon.

Thanks for all input so far. I appreciate it.

Alan.

-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Thursday, December 26, 2002 3:05 PM
To: [email protected]
Subject: Re: [FW-1] Securemote crashes Win2k when used at my outlaws
house (AT&T is the ISP).


Good point on SecuRemote using port 259, wondered about that.  I guess I was
assuming that the IKE/IPSec tunnel was coming up as well, which the original
poster didn't actually say (my bad).

But that particular blue screen-- I've seen driver and hardware issues cause
that, nothing else.  Only thing I can think of is that *maybe* if SecuRemote
gets wicked unhappy trying to bring up the IKE/IPSec tunnel it might do
this, given that it is wired in "down there" next to the driver... but geez,
would that be some crappy design or what... :)

----- Original Message -----
From: "Shelton, Raymond A." <[email protected]>
To: <[email protected]>
Sent: Thursday, December 26, 2002 11:02 AM
Subject: Re: [FW-1] Securemote crashes Win2k when used at my outlaws house
(AT&T is the ISP).


AT&T can block protocols 50 and 51 and/or port 500 to disable an RFC
compliant VPN, but the authentication port for Securemote is TCP Port 259,
which may or may not be blocked.  I personally don't have any machines on an
AT&T network to test/sniff, but that is where I'd go next if I were having
this issue.

I agree that getting a blue screen _because_ of a service port filter is a
stretch, and will hasten to add in closing that I've seen Win.younameit do
some interesting things...

-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Thursday, December 26, 2002 12:23 PM
To: [email protected]
Subject: Re: [FW-1] Securemote crashes Win2k when used at my outlaws
house (AT&T is the ISP).


VPN blocking is just that-- blocking.  As in you get nowhere.  No
authentication, no communication, nothing.  Zip.  Zero.  It's accomplished
by blocking the ports and/or protocols needed to facilitate the connection.

That said, the fact that you can authenticate immediately rules out a
blocking scenario.  You *are* getting a VPN connection established.  If you
were being blocked you wouldn't even get that far.

The fact that it blows up when you actually try to use it is interesting,
but it's unlikely that it's due to the ISP.  They can't see inside the
packet (it's encrypted, that's the whole point) so they can't be responding
to content.  They aren't blowing you out based on seeing an encrypted
packet, because if they were, you'd get blown out earlier in the game
(authentication time).

Throw in that I have yet to hear of a technique for producing the particular
STOP error you describe via network poking... and... well... you get the
point.

That DRIVER_IRQL_NOT_LESS_THAN error you're getting is a stock Windows
NT/2000 condition that crops up in a lot of different scenarios, most of
them having nothing whatsoever to do with SecuRemote or even with VPNs.
It's generally either a hardware issue, a driver issue, or both.  In your
case I'd be asking whether there was anything unique to that location (a NIC
or instance of same that you use there but nowhere else?) at the hardware or
driver level.

Good luck...
---
Russell Washington, CCSE, CCSA, NCSA
Too many doggoned letters after my name.../

----- Original Message -----
From: "Alan Choyna" <[email protected]>
To: <[email protected]>
Sent: Thursday, December 26, 2002 8:28 AM
Subject: [FW-1] Securemote crashes Win2k when used at my outlaws house (AT&T
is the ISP).


Hey people,

I use my laptop from many locations around the country (therefore multiple
ISPs as well), and Securemote works well everywhere, except for here at my
outlaws' house in New Hampshire.

I use Securemote build 4200 with strong encryption, with IKE as the
encryption scheme.

I've heard that ISPs can disable VPN use via their cable lines somehow, to
force users to upgrade to a business package. The ISP they use here in
Kensington, New Hampshire is AT&T.

I can authenticate fine, but when I try to access any of the machines within
my network at work, I get the blue screen of death with the following
message (it's only shown for a second so I hope I got it right)
"DRIVER_IRQL_NOT_LESS_THAN".

It happens every single time I use it, and only when using the AT&T cable
line here at my in-laws' house.

Is there any way I can work around it? Does anyone know of another ISP
around Kensington, New Hampshire that does not block VPN use?

Thanks in advance,

Alan

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
