Re: [FW-1] smalloffice license on nokia ip120
Let me take advantage of the situation and ask another question: is it true that you cannot upgrade licenses in small office appliances to more hosts?

Regards,
Daniel Accioly Rosa
CCSE

-----Original Message-----
From: Hannu Liljemark [mailto:[email protected]]
Sent: Wednesday, 19 February 2003 08:48
To: [email protected]
Subject: [FW-1] smalloffice license on nokia ip120

Heya folks,

we've got a strange problem with using a SmallOffice license with a limit of 5 internal IP hosts on Nokia IP120 boxes. Two of our customers have boxes like that at remote locations. Both systems are installed as FW-1 modules, and they connect to a central management. With eval licenses they work fine, but as soon as you punch in the SmallOffice license the VPN dies as FW-1 complains:

VPN-1: Invalid encryption license: encryption license for 5 hosts (5 hosts allowed)
VPN-1: No license for encryption, disabling encryption features

The firewall functionality seems fine, but as all traffic goes through the VPN to the customers' main office where the servers are, without the VPN the systems are useless (of course we can make it not go through the VPN, but that's not the point). At the moment the problem is solved with a new eval license.

Before you tell us to check that the external interface is defined and FW-1 isn't seeing too many internal hosts or something else basic, here's the situation in more detail, in a somewhat chaotic order, but bear with me:

The external interface is defined in external.if. Also both systems have topology defined correctly via Policy Editor. If they were incorrect, I guess we would not see what we're seeing, right:

FW-1: setting external interface to eth-s1p1c0

so that looks correct as well. 'fw lichosts' or 'fw tab -t host_table' have never returned more hosts than they should. One side has two hosts, the other three, behind the Nokia. So that looks fine, no?

We tried 'fw lichosts -x' / 'fw tab -t host_table -x', removed fwd.h and fwd.hosts, but that didn't have any effect. Of course the systems were cpstop/cpstart'ed and rebooted in the middle of everything... several times. Anyway, wouldn't FW-1 just slow things down and flood the logs with the 'too many internal hosts' messages if something was wrong with that, instead of completely stopping encryption?

# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 2 Build 52284

# ifconfig -a
eth-s1p1c0: flags=e7<UP,PHYS_AVAIL,LINK_AVAIL,BROADCAST,MULTICAST,AUTOLINK>
        inet mtu 1500 .xx.xx./21 broadcast xxx.xx.xx.xxx
        phys eth-s1p1 flags=4173<UP,LINK,BROADCAST,MULTICAST,PROMISC,PRESENT>
        ether 0:a0:8e:21:6f:9c speed 10M half duplex
eth-s2p1c0: lname eth-s2p1c0 flags=e7<UP,PHYS_AVAIL,LINK_AVAIL,BROADCAST,MULTICAST,AUTOLINK>
        inet mtu 1500 192.168.105.1/24 broadcast 192.168.105.255
        phys eth-s2p1 flags=4133<UP,LINK,BROADCAST,MULTICAST,PRESENT>
        ether 0:a0:8e:21:6f:9d speed 10M half duplex
eth-s3p1c0: lname eth-s3p1c0 flags=e4<UP,BROADCAST,MULTICAST,AUTOLINK>
        phys eth-s3p1 flags=4132<UP,BROADCAST,MULTICAST,PRESENT>
        ether 0:a0:8e:21:6f:9e speed 10M half duplex
loop0c0: flags=57<UP,PHYS_AVAIL,LINK_AVAIL,LOOPBACK,MULTICAST>
        inet6 mtu 63000 ::1 --> ::1
        inet mtu 63000 127.0.0.1 --> 127.0.0.1
        phys loop0 flags=10b<UP,LINK,LOOPBACK,PRESENT>
soverf0: flags=2923<UP,LINK,MULTICAST,PRESENT,IPV6ONLY>
stof0: flags=2903<UP,LINK,PRESENT,IPV6ONLY>
tun0: flags=107<UP,LINK,POINTOPOINT,PRESENT>

Voyager tells us CPfw1-50-02 and CPshared-50-02 are in use. They were the normal packages, for the correct IPSO release, grabbed from Check Point's site. We're assuming things would be a lot more unusable had we done something wrong with these basic things. SecureUpdate says that both systems run FP2 + HF2. Looks fine.

We've tried licenses of both types, central and local, attaching them both with the command-line tool cplic and via SecureUpdate. Doesn't seem to make a difference (again, I don't see why it would). Each time the licenses were installed on both the modules and the central management. The management actually has an unlimited license as it controls other FW-1 systems as well, but we installed the smaller license on the management just for the hell of it to see that wasn't causing anything. The IP addresses are correct in the licenses. Anyway, if the licenses were totally wrong, you'd think even the firewall part wouldn't work (and it does - just the VPN dies), no?

I've read through the Nokia and Check Point knowledge bases for anything even remotely close to the problem and checked the mailing list archives. Nothing...

Perhaps the problem is something else and FW-1 decides to give an error like the one we get. Maybe debugging at the highest level could give useful info. Right now nothing usable seems to appear in $FWDIR/log/*elg that would take us forward in solving the problem.

I don't suppose it's possible that the SmallOffice license lacks some feature that FW-1/VPN would require on the Nokia IP120 platform? Or that we have some strange option enabled somewhere which causes the encryption disabling? Or that the objects and rules transferred from the management contain something that would require more features in the license, but lack of them leads to the error we get? As I said, the management also controls other systems (an HA setup of IP350 boxes among others). Maybe a long shot... but we're just trying to explore the possibilities as everything obvious has been checked as far as we can tell.

# cplic print -p
xxx.xxx.xx.xx never ::CK-1C155AFC190Efw1:5.0:srunlimitfw1:5.0:spcpsfw1:5.0:pamfw1:5.0:enchosts5fw1:5.0:encryptionfw1:5.0:aesfw1:5.0:strongfw1:5.0:rdpfw1:5.0:desfw1:5.0:isakmpfw1:5.0:hosts5fw1:5.0:contentfw1:5.0:xlatefw1:5.0:fm

The only thing not tested yet is re-installation of the FW-1 packages... and we don't want to do that yet no matter how simple and easy it is. Any ideas are welcome.
Thanks in advance.

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
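As an added example (not from the thread and not Check Point's own code), a short Python parser for the feature list in the quoted 'cplic print -p' line: it confirms the encryption-related features are present and compares the 'fw lichosts' count against the hosts5/enchosts5 caps. It assumes the features are back-to-back "fw1:5.0:<name>" tokens after the CK- signature, as the pasted line reads, and it cannot tell an absent feature from an unlimited one.

```python
import re

# Constructed from the 'cplic print -p' line quoted in the post, with the
# mailer's line-wrap breaks ("enchosts5f w1", "isak mpfw1") joined back up.
LICENSE_LINE = (
    "xxx.xxx.xx.xx never ::CK-1C155AFC190E"
    "fw1:5.0:srunlimitfw1:5.0:spcpsfw1:5.0:pamfw1:5.0:enchosts5"
    "fw1:5.0:encryptionfw1:5.0:aesfw1:5.0:strongfw1:5.0:rdpfw1:5.0:des"
    "fw1:5.0:isakmpfw1:5.0:hosts5fw1:5.0:contentfw1:5.0:xlatefw1:5.0:fm"
)

# Assumption: every feature is a back-to-back "fw1:5.0:<name>" token that
# follows the "::CK-..." signature, which is how the pasted line reads.
FEATURE_PREFIX = "fw1:5.0:"

def parse_license(line):
    """Return (host, expiry, signature, [feature names]) from one cplic line."""
    host, expiry, blob = line.split(None, 2)
    signature, _, rest = blob.partition(FEATURE_PREFIX)
    features = rest.split(FEATURE_PREFIX) if rest else []
    return host, expiry, signature.lstrip(":"), features

def limit(features, name):
    """Numeric cap from a token such as 'hosts5' / 'enchosts5'; None when
    the feature is absent or carries no number (treated as unlimited)."""
    for f in features:
        m = re.fullmatch(re.escape(name) + r"(\d*)", f)
        if m:
            return int(m.group(1)) if m.group(1) else None
    return None

def check_vpn_license(features, internal_hosts):
    """Findings to check first: are the encryption features the post lists
    in the license, and does the 'fw lichosts' count fit under both the
    firewall host cap and the encryption host cap?"""
    findings = []
    for needed in ("encryption", "isakmp", "des", "strong", "aes"):
        if needed not in features:
            findings.append("missing feature: " + needed)
    caps = {"hosts": limit(features, "hosts"),
            "enchosts": limit(features, "enchosts")}
    for name, cap in caps.items():
        if cap is not None and internal_hosts > cap:
            findings.append(f"{internal_hosts} internal hosts exceed {name} cap of {cap}")
    return caps, findings

if __name__ == "__main__":
    _, _, sig, feats = parse_license(LICENSE_LINE)
    print(sig, feats)
    print(check_vpn_license(feats, 3))  # three hosts behind one of the boxes
```

For the license quoted in the post this reports both caps as 5 and no findings at 2 or 3 hosts, which matches the poster's point that the host count alone does not explain the "No license for encryption" message.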