Re: [FW-1] VPNs dying every hour-Secureplatform quirks, internal CA problems, and backup-restore fun


  • To: [email protected]
  • Subject: Re: [FW-1] VPNs dying every hour-Secureplatform quirks, internal CA problems, and backup-restore fun
  • From: "O'Brien, James" <[email protected]>
  • Date: Fri, 25 Jul 2003 08:24:19 -0500
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Thanks.  I put SecurePlatform NG FP3 with HF2 in my original inquiry.

Ended up rebuilding my firewall on a spare machine, and I'm rebuilding my
production firewall with AI as we speak.

Here are a couple of things I discovered with the newer versions of
SecurePlatform.  One, it uses /etc/sysconfig/netstart to bring up the
network interfaces.  Two, the /etc/sysconfig/network-scripts/static-routes
file doesn't seem to work.  I added a script to the startup to enter my
routes, but the static-routes file doesn't seem to be incorporated any more.

My original install had gotten pretty 'dirty': it was an upgrade on top of
an upgrade, with a couple of products installed that weren't being used but
were tested at one time or another (User Authority server, SmartReporter,
etc.).  SecurePlatform comes with a handy 'backup' utility that tars your
important files, but if your target machine doesn't have the same programs
set up, it'll fail with a 'didn't find the same products installed' error.
However, if you look in the tar file that is created during the backup, it
has all of your important config files, such as /opt/CPfw1_50_03/*, cpshared
info, and the /etc files that matter...  You can still get what you need out
of them by untarring and copying.

We also had problems with our internal CA, and had to blow it away because
we couldn't connect with our smart client consoles.  Kept getting 'cannot
initiate connection, check to make sure server is running'.  Ran a check on
the internal SIC on the firewall and it was failing.  Finally had to
manually edit the objects_5_0.C file, remove the certificate for the main
firewall object, and run fwm sic_reset.  Then used cpconfig to recreate the
internal CA with option 7.  To reinitialize SIC with our remote modules (we
have a couple of site-to-site VPNs set up), I used the 'cpca_dbutil print
InternalCA' command to get the common names of the devices, then ran
'cpca_client revoke_cert -n cn=(name)' to revoke the certs for the failing
devices.  After that, we were able to re-initiate SIC with the modules
(ip71s and intrusion pds boxes).

Phew.
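A startup script of the kind mentioned above, as an added example (not the script from the thread): it reads a static-routes file in the Red Hat "any net <network> netmask <mask> gw <gateway>" line format (an assumption about that file's layout), validates every entry first, and only then turns each line into a route add command, so a typo in one line does not leave the gateway with a half-applied routing table.

```python
"""Added example: replay a static-routes file as 'route add' commands.

Assumes the Red Hat line format '<iface|any> net <network> netmask <mask>
gw <gateway>' for /etc/sysconfig/network-scripts/static-routes; the whole
file is parsed and validated before anything is applied, so a malformed
entry aborts the run instead of leaving a partial routing table.
"""
import ipaddress
import subprocess

# Constructed sample file contents (not from the thread).
SAMPLE_STATIC_ROUTES = """\
# routes to the remote VPN sites, via the internal router
any net 10.10.0.0 netmask 255.255.0.0 gw 192.168.1.254
eth1 net 172.16.5.0 netmask 255.255.255.0 gw 192.168.1.253
"""

def parse_static_routes(text):
    """Return a list of (iface, network, netmask, gateway); raise on bad lines."""
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if len(f) != 7 or f[1] != "net" or f[3] != "netmask" or f[5] != "gw":
            raise ValueError(f"static-routes line {lineno}: unexpected format: {raw!r}")
        # ip_network rejects a network/mask pair with host bits set (10.1.0.5/255.255.0.0)
        ipaddress.ip_network(f"{f[2]}/{f[4]}")
        ipaddress.ip_address(f[6])
        routes.append((f[0], f[2], f[4], f[6]))
    return routes

def route_add_commands(text):
    """Build the net-tools command line for every route in the file."""
    cmds = []
    for iface, net, mask, gw in parse_static_routes(text):
        cmd = ["/sbin/route", "add", "-net", net, "netmask", mask, "gw", gw]
        if iface != "any":          # 'any' leaves interface selection to the kernel
            cmd += ["dev", iface]
        cmds.append(cmd)
    return cmds

def apply_static_routes(path, dry_run=True):
    """Parse and validate the whole file, then apply; dry_run only returns the commands."""
    with open(path) as fh:
        cmds = route_add_commands(fh.read())
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds
```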



-----Original Message-----
From: Frank Darden [mailto:[email protected]]
Sent: Thursday, July 24, 2003 5:21 PM
To: [email protected]
Subject: Re: [FW-1] VPNs dying every hour

You don't say which version you are running, but if it's NG AI you may need
to turn off fingerprint scrambling. Also, if the enforcement point is
defined with its internal IP address in the General tab, this can also
cause all sorts of problems with the VPNs. Try this and see.

Frank


-----Original Message-----
From: O'Brien, James [mailto:[email protected]]
Sent: Wednesday, July 23, 2003 9:17 AM
To: [email protected]
Subject: Re: [FW-1] VPNs dying every hour

Nope, not yet.  I think I might now though.

-----Original Message-----
From: [email protected]
[mailto:[email protected]]
Sent: Tuesday, July 22, 2003 6:11 PM
To: [email protected]
Subject: Re: [FW-1] VPNs dying every hour

This topic has been discussed at least a few times on the list.  I thought I
remember one of the HFAs fixing it.  Have you applied any on top of
Hotfix-2?

-Aaron

-----Original Message-----
From: O'Brien, James [mailto:[email protected]]
Sent: Tuesday, July 22, 2003 2:41 PM
To: [email protected]
Subject: [FW-1] VPNs dying every hour


I have SecurePlatform NG FP3 with HF2, and three VPNs that are always
active.  Every 55-60 minutes, the VPNs all drop.  I get two noticeable
errors in the log:

'encryption fail reason: Packet is dropped because there is no valid SA'
'encryption failure: No response from peer'

I've been over every Check Point article I can find, and have implemented
all of their recommendations, including turning off aggressive mode,
changing firewall objects, etc.  Has anyone seen this strange behavior
before?  I understand why the VPNs break (no SA), but I don't know why it's
doing it...
Based on the fact that all of my VPNs break at once, I'm fairly convinced
the problem is with my central firewall.  All of the remote VPN firewalls
are NG FP2 boxes.
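The reasoning in the original message (all tunnels drop together, at a fixed 55-60 minute interval, so the fault is at the central gateway) can be checked against the log rather than by eye. The following is an added example, not code from the thread; the log line format, peer addresses and timestamps are constructed for it, and the 55-60 minute window is taken from the message.

```python
"""Added example: test whether VPN drops are synchronized and periodic.

Per-peer SA-loss events are extracted, gaps between consecutive drops are
measured, and drops are checked for happening together across all peers;
a shared, fixed gap points at the central gateway's SA/key lifetime rather
than at any one remote site. Line format and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: three peers losing their SA together every ~57 min.
SAMPLE_LOG = """\
22Jul2003 08:00:14 vpn peer=10.1.1.1 encryption fail reason: Packet is dropped because there is no valid SA
22Jul2003 08:00:14 vpn peer=10.2.2.2 encryption fail reason: Packet is dropped because there is no valid SA
22Jul2003 08:00:15 vpn peer=10.3.3.3 encryption failure: No response from peer
22Jul2003 08:57:40 vpn peer=10.1.1.1 encryption fail reason: Packet is dropped because there is no valid SA
22Jul2003 08:57:41 vpn peer=10.2.2.2 encryption failure: No response from peer
22Jul2003 08:57:41 vpn peer=10.3.3.3 encryption fail reason: Packet is dropped because there is no valid SA
22Jul2003 09:55:02 vpn peer=10.1.1.1 encryption fail reason: Packet is dropped because there is no valid SA
22Jul2003 09:55:03 vpn peer=10.2.2.2 encryption fail reason: Packet is dropped because there is no valid SA
22Jul2003 09:55:03 vpn peer=10.3.3.3 encryption failure: No response from peer
22Jul2003 10:12:30 vpn peer=10.1.1.1 accept rule=7
"""

LINE_RE = re.compile(r"^(\d{2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2}) vpn peer=(\S+) (.*)$")
DROP_MARKERS = ("no valid SA", "No response from peer")   # the two errors from the post

def parse_drops(text):
    """Map each peer to the timestamps of its SA-loss events, in log order."""
    drops = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and any(k in m.group(3) for k in DROP_MARKERS):
            drops[m.group(2)].append(datetime.strptime(m.group(1), "%d%b%Y %H:%M:%S"))
    return dict(drops)

def drop_intervals_min(drops):
    """Whole minutes between consecutive drops, per peer."""
    return {p: [round((b - a).total_seconds() / 60) for a, b in zip(t, t[1:])]
            for p, t in drops.items()}

def periodic_peers(drops, lo_min=55, hi_min=60):
    """Peers whose every drop interval lies inside [lo_min, hi_min]."""
    return sorted(p for p, iv in drop_intervals_min(drops).items()
                  if iv and all(lo_min <= g <= hi_min for g in iv))

def drops_are_synchronized(drops, tolerance_s=5):
    """True if every drop of the first peer is matched by every other peer within tolerance."""
    peers = list(drops)
    return len(peers) > 1 and all(
        any(abs((t - u).total_seconds()) <= tolerance_s for u in drops[q])
        for t in drops[peers[0]] for q in peers[1:])
```

If periodic_peers() names every tunnel and drops_are_synchronized() is true, the drops share one clock, which is what you would expect from a lifetime setting on the central gateway rather than from three independent remote problems.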



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
