Firewall-1

[FW-1] Secure remote VPN tunnel breaks

Subject: [FW-1] Secure remote VPN tunnel breaks
From: Andras DORN <dorn AT KTK.BME DOT HU>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 27 Nov 2003 00:00:54 +0100
Hi Gurus,

I have a major problem with my running system. I have more than 2k+
SecureRemote clients with various OSs (w9x, w2k, wXP) and client versions
(FP2, FP3, AI). On the firewall side the running config is w2k+SP4, NG FP2.
The encryption method is AES-256 + MD5.


Many times my clients squawk that our VPNs are unusable, because they
suddenly cannot connect to the server. I checked my logs and could
distinguish two types of behaviour:

a.) Everything is fine
In the firewall's log:
 1.) Source: client Dest: FW Action: key install (QM, Ph2) Key pair: "X"
 2.) Source: client Dest: VPNhost Action: decrypt Key pair: "X"
In the client's log:
 1.) Source: client Dest: FW Action: key install (QM, Ph2) Key pair: "X"
 2.) Client uses key "X"

b.) At an undetermined time, or after an uncountable number of successful QM key installs
In the firewall's log:
 1.) Source: client Dest: FW Action: key install (QM, Ph2) Key pair: "X"
 2.) Source: FW Dest: client Action: key install (QM, Ph2) Key pair: "Y"
 3.) Source: client Dest: VPNhost Action: Drop Key pair: "X" Info:
     encryption didn't match the rule
In the client's log:
 1.) Source: FW Dest: client Action: key install (QM, Ph2) Key pair: "Y"
 2.) Source: client Dest: FW Action: key install (QM, Ph2) Key pair: "X"
 3.) Client tries to use key "X"

In case "a" everything is OK and the VPN works fine, but in case "b"
the VPN tunnel is broken until the next key install (of type "a").

Has anybody met this kind of problem? Why does the FW send a new key
install back to my clients?


Best regards,
_____________________________________________________________________
Dorn Andras dorn AT ktk.bme DOT hu, dorn AT eik.bme DOT hu Andrew Dorn
Budapesti Muszaki Egyetem Technical University of Budapest
Karman Todor Kollegium Karman Todor Student Hostel
---------------------------------------------------------------------
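The two log patterns above (a healthy client whose traffic is decrypted with the key pair it installed, and a broken one where the firewall pushes a second Phase 2 key pair while the client keeps using the first) can be picked out of a firewall log mechanically. The script below is an added example, not code from the original post or from Check Point: it parses log lines in the Source / Dest / Action / Key pair / Info layout the poster quotes, tracks per client which key pair each side installed last, and flags a drop whose key pair is the client's old one while the firewall already holds a newer one. The exact line format, the peer names "clientA"/"clientB", and the sample log lines are constructed assumptions; "X", "Y", "FW" and "VPNhost" are the placeholders used in the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed field layout, taken from the post: Source / Dest / Action / Key pair / Info.
# Key pair names may or may not be quoted; Info is optional.
LOG_RE = re.compile(
    r"Source:\s*(?P<src>\S+)\s+Dest:\s*(?P<dst>\S+)\s+Action:\s*(?P<action>.+?)\s+"
    r'Key pair:\s*"?(?P<key>[^"\s]+)"?(?:\s+Info:\s*(?P<info>.*))?$'
)

# Names used for the gateway side in the post; anything else is a remote client.
FW_NAMES = {"FW", "VPNhost"}


@dataclass
class Event:
    src: str
    dst: str
    action: str
    key: str
    info: Optional[str] = None


@dataclass
class PeerState:
    client_key: Optional[str] = None   # last Phase 2 key pair the client negotiated
    fw_key: Optional[str] = None       # last Phase 2 key pair the firewall pushed
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Event]:
    """Parse one firewall log line; return None for lines in another format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Event(m["src"], m["dst"], m["action"].strip(), m["key"], m["info"])


def peer_of(ev: Event) -> str:
    """The remote client is whichever side is not the firewall / protected host."""
    return ev.dst if ev.src in FW_NAMES else ev.src


def analyse(lines) -> Dict[str, List[str]]:
    """Replay log lines in order and report, per client, healthy decrypts and
    drops caused by the client using an older key pair than the firewall."""
    state: Dict[str, PeerState] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        st = state.setdefault(peer_of(ev), PeerState())
        if ev.action.startswith("key install"):
            # Record who installed the key: a firewall-initiated install (Source: FW)
            # is the event the poster is asking about.
            if ev.src in FW_NAMES:
                st.fw_key = ev.key
            else:
                st.client_key = ev.key
        elif ev.action == "decrypt":
            st.findings.append(f"ok: traffic decrypted with key {ev.key}")
        elif ev.action == "Drop":
            if st.fw_key and st.fw_key != ev.key and ev.key == st.client_key:
                st.findings.append(
                    f"stale SA: client uses {ev.key}, firewall installed {st.fw_key}")
            else:
                st.findings.append(f"drop with key {ev.key}: {ev.info}")
    return {peer: st.findings for peer, st in state.items()}


# Constructed sample log: clientA follows pattern (a), clientB pattern (b).
SAMPLE_LOG = [
    'Source: clientA Dest: FW Action: key install (QM, Ph2) Key pair: "X"',
    'Source: clientA Dest: VPNhost Action: decrypt Key pair: "X"',
    'Source: clientB Dest: FW Action: key install (QM, Ph2) Key pair: "X"',
    'Source: FW Dest: clientB Action: key install (QM, Ph2) Key pair: "Y"',
    "Source: clientB Dest: VPNhost Action: Drop Key pair: X Info: encryption didn't match the rule",
]

if __name__ == "__main__":
    for peer, findings in analyse(SAMPLE_LOG).items():
        for f in findings:
            print(f"{peer}: {f}")
```

Run against a real export, the interesting output is every "stale SA" line: each one pairs a firewall-side key install with a later drop on the client's previous key pair, which is exactly the sequence the poster sees in case "b". The script only correlates the two events; it does not say why the gateway initiated the second Phase 2 exchange, which is the open question in the post.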
