One funny thing is that we see collisions on the ingress port on one side,
which bothers me because it is connected to a switch. I don't have access to
either endpoint myself, so have queries in to check the duplex settings on the
switch and the device. I also thought the SAs may not be synced, but am told
that both endpoints are driven by the same mgmt station, and my understanding
is that SA lifetime in 4.1 is a policy-wide parameter rather than a tunnel
specific parameter, so they claim there is no way that they could be different
with respect to each other. Is there a command line query that can be run to
check?
Thanks,
j
-----Original Message-----
From: Reinhard Stich [mailto:r.stich AT INTERNET-SECURITY DOT AT]
Sent: 24 July 2003 16:06
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Tunnels behaving strangely
At 12:31 24.07.2003 +0100, you wrote:
>Hi Gurus,
>
>Have two sets of two Nokia IP330s (in HA) that support tunnels between two
>sites. Traffic from B to A flows 24x7 without trouble. Particular
>traffic from A to B (HTTPS from a server at A to a server at B) seems to
>fail for an hour or slightly more at a time, every few days. During the
>outage period I have run packet traces at the ingress of the primary IP330
>and see the unencrypted traffic at least destined for itself. But there
>are no drops or rejects in the log viewer, and the normal 'encrypt' log
>entries are also missing. After a time (up to two hours) the traffic
>simply begins flowing again normally. All the while traffic initiated in
>the other direction flows normally.
>
>Can anyone think of any reason for this?
hi,
do you see any error-message on one of the 2 vpn-endpoints?
check the SA-lifetimes.
cheers
reinhard
--
Reinhard Stich, ASSIST R.Stich AT internet-security DOT at
Internet Security AG, 1190 Wien, Nussdorfer Laende 29-33
Tel: +43 1 370 94 40 RS784-RIPE Fax: +43 1 370 94 40-10
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
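The first message in this thread mentions collisions on an ingress port that is cabled to a switch. A link that has negotiated full duplex cannot collide, so a non-zero collision counter on such a port almost always means a duplex mismatch (one side full, the other half); the symptom is intermittent loss rather than a hard failure, which can stall IKE rekeys or IPsec traffic without producing any drop or reject in the policy log. The script below is an added example, not code from the thread or from Check Point or Nokia. It assumes the BSD-style `netstat -i` column layout (Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll) that IPSO prints; the interface names and counter values in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag interfaces whose collision
# counter is non-zero, or above a given percentage of transmitted packets,
# in BSD-style `netstat -i` output. Column layout assumed:
#   Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
# Fields are read from the end of each line because the Network/Address
# columns are not present for every interface type.

# Constructed sample output (interface names in IPSO style are assumed).
SAMPLE_NETSTAT='Name       Mtu   Network  Address            Ipkts Ierrs    Opkts Oerrs  Coll
eth-s1p1c0 1500  <Link>   00:a0:8e:00:00:01 1523311     0  1498220     0     0
eth-s2p1c0 1500  <Link>   00:a0:8e:00:00:02  812003   412   790115   118 31877
lo0        16384 <Link>                         2203     0     2203     0     0'

# report_collisions THRESHOLD_PERCENT  < netstat_output
# Prints "IFACE coll=N opkts=M pct=P" for every non-loopback interface whose
# collisions exceed THRESHOLD_PERCENT of output packets (any collision at
# all when the threshold is 0). Exit status 1 if something was flagged,
# 0 otherwise, so it can drive a cron job or monitoring check.
report_collisions() {
    threshold="${1:-0}"
    awk -v thr="$threshold" '
        NR == 1      { next }            # header line
        $1 == "lo0"  { next }            # loopback never collides
        {
            coll  = $NF
            opkts = $(NF - 2)
            pct   = (opkts > 0) ? coll * 100 / opkts : 0
            if (coll > 0 && pct > thr) {
                printf "%s coll=%d opkts=%d pct=%.2f\n", $1, coll, opkts, pct
                flagged = 1
            }
        }
        END { exit (flagged ? 1 : 0) }'
}

# Usage on a live box:   netstat -i | report_collisions 0
# Usage on the sample:   printf "%s\n" "$SAMPLE_NETSTAT" | report_collisions 1
```

On a port connected to a switch, run it with a threshold of 0: the only acceptable answer is no output. A counter that keeps climbing between two runs a few minutes apart is the signal to fix the duplex setting on one side before chasing SA lifetimes or policy.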