
Re: [FW-1] SecureRemote - NATTing issue??



Thank you Jim. I reviewed the docs for the XP NAT patch and it seems like a very likely place to begin, so I will ask, as I do not think they are aware of this patch. I have pressed my client twice now about whether other clients are experiencing the same problem and he said he does not have access, but I will press him a third time, as this is an important question. I also already asked him if there was any personal firewall on the client XP box, or if there ever was, and he said he would ask; I know this can also cause some serious issues. I don't think PGP is involved, but that is another good question I will forward to him. When the problem occurs, he can still get a connection to the Internet. No error logs are showing anything of interest, other than the usual 'drop packets' / cannot reach destination messages (or something similar that offers no lead for an investigation).

Jim Laverty <[email protected]> wrote:
Chris,

A few questions for you:

Does the client have the latest XP NAT patch from Microsoft installed?

Do other users connect from the client site w/o any problems? If so, are
they running the same OS and SR client?

Are there any software based firewalls running on the client machine (e.g.
BlackICE, Norton Firewall, Zone Alarm, etc)?

I have seen PGPNet cause problems with SecureClient on XP.

When the problem occurs can he get connectivity to the internet (e.g. can he
ping, ssh, telnet mail.. 25, etc to non-internal boxes)?

Are any errors logged in the system event log during the anomaly?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Chris Dias
Sent: Friday, September 05, 2003 6:58 AM
To: [email protected]
Subject: [FW-1] SecureRemote - NATTing issue??


Hi Group:

Thank you for your support. So far, we have not found a correct solution to
this problem so I have condensed the subject and troubleshooting for easier
reading to resubmit to this group. The comments and suggestions (from me,
you, client) that seemed least likely a culprit have been put at the rear of
this document and the more likely put in front.

To summarize briefly, the problem is that periodically (several times a day)
the VPN malfunctions and starts sending packets to the private IP address
from the remote client instead of the public IP, causing packets to be
dropped. The problem can be temporarily corrected by either waiting (problem
corrects itself), by rebooting, or by deleting and recreating the site
definition.

It's a Host<->Gateway VPN, from client's boss' home SecuRemote to their
Internet firewall. Since his boss is behind a NAT-ing ADSL gateway/firewall,
it uses udp encapsulation. What is actually going on is pretty clear,
however. If he tcpdumps on the ADSL fw/router in front of the SecuRemote
machine, it is quite revealing. While SR is working correctly, it is sending
the udp encapsulated IPsec packets to the correct interface of the FW. When
it starts misbehaving, it starts trying to send the same packets to the IP
address of the internal interface of the firewall (which is, of course, a
private IP address: RFC 1918). I have not yet seen any reason why it starts
sending to the wrong IP suddenly.






=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================


Christopher J. Dias - CCSA, CCSE (Checkpoint), MCP+I, MCSE (Microsoft), CCNA, CCNP (Cisco), CSE (Novell)
Address: 1121 Budapest
Fülemile út 12-18 4.ép.3/11.
Phone: 36 1 275-4008 Mobile: 06-20/803 9687
[email protected]



   All contents © 2004 Network Presence, LLC. All rights reserved.