Re: [FW-1] smalloffice license on nokia ip120

I wasn't aware that the 120 ran Small Office. I thought that they only ran the full version of Check Point? At least that is what I have been teaching people. I believe that you are putting a Small Office license on a full version of Check Point.

Ted Serreyn

On Wed, 2003-02-19 at 09:16, Accioly, Daniel wrote:
> Let me take advantage of the situation and ask another question:
>
> Is it true that you cannot upgrade licenses in Small Office appliances to
> more hosts?
>
> Regards
>
> Daniel Accioly Rosa
> CCSE
>
> -----Original Message-----
> From: Hannu Liljemark [mailto:[email protected]]
> Sent: Wednesday, 19 February 2003 08:48
> To: [email protected]
> Subject: [FW-1] smalloffice license on nokia ip120
>
>
> Heya folks,
>
> We've got a strange problem with using a SmallOffice license with a limit
> of 5 internal IP hosts on Nokia IP120 boxes.
>
> Two of our customers have boxes like that at remote locations. Both
> systems are installed as FW-1 modules, and they connect to a central
> management. With eval licenses they work fine, but as soon as you punch
> in the SmallOffice license the VPN dies as FW-1 complains:
>
> VPN-1: Invalid encryption license: encryption license for 5 hosts (5 hosts allowed)
> VPN-1: No license for encryption, disabling encryption features
>
> The firewall functionality seems fine, but as all traffic goes through
> the VPN to the customers' main office where the servers are, without VPN
> the systems are useless (of course we can make it not go through the VPN,
> but that's not the point). At the moment the problem is solved with a new
> eval license.
>
> Before you tell us to check that the external interface is defined and FW-1
> isn't seeing too many internal hosts or something else basic, here's the
> situation in more detail, in a somewhat chaotic order, but bear with me:
>
> The external interface is defined in external.if. Also both systems have
> topology defined correctly via Policy Editor. If they were incorrect, I guess
> we would not see what we're seeing, right:
>
> FW-1: setting external interface to eth-s1p1c0
>
> so that looks correct as well.
>
> 'fw lichosts' or 'fw tab -t host_table' have never returned more hosts than
> they should. One side has two hosts, the other three, behind the Nokia.
> So that looks fine, no? We tried 'fw lichosts -x' / 'fw tab -t host_table -x',
> removed fwd.h and fwd.hosts but that didn't have any effect. Of course the
> systems were cpstop/cpstart'ed and rebooted in the middle of everything...
> several times.
>
> Anyway, wouldn't FW-1 just slow things down and flood the logs with the
> 'too many internal hosts' messages if something was wrong with that, instead
> of completely stopping encryption?
>
> # fw ver
> This is Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 2 Build 52284
>
> # ifconfig -a
> eth-s1p1c0: flags=e7<UP,PHYS_AVAIL,LINK_AVAIL,BROADCAST,MULTICAST,AUTOLINK>
>         inet mtu 1500 .xx.xx./21 broadcast xxx.xx.xx.xxx
>         phys eth-s1p1 flags=4173<UP,LINK,BROADCAST,MULTICAST,PROMISC,PRESENT>
>         ether 0:a0:8e:21:6f:9c speed 10M half duplex
> eth-s2p1c0: lname eth-s2p1c0 flags=e7<UP,PHYS_AVAIL,LINK_AVAIL,BROADCAST,MULTICAST,AUTOLINK>
>         inet mtu 1500 192.168.105.1/24 broadcast 192.168.105.255
>         phys eth-s2p1 flags=4133<UP,LINK,BROADCAST,MULTICAST,PRESENT>
>         ether 0:a0:8e:21:6f:9d speed 10M half duplex
> eth-s3p1c0: lname eth-s3p1c0 flags=e4<UP,BROADCAST,MULTICAST,AUTOLINK>
>         phys eth-s3p1 flags=4132<UP,BROADCAST,MULTICAST,PRESENT>
>         ether 0:a0:8e:21:6f:9e speed 10M half duplex
> loop0c0: flags=57<UP,PHYS_AVAIL,LINK_AVAIL,LOOPBACK,MULTICAST>
>         inet6 mtu 63000 ::1 --> ::1
>         inet mtu 63000 127.0.0.1 --> 127.0.0.1
>         phys loop0 flags=10b<UP,LINK,LOOPBACK,PRESENT>
> soverf0: flags=2923<UP,LINK,MULTICAST,PRESENT,IPV6ONLY>
> stof0: flags=2903<UP,LINK,PRESENT,IPV6ONLY>
> tun0: flags=107<UP,LINK,POINTOPOINT,PRESENT>
>
> Voyager tells CPfw1-50-02 and CPshared-50-02 are in use. They were the normal
> packages, for the correct IPSO release, grabbed from Check Point's site.
> We're assuming things would be a lot more unusable had we done something
> wrong with these basic things.
>
> SecureUpdate tells that both the systems run FP2 + HF2. Looks fine.
>
> We've tried licenses of both types, central and local, attaching them with
> both the command-line tool cplic and via SecureUpdate. Doesn't seem to make
> a difference (again, I don't see why it would). Each time the licenses were
> installed to both the modules and the central management. The management
> actually has an unlimited license as it controls other FW-1 systems as well,
> but we installed the smaller license to the management just for the hell of it
> to see that wasn't causing anything. The IP addresses are correct in the
> licenses. Anyway, if the licenses were totally wrong, you'd think even the
> firewall part wouldn't work (and it does - just the VPN dies), no?
>
> I've read through the Nokia and Check Point knowledge bases for anything even
> remotely close to the problem and checked the mailing list archives.
> Nothing...
>
> Perhaps the problem is something else and FW-1 decides to give an error like
> the one we get. Maybe debugging at the highest level could give useful info.
> Right now nothing usable seems to appear in $FWDIR/log/*elg that would take
> us forward in solving the problem.
>
> I don't suppose it's possible that the SmallOffice license lacks some feature
> that FW-1/VPN would require on the Nokia IP120 platform? Or that we have some
> strange option enabled somewhere which causes the encryption disabling? Or that
> the objects and rules transferred from the management contain something that
> would require more features in the license, but lack of them leads to the error
> we get? As I said, the management also controls other systems (an HA setup of
> IP350 boxes among others). Maybe a long shot... but we're just trying to explore
> the possibilities as everything obvious has been checked as far as we can tell.
>
> # cplic print -p
> xxx.xxx.xx.xx never
> ::CK-1C155AFC190Efw1:5.0:srunlimitfw1:5.0:spcpsfw1:5.0:pamfw1:5.0:enchosts5fw1:5.0:encryptionfw1:5.0:aesfw1:5.0:strongfw1:5.0:rdpfw1:5.0:desfw1:5.0:isakmpfw1:5.0:hosts5fw1:5.0:contentfw1:5.0:xlatefw1:5.0:fm
>
> The only thing not tested yet is re-installation of the FW-1 packages... and we
> don't want to do that yet no matter how simple and easy it is.
>
> Any ideas are welcome.
>
> Thanks in advance.
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

--
Ted Serreyn
Serreyn Network Services, LLC
http://www.serreyn.com/
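As an added example (not from the thread or from Check Point), a small Python check that parses the feature string shown in the `cplic print -p` output above and compares its host limits against the number of internal hosts the module is seeing (the figure one would read off `fw lichosts`). The token layout (each feature introduced by `fw1:5.0:`, counted features ending in a number or `unlimit`) and the set of VPN-relevant feature names are assumptions read from the posted output, not from a license specification; the sample string is that output with the mail wrapping joined.

```python
import re

# Constructed sample: the feature string from the thread's "cplic print -p"
# output with the mail-client line wrap joined back together.
SAMPLE_FEATURES = (
    "::CK-1C155AFC190Efw1:5.0:srunlimitfw1:5.0:spcpsfw1:5.0:pamfw1:5.0:"
    "enchosts5fw1:5.0:encryptionfw1:5.0:aesfw1:5.0:strongfw1:5.0:rdpfw1:5.0:"
    "desfw1:5.0:isakmpfw1:5.0:hosts5fw1:5.0:contentfw1:5.0:xlatefw1:5.0:fm"
)

# Assumption: every feature token is introduced by the product/version prefix.
TOKEN_PREFIX = re.compile(r"fw1:5\.0:")
# Assumption: counted features look like "hosts5", "enchosts5" or "srunlimit".
LIMIT_RE = re.compile(r"^(?P<name>[a-z]+?)(?P<limit>\d+|unlimit)$")

# Features the VPN side depends on; names taken from the posted string, and
# the choice of which ones matter is an assumption of this example.
VPN_FEATURES = ("encryption", "isakmp", "des")


def parse_features(blob: str) -> list[str]:
    """Split the concatenated feature string into tokens ('srunlimit', 'hosts5', ...)."""
    parts = TOKEN_PREFIX.split(blob.strip())
    return [p for p in parts[1:] if p]  # parts[0] is the ::CK-... certificate key


def limit_for(features: list[str], name: str):
    """Numeric limit for a counted feature ('hosts', 'enchosts'); None when
    the token says unlimit; 0 when the feature is absent altogether."""
    for tok in features:
        m = LIMIT_RE.match(tok)
        if m and m.group("name") == name:
            return None if m.group("limit") == "unlimit" else int(m.group("limit"))
    return 0


def check_vpn_license(blob: str, active_hosts: int) -> dict:
    """Report missing VPN features and whether the observed internal host count
    exceeds either the licensed host limit or the encryption-host limit."""
    feats = parse_features(blob)
    hosts, enc_hosts = limit_for(feats, "hosts"), limit_for(feats, "enchosts")
    over = any(lim is not None and active_hosts > lim for lim in (hosts, enc_hosts))
    return {
        "features": feats,
        "missing": [f for f in VPN_FEATURES if f not in feats],
        "hosts_limit": hosts,
        "enc_hosts_limit": enc_hosts,
        "over_limit": over,
    }


if __name__ == "__main__":
    # Three hosts behind the box, as on one of the sites in the thread.
    print(check_vpn_license(SAMPLE_FEATURES, active_hosts=3))
```

For the posted string and three internal hosts the check reports no missing VPN feature and no limit exceeded, which is the same conclusion the poster reached by hand; it only becomes a finding when the host count is raised above 5.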