Re: [FW-1] VPNs dying every hour - SecurePlatform quirks, internal CA problems, and backup-restore fun
Thanks. I put in my original inquiry SecurePlatform NG FP3 with HF2. I ended up rebuilding my firewall on a spare machine, and I'm rebuilding my production firewall with AI as we speak.

Here are a couple of things I discovered with the newer versions of SecurePlatform. One, it uses /etc/sysconfig/netstart to bring up the network interfaces. Two, the /etc/sysconfig/network-scripts/static-routes file doesn't seem to work. I added a script to the startup to enter my routes, but the static-routes file doesn't seem to be incorporated any more.

My original install had gotten pretty 'dirty': it was an upgrade on top of an upgrade, with a couple of products installed that weren't being used but had been tested at one time or another (User Authority server, SmartReporter, etc.).

SecurePlatform comes with a handy 'backup' utility that tars your important files, but if your target machine doesn't have the same programs set up, it'll fail with a 'didn't find the same products installed' error. However, if you look in the tar file that is created during the backup, it has all of your important config files, such as /opt/CPfw1_50_03/*, cpshared info, and the /etc files that matter. You can still get what you need out of them by untarring and copying.

We also had problems with our internal CA, and had to blow it away because we couldn't connect with our SmartClient consoles. We kept getting 'cannot initiate connection, check to make sure server is running'. I ran a check on the internal SIC on the firewall and it was failing. I finally had to manually edit the objects_5_0.C file, remove the certificate for the main firewall object, and run fwm sic_reset. Then I used cpconfig to recreate the internal CA with option 7. To reinitialize SIC with our remote modules (we have a couple of site-to-site VPNs set up), I used the 'cpca_dbutil print InternalCA' command to get the common names of the devices, then ran 'cpca_client revoke_cert -n cn=(name)' to revoke the certs for the failing devices.

After that, we were able to re-initiate SIC with the modules (IP71s and Intrusion PDS boxes). Phew.

-----Original Message-----
From: Frank Darden [mailto:[email protected]]
Sent: Thursday, July 24, 2003 5:21 PM
To: [email protected]
Subject: Re: [FW-1] VPNs dying every hour

You don't say which version you are running, but if it's NG AI you may need to turn off fingerprint scrambling. Also, if the enforcement point is defined with its internal IP address in the General tab, this can also cause all sorts of problems with the VPNs. Try this and see.

Frank

-----Original Message-----
From: O'Brien, James [mailto:[email protected]]
Sent: Wednesday, July 23, 2003 9:17 AM
To: [email protected]
Subject: Re: [FW-1] VPNs dying every hour

Nope, not yet. I think I might now though.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, July 22, 2003 6:11 PM
To: [email protected]
Subject: Re: [FW-1] VPNs dying every hour

This topic has been discussed at least a few times on the list. I thought I remembered one of the HFAs fixing it. Have you applied any on top of Hotfix-2?

-Aaron

-----Original Message-----
From: O'Brien, James [mailto:[email protected]]
Sent: Tuesday, July 22, 2003 2:41 PM
To: [email protected]
Subject: [FW-1] VPNs dying every hour

I have SecurePlatform, NG FP3 with HF2, and three VPNs that are always active. Every 55-60 minutes, the VPNs all drop. I get two noticeable errors in the log:

'encryption fail reason: Packet is dropped because there is no valid SA'
'encryption failure: No response from peer'

I've been over every Check Point article I can find, and have implemented all of their recommendations, including turning off aggressive mode, changing firewall objects, etc. Has anyone seen this strange behavior before? I understand why the VPNs break (no SA), but I don't know why it's doing it... Based on the fact that all of my VPNs break at once, I'm fairly convinced the problem is with my central firewall. All of the remote VPN firewalls are NG FP2 boxes.

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
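Editor's note on the static-routes point in James's reply: he reports that on the newer SecurePlatform the /etc/sysconfig/network-scripts/static-routes file is no longer applied at boot and that he worked around it with a startup script. The following is an added example of such a script, written by the editor; it is not code from the thread, from Check Point, or from SecurePlatform. It assumes the legacy Red Hat line format for that file (`<device> net <network> netmask <mask> gw <gateway>` and `<device> host <address> gw <gateway>`), which the post never shows, and translates each line into the /sbin/route command the old network init scripts would have issued. By default it only prints the commands; it executes them only when APPLY=1, so the result can be checked before the script is hooked into startup. The sample routes file is constructed for the demo; malformed lines are reported on stderr and skipped rather than turned into a half-formed route.

```shell
#!/bin/sh
# Added example (editor-supplied, not from the thread): re-apply static routes at boot
# from a Red Hat style static-routes file after the interfaces are up.
#
# Assumed line format (legacy Red Hat network-scripts convention):
#   <device> net  <network> netmask <mask> gw <gateway>
#   <device> host <address> gw <gateway>
# Blank lines and lines beginning with '#' are ignored.

# Translate one static-routes line into the equivalent /sbin/route command.
# Returns 0 and prints the command; 1 for blank/comment lines (nothing to do);
# 2 for a malformed line (caller should report it, never guess a route).
route_cmd_for_line() {
    # shellcheck disable=SC2086
    set -- $1                        # word-split the line into fields
    case "${1:-}" in
        ''|'#'*) return 1 ;;         # blank, whitespace-only or comment
    esac
    [ $# -ge 2 ] || return 2
    dev=$1; kind=$2; shift 2
    case "$kind" in
        net)  [ $# -eq 5 ] && [ "$2" = netmask ] && [ "$4" = gw ] || return 2
              echo "/sbin/route add -net $1 netmask $3 gw $5 $dev" ;;
        host) [ $# -eq 3 ] && [ "$2" = gw ] || return 2
              echo "/sbin/route add -host $1 gw $3 $dev" ;;
        *)    return 2 ;;
    esac
}

# Walk a static-routes file. Dry run (print commands) unless APPLY=1, in which
# case each command is executed and failures are reported but do not abort the rest.
apply_static_routes() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        cmd=$(route_cmd_for_line "$line") && rc=0 || rc=$?
        case $rc in
            0)  if [ "${APPLY:-0}" = 1 ]; then
                    $cmd || echo "static-routes: failed: $cmd" >&2
                else
                    echo "$cmd"
                fi ;;
            2)  echo "static-routes: skipping malformed line: $line" >&2 ;;
        esac
    done < "$file"
}

# Constructed sample file (not from the post) so the script runs stand-alone.
# Prints the temp file's path.
make_sample_routes() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# device  type  destination  netmask          gateway
eth0 net 10.20.0.0 netmask 255.255.0.0 gw 192.168.1.254
eth1 net 172.16.5.0 netmask 255.255.255.0 gw 172.16.0.1

eth0 host 203.0.113.7 gw 192.168.1.254
# malformed: no netmask, must be reported and skipped
eth2 net 10.0.0.0 gw 10.1.1.1
EOF
    echo "$f"
}

# Stand-alone demo: dry run over the sample. As root with APPLY=1 it would add the routes.
sample=$(make_sample_routes)
apply_static_routes "$sample"
rm -f "$sample"
```

To use it for real, call `APPLY=1 apply_static_routes /etc/sysconfig/network-scripts/static-routes` from a startup hook that runs after the interfaces are configured (on this platform the reply says /etc/sysconfig/netstart brings them up). The script deliberately does no address validation of its own; `route` rejects garbage, and the dry run shows exactly which routes would be installed before anything touches the kernel table.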