
Re: [FW-1] smalloffice license on nokia ip120



I wasn't aware that the 120 ran SmallOffice.  I thought that they only
ran the full version of Check Point?  At least that is what I have been
teaching people.  I believe that you are putting a SmallOffice license
on a full version of Check Point.

Ted Serreyn


On Wed, 2003-02-19 at 09:16, Accioly, Daniel wrote:
> Let me take advantage of the situation and ask another question:
>
> is it true that you cannot upgrade licenses in small office appliances to
> more hosts?
>
> Regards
>
> Daniel Accioly Rosa
> CCSE
>
> -----Original Message-----
> From: Hannu Liljemark [mailto:[email protected]]
> Sent: Wednesday, 19 February 2003 08:48
> To: [email protected]
> Subject: [FW-1] smalloffice license on nokia ip120
>
>
> Heya folks,
>
> we've got a strange problem with using a SmallOffice license with a limit
> of 5 internal IP hosts on Nokia IP120 boxes.
>
> Two of our customers have boxes like that at remote locations. Both
> systems are installed as FW-1 modules, and they connect to a central
> management. With eval licenses they work fine, but as soon as you punch
> in the SmallOffice license the VPN dies as FW-1 complains:
>
> VPN-1: Invalid encryption license: encryption license for 5 hosts (5 hosts
> allowed)
> VPN-1: No license for encryption, disabling encryption features
>
> The firewall functionality seems fine, but as all traffic goes through
> the VPN to customers' main office where the servers are, without VPN
> the systems are useless (of course we can make it not go through the VPN
> but that's not the point). At the moment the problem is solved with a new
> eval license.
>
> Before you tell us to check that the external interface is defined and FW-1
> isn't seeing too many internal hosts or something else basic, here's the
> situation in more detail, in a somewhat chaotic order, but bear with me:
>
> The external interface is defined in external.if. Also both systems have
> topology defined correctly via Policy Editor. If they were incorrect, I guess
> we would not see what we're seeing, right:
>
> FW-1: setting external interface to eth-s1p1c0
>
> so that looks correct as well.
>
> 'fw lichosts' or 'fw tab -t host_table' have never returned more hosts than
> they should. One side has two hosts, the other three, behind the Nokia.
> So that looks fine, no? We tried 'fw lichosts -x' / 'fw tab -t host_table -x',
> removed fwd.h and fwd.hosts but that didn't have any effect. Of course the
> systems were cpstop/cpstart'ed and rebooted in the middle of everything...
> several times.
>
> Anyway, wouldn't FW-1 just slow things down and flood the logs with the
> 'too many internal hosts' messages if something was wrong with that, instead
> of completely stopping encryption?
>
> # fw ver
> This is Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 2 Build 52284
>
> # ifconfig -a
> eth-s1p1c0:  flags=e7<UP,PHYS_AVAIL,LINK_AVAIL,BROADCAST,MULTICAST,AUTOLINK>
>         inet mtu 1500 .xx.xx./21 broadcast xxx.xx.xx.xxx
>         phys eth-s1p1
> flags=4173<UP,LINK,BROADCAST,MULTICAST,PROMISC,PRESENT>
>         ether 0:a0:8e:21:6f:9c speed 10M half duplex
> eth-s2p1c0:  lname eth-s2p1c0
> flags=e7<UP,PHYS_AVAIL,LINK_AVAIL,BROADCAST,MULTICAST,AUTOLINK>
>         inet mtu 1500 192.168.105.1/24 broadcast 192.168.105.255
>         phys eth-s2p1 flags=4133<UP,LINK,BROADCAST,MULTICAST,PRESENT>
>         ether 0:a0:8e:21:6f:9d speed 10M half duplex
> eth-s3p1c0:  lname eth-s3p1c0 flags=e4<UP,BROADCAST,MULTICAST,AUTOLINK>
>         phys eth-s3p1 flags=4132<UP,BROADCAST,MULTICAST,PRESENT>
>         ether 0:a0:8e:21:6f:9e speed 10M half duplex
> loop0c0:  flags=57<UP,PHYS_AVAIL,LINK_AVAIL,LOOPBACK,MULTICAST>
>         inet6 mtu 63000 ::1 --> ::1
>         inet mtu 63000 127.0.0.1 --> 127.0.0.1
>         phys loop0 flags=10b<UP,LINK,LOOPBACK,PRESENT>
> soverf0:  flags=2923<UP,LINK,MULTICAST,PRESENT,IPV6ONLY>
> stof0:  flags=2903<UP,LINK,PRESENT,IPV6ONLY>
> tun0:  flags=107<UP,LINK,POINTOPOINT,PRESENT>
>
> Voyager says CPfw1-50-02 and CPshared-50-02 are in use. They were the normal
> packages, for the correct IPSO release, grabbed from Check Point's site.
> We're assuming things would be a lot more unusable had we done something
> wrong with these basic things.
>
> SecureUpdate says that both the systems run FP2 + HF2. Looks fine.
>
> We've tried licenses of both types, central and local, attaching them with
> both the command-line tool cplic and via SecureUpdate. Doesn't seem to make
> a difference (again, I don't see why it would). Each time the licenses were
> installed to both the modules and the central management. The management
> actually has an unlimited license as it controls other FW-1 systems as well,
> but we installed the smaller license to the management just for the hell of it
> to see that it wasn't causing anything. The IP addresses are correct in the
> licenses. Anyway, if the licenses were totally wrong, you'd think even the
> firewall part wouldn't work (and it does - just the VPN dies), no?
>
> I've read through the Nokia and Check Point knowledge bases for anything even
> remotely close to the problem and checked the mailing list archives.
> Nothing...
>
> Perhaps the problem is something else and FW-1 decides to give an error like
> the one we get. Maybe debugging at the highest level could give useful info.
> Right now nothing usable seems to appear in $FWDIR/log/*elg that would take
> us forward in solving the problem.
>
> I don't suppose it's possible that the SmallOffice license lacks some feature
> that FW-1/VPN would require on the Nokia IP120 platform? Or that we have some
> strange option enabled somewhere which causes the encryption disabling? Or that
> the objects and rules transferred from the management contain something that
> would require more features in the license, but lack of them leads to the error
> we get?
> As I said, the management also controls other systems (an HA setup of IP350
> boxes among others). Maybe a long shot... but we're just trying to explore the
> possibilities as everything obvious has been checked as far as we can tell.
>
> # cplic print -p
> xxx.xxx.xx.xx    never
> ::CK-1C155AFC190Efw1:5.0:srunlimitfw1:5.0:spcpsfw1:5.0:pamfw1:5.0:enchosts5f
> w1:5.0:encryptionfw1:5.0:aesfw1:5.0:strongfw1:5.0:rdpfw1:5.0:desfw1:5.0:isak
> mpfw1:5.0:hosts5fw1:5.0:contentfw1:5.0:xlatefw1:5.0:fm
>
> Only thing not tested yet is re-installation of FW-1 packages... and we
> don't want to do that yet no matter how simple and easy it is.
>
> Any ideas are welcome.
>
> Thanks in advance.
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
--
Ted Serreyn
Serreyn Network Services, LLC
http://www.serreyn.com/
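An added example (not from the thread, and not Check Point's tooling) that rejoins the line-wrapped `cplic print -p` feature string quoted above, pulls out the hostsN/enchostsN limits, and checks them against the numbers VPN-1 reports in its complaint. It assumes each feature name is introduced by an `fw1:<version>:` prefix, as the quoted output suggests, and uses the masked IP exactly as it appears in the post.

```python
import re

# Constructed sample: the 'cplic print -p' output quoted in the thread, with the
# archive's line wrapping and the IP masked exactly as in the post.
CPLIC_LINES = [
    "xxx.xxx.xx.xx    never",
    "::CK-1C155AFC190Efw1:5.0:srunlimitfw1:5.0:spcpsfw1:5.0:pamfw1:5.0:enchosts5f",
    "w1:5.0:encryptionfw1:5.0:aesfw1:5.0:strongfw1:5.0:rdpfw1:5.0:desfw1:5.0:isak",
    "mpfw1:5.0:hosts5fw1:5.0:contentfw1:5.0:xlatefw1:5.0:fm",
]
VPN_LOG = "VPN-1: Invalid encryption license: encryption license for 5 hosts (5 hosts allowed)"

# Assumption: each feature name is introduced by a product:version prefix like fw1:5.0:
FEATURE_PREFIX = re.compile(r"\s*fw1:\d+\.\d+:")
LIMIT_RE = re.compile(r"(enchosts|hosts)(\d+)")
COMPLAINT_RE = re.compile(r"encryption license for (\d+) hosts \((\d+) hosts allowed\)")

def license_features(lines):
    """Rejoin the wrapped string from the '::CK-' line on and split out the feature names."""
    start = next(i for i, line in enumerate(lines) if line.strip().startswith("::"))
    blob = "".join(line.strip() for line in lines[start:])
    return FEATURE_PREFIX.split(blob)[1:]  # element 0 is the certificate key

def host_limits(features):
    """Numeric limits of the hostsN (firewall) and enchostsN (encryption) features."""
    limits = {}
    for feature in features:
        m = LIMIT_RE.fullmatch(feature)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits

def parse_complaint(line):
    """(licensed_hosts, allowed_hosts) from the VPN-1 complaint, or None for other lines."""
    m = COMPLAINT_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(cplic_lines, log_line):
    """Cross-check the license against the log line; consistent=True means the license
    itself agrees with what VPN-1 reports, so the cause must lie elsewhere."""
    features = license_features(cplic_lines)
    limits = host_limits(features)
    complaint = parse_complaint(log_line)
    consistent = (
        "encryption" in features
        and complaint is not None
        and limits.get("enchosts") == complaint[1] == limits.get("hosts")
    )
    return {"features": features, "limits": limits, "complaint": complaint, "consistent": consistent}
```

For the values in the thread the check comes back consistent: the license carries encryption, enchosts5 and hosts5, and VPN-1 reports 5 allowed, which is the poster's point that the license contents alone do not explain the failure.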

