
Re: [FW-1] No SR VPN after upgrade to IPSO 3.6-FCS6 & NG FP3 HF1 HFA_305



Try deleting the other firewall from the configuration.

I think that this has to do with the new VPN routing code.

If you have two firewalls defined, they will both be handed out in the
topology, even if you mark one of them as do not export for SecuRemote.

I have had this issue in this configuration and when migrating a single
firewall to a new gateway cluster.  Deleting the old firewall took care
of the problem (for SecuRemote).

However, I also have problems where the NG clients can only use the
firewall for obtaining their topo and the 4.1 clients must still use the
management station.  If we use the firewall for them all, the 4.1 SR
VPNs begin to fail.


Ted Serreyn


On Sun, 2003-02-23 at 08:37, Roelandts, Guy wrote:
> Hi all,
>
>    I am wondering if someone has encountered the following situation
> during his migration, and of course I'd like to know too how it has
> been fixed.
>
>    The environment is:
>
>     - Management = Windows NT 4.0-SP6a + CheckPoint NG FP3 + HF1 + HFA_305
>     - Firewall   = Nokia IP440 IPSO 3.6-FCS6 + CheckPoint NG FP3 + HF1 + HFA_305
>         --> this one was coming from 4.1-SP3 ... then NG FP1
>
>    Due to several other issues we had before, we delayed this upgrade
> till now.
>
>    The Firewall is in fact an HA solution, using VRRP MC, on which we
> broke the cluster: one module is still up and running with 4.1 and the
> second member has been migrated to the above-mentioned version.
>
>    Since then, when trying to establish a SR VPN with the module we
> get the following error message:
>
>  dst scheme NA: route status temporary unavailable resources.
>
>    The rule showing this error is the one that should encrypt my SR
> connections. I can authenticate, but the rule rejects the connection,
> and it is in the clear, not encrypted!!
>
>     I read article sk16981 in the Check Point knowledge base but they
> ask to install HFA_303, but I installed a higher version, HFA_305!!!
>
>     If nobody has seen this before I think I'll have to downgrade once
> more and start upgrading step by step and after each step test!!
>
>    Thank you for any ideas you might have.
>
> Met vriendelijke groeten - Bien à vous - Kind regards
> Guy ROELANDTS
> EMEA GS Internet Expertise Centre - CCSE-NG
> Hewlett-Packard Belgium B.V.B.A./S.P.R.L.
> E-mail : [email protected]
> Tel: +32(02)729.77.44 (options 3 - 3 - 1)
> Fax: +32(02)729.77.65
--
Ted Serreyn
Serreyn Network Services, LLC
http://www.serreyn.com/

   All contents © 2004 Network Presence, LLC. All rights reserved.