
Re: [FW-1] smalloffice license on nokia ip120



Let me take advantage of the situation and ask another question:

Is it true that you cannot upgrade licenses in small office appliances to
more hosts?

Regards

Daniel Accioly Rosa
CCSE

-----Original Message-----
From: Hannu Liljemark [mailto:[email protected]]
Sent: Wednesday, 19 February 2003 08:48
To: [email protected]
Subject: [FW-1] smalloffice license on nokia ip120


Heya folks,

we've got a strange problem with using a SmallOffice license with a limit
of 5 internal IP hosts on Nokia IP120 boxes.

Two of our customers have boxes like that at remote locations. Both
systems are installed as FW-1 modules, and they connect to a central
management. With eval licenses they work fine, but as soon as you punch
in the SmallOffice license the VPN dies, as FW-1 complains:

VPN-1: Invalid encryption license: encryption license for 5 hosts (5 hosts allowed)
VPN-1: No license for encryption, disabling encryption features

The firewall functionality seems fine, but as all traffic goes through
the VPN to customers' main office where the servers are, without VPN
the systems are useless (of course we can make it not go through the VPN
but that's not the point). At the moment the problem is solved with a new
eval license.

Before you tell us to check that the external interface is defined and FW-1
isn't seeing too many internal hosts or something else basic, here's the
situation in more detail, in a somewhat chaotic order, but bear with me:

The external interface is defined in external.if. Also, both systems have
their topology defined correctly via Policy Editor. If they were incorrect,
I guess we would not see what we're seeing, right?

FW-1: setting external interface to eth-s1p1c0

so that looks correct as well.

'fw lichosts' or 'fw tab -t host_table' have never returned more hosts than
they should. One site has two hosts behind the Nokia, the other three.
So that looks fine, no? We tried 'fw lichosts -x' / 'fw tab -t host_table -x'
and removed fwd.h and fwd.hosts, but that didn't have any effect. Of course
the systems were restarted with cpstop/cpstart and rebooted in the middle of
everything... several times.

Anyways, wouldn't FW-1 just slow things down and flood the logs with the
'too many internal hosts' messages if something was wrong with that instead
of completely stopping encryption?

# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 2 Build 52284

# ifconfig -a
eth-s1p1c0:  flags=e7<UP,PHYS_AVAIL,LINK_AVAIL,BROADCAST,MULTICAST,AUTOLINK>
        inet mtu 1500 .xx.xx./21 broadcast xxx.xx.xx.xxx
        phys eth-s1p1 flags=4173<UP,LINK,BROADCAST,MULTICAST,PROMISC,PRESENT>
        ether 0:a0:8e:21:6f:9c speed 10M half duplex
eth-s2p1c0:  lname eth-s2p1c0 flags=e7<UP,PHYS_AVAIL,LINK_AVAIL,BROADCAST,MULTICAST,AUTOLINK>
        inet mtu 1500 192.168.105.1/24 broadcast 192.168.105.255
        phys eth-s2p1 flags=4133<UP,LINK,BROADCAST,MULTICAST,PRESENT>
        ether 0:a0:8e:21:6f:9d speed 10M half duplex
eth-s3p1c0:  lname eth-s3p1c0 flags=e4<UP,BROADCAST,MULTICAST,AUTOLINK>
        phys eth-s3p1 flags=4132<UP,BROADCAST,MULTICAST,PRESENT>
        ether 0:a0:8e:21:6f:9e speed 10M half duplex
loop0c0:  flags=57<UP,PHYS_AVAIL,LINK_AVAIL,LOOPBACK,MULTICAST>
        inet6 mtu 63000 ::1 --> ::1
        inet mtu 63000 127.0.0.1 --> 127.0.0.1
        phys loop0 flags=10b<UP,LINK,LOOPBACK,PRESENT>
soverf0:  flags=2923<UP,LINK,MULTICAST,PRESENT,IPV6ONLY>
stof0:  flags=2903<UP,LINK,PRESENT,IPV6ONLY>
tun0:  flags=107<UP,LINK,POINTOPOINT,PRESENT>

Voyager shows that CPfw1-50-02 and CPshared-50-02 are in use. They were the
normal packages, for the correct IPSO release, grabbed from Checkpoint's site.
We're assuming things would be a lot more unusable had we done something
wrong with these basic things.

SecureUpdate shows that both systems run FP2 + HF2. Looks fine.

We've tried licenses of both types, central and local, attaching them with
both the command-line tool cplic and via SecureUpdate. It doesn't seem to make
a difference (again, I don't see why it would). Each time the licenses were
installed on both the modules and the central management. The management
actually has an unlimited license, as it controls other FW-1 systems as well,
but we installed the smaller license on the management just for the hell of it,
to see that it wasn't causing anything. The IP addresses in the licenses are
correct. Anyway, if the licenses were totally wrong, you'd think even the
firewall part wouldn't work (and it does - just the VPN dies), no?

I've read through the Nokia and Checkpoint knowledge bases for anything even
remotely close to the problem and checked the mailing list archives.
Nothing...

Perhaps the problem is something else and FW-1 decides to give an error like
the one we get. Maybe debugging at the highest level could give useful info.
Right now nothing usable seems to appear in $FWDIR/log/*elg that would take
us forward in solving the problem.

I don't suppose it's possible that the SmallOffice license lacks some feature
that FW-1/VPN would require on the Nokia IP120 platform? Or that we have some
strange option enabled somewhere which causes the encryption disabling? Or
that the objects and rules transferred from the management contain something
that would require more features in the license, and the lack of them leads
to the error we get? As I said, the management also controls other systems
(an HA setup of IP350 boxes, among others). Maybe a long shot... but we're
just trying to explore the possibilities, as everything obvious has been
checked as far as we can tell.

# cplic print -p
xxx.xxx.xx.xx    never
::CK-1C155AFC190Efw1:5.0:srunlimitfw1:5.0:spcpsfw1:5.0:pamfw1:5.0:enchosts5fw1:5.0:encryptionfw1:5.0:aesfw1:5.0:strongfw1:5.0:rdpfw1:5.0:desfw1:5.0:isakmpfw1:5.0:hosts5fw1:5.0:contentfw1:5.0:xlatefw1:5.0:fm

Only thing not tested yet is re-installation of FW-1 packages... and we
don't want to do that yet no matter how simple and easy it is.

Any ideas are welcome.

Thanks in advance.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

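The checks Hannu walks through above come down to two things: reading the primitives in the license that 'cplic print -p' shows (the 'hosts5' and 'enchosts5' limits next to the 'encryption', 'des', 'aes', 'isakmp' and friends) and comparing those limits with the hosts FW-1 is actually counting ('fw lichosts'). The script below is an added example, not code from the post or from Check Point; it parses the license line exactly as it appears on this page and puts the limits next to a host count. Assumptions: the 'fw lichosts' sample is constructed (one counted address per line), only the 'fw1' product prefix is recognised (the only one in the posted license), and the meaning of the 'hosts<N>' / 'enchosts<N>' primitives is read from their names on this page. It does not claim to explain the error Hannu is seeing.

```python
"""Parse a Check Point NG `cplic print -p` primitive-feature string and compare
its host limits with the hosts FW-1 is counting (`fw lichosts`)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# The license line from the post, with the mail client's line wrapping removed.
# Real `cplic print -p` output normally separates the primitives with spaces;
# the parser accepts either form, so the run-together form is usable as-is.
LICENSE_BLOB = (
    "::CK-1C155AFC190E"
    "fw1:5.0:srunlimitfw1:5.0:spcpsfw1:5.0:pamfw1:5.0:enchosts5"
    "fw1:5.0:encryptionfw1:5.0:aesfw1:5.0:strongfw1:5.0:rdpfw1:5.0:des"
    "fw1:5.0:isakmpfw1:5.0:hosts5fw1:5.0:contentfw1:5.0:xlatefw1:5.0:fm"
)

# Constructed stand-in for `fw lichosts` output (assumption: one counted
# internal host address per line). Three hosts, as on one of the two sites.
LICHOSTS_SAMPLE = """192.168.105.10
192.168.105.11
192.168.105.12
"""

# Primitives in the posted license that bear on VPN-1 / encryption.
ENCRYPTION_PRIMITIVES = {"encryption", "des", "aes", "strong", "isakmp", "rdp"}


class Feature(NamedTuple):
    product: str   # e.g. "fw1"
    version: str   # e.g. "5.0"
    name: str      # e.g. "enchosts5"


def parse_primitives(blob: str, products: Tuple[str, ...] = ("fw1",)) -> Tuple[str, List[Feature]]:
    """Split "<CK>product:version:name..." into the certificate key and features.

    Each feature is introduced by a "product:version:" marker; the feature name
    is whatever follows, up to the next marker. Anchoring on a known product
    prefix is what makes the space-less form unambiguous. Other product
    prefixes can be passed in; only "fw1" occurs on this page.
    """
    marker = re.compile(r"(%s):(\d+\.\d+):" % "|".join(map(re.escape, products)))
    marks = list(marker.finditer(blob))
    if not marks:
        raise ValueError("no product:version: marker found in license string")
    ck = blob[:marks[0].start()].strip(": ")
    feats = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(blob)
        feats.append(Feature(m.group(1), m.group(2), blob[m.end():end].strip()))
    return ck, feats


def host_limit(feats: List[Feature], prefix: str) -> Optional[int]:
    """Numeric limit of a hosts<N> / enchosts<N> primitive; None if the
    primitive is absent or carries a non-numeric suffix such as 'unlimited'."""
    for f in feats:
        suffix = f.name[len(prefix):]
        if f.name.startswith(prefix) and suffix.isdigit():
            return int(suffix)
    return None


def vpn_license_report(blob: str, lichosts_output: str) -> Dict[str, object]:
    """Put the license's limits next to the host count FW-1 actually reports."""
    ck, feats = parse_primitives(blob)
    names = {f.name for f in feats}
    seen = [ln.strip() for ln in lichosts_output.splitlines() if ln.strip()]
    fw_limit = host_limit(feats, "hosts")
    enc_limit = host_limit(feats, "enchosts")
    return {
        "ck": ck,
        "feature_count": len(feats),
        "encryption_primitives": sorted(names & ENCRYPTION_PRIMITIVES),
        "fw_host_limit": fw_limit,
        "enc_host_limit": enc_limit,
        "hosts_seen": len(seen),
        "fw_hosts_over": fw_limit is not None and len(seen) > fw_limit,
        "enc_hosts_over": enc_limit is not None and len(seen) > enc_limit,
    }


if __name__ == "__main__":
    for key, value in vpn_license_report(LICENSE_BLOB, LICHOSTS_SAMPLE).items():
        print("%-22s %s" % (key, value))
```

Run on a box, feed it the real output: 'cplic print -p' for the blob and 'fw lichosts' for the host list. For the license on this page it reports both limits as 5 and all six encryption primitives present, so with two or three counted hosts neither "over" flag trips; that is the same picture Hannu describes, which is why the script is a way to document the checks rather than a diagnosis.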



 
   All contents © 2004 Network Presence, LLC. All rights reserved.