
Re: [FW-1] Tunnels behaving strangely


  • To: [email protected]
  • Subject: Re: [FW-1] Tunnels behaving strangely
  • From: "La Coursiere, Jeff" <[email protected]>
  • Date: Thu, 24 Jul 2003 17:17:31 +0100
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcNR+XlntRS2GjsdRUmieFXTSHTxFAABU0/Q
  • Thread-topic: [FW-1] Tunnels behaving strangely

One funny thing is that we see collisions on the ingress port on one side, which bothers me because it is connected to a switch.  I don't have access to either endpoint myself, so I have queries in to check the duplex settings on the switch and the device.  I also thought the SAs may not be synced, but am told that both endpoints are driven by the same mgmt station, and my understanding is that SA lifetime in 4.1 is a policy-wide parameter rather than a tunnel-specific parameter, so they claim there is no way that they could be different with respect to each other.  Is there a command line query that can be run to check?

Thanks,

j

-----Original Message-----
From: Reinhard Stich [mailto:[email protected]]
Sent: 24 July 2003 16:06
To: [email protected]
Subject: Re: [FW-1] Tunnels behaving strangely


At 12:31 24.07.2003 +0100, you wrote:
>Hi Gurus,
>
>Have two sets of two Nokia IP330s (in HA) that support tunnels between two
>sites.  Traffic from B to A flows 24x7 without trouble.  Particular
>traffic from A to B (HTTPS from a server at A to a server at B) seems to
>fail for an hour or slightly more at a time, every few days.  During the
>outage period I have run packet traces at the ingress of the primary IP330
>and see the unencrypted traffic at least destined for itself.  But there
>are no drops or rejects in the log viewer, and the normal 'encrypt' log
>entries are also missing.  After a time (up to two hours) the traffic
>simply begins flowing again normally.  All the while traffic initiated in
>the other direction flows normally.
>
>Can anyone think of any reason for this?

hi,

do you see any error-message on one of the 2 vpn-endpoints?

check the SA-lifetimes.

cheers
reinhard


--
Reinhard Stich,   ASSIST    [email protected]
Internet Security AG, 1190 Wien, Nussdorfer Laende 29-33
Tel: +43 1 370 94 40  RS784-RIPE Fax: +43 1 370 94 40-10

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.