This is what I would do:
1) Explicitly set the MTU on the GRE tunnel interface to 1400:
interface Tunnel0
 ip address 1.1.1.1 255.255.255.0
 ! 1400 leaves room for the GRE and IPsec headers inside a 1500-byte physical MTU
 ip mtu 1400
 tunnel source Ethernet0/0
 ! placeholder address: this must be the remote peer, not the tunnel's own IP
 tunnel destination 1.1.1.1
end
2) If this still doesn't work, make sure that the PC does NOT have the Microsoft patch MS05-019 installed. Apparently, this patch on the PC will break the VPN no matter what MTU you set on the GRE interface. If this patch is installed on the PC, un-install it. Read below.
Good luck and let me know how it goes.
http://www.ntbugtraq.com/default.aspx?pid=36&sid=1&A2=ind0504&L=ntbugtraq&T=0&O=D&F=N&P=7001
"After installing the update in Microsoft Security Bulletin MS05-019 on
two servers at a customer site, we are no longer able to connect via VPN
to terminal services on those servers. (Other servers that did not have
the security bulletins from last Tuesday installed can connect via VPN.)
After many hours over two days working with Microsoft Product Support
Services, we discovered that forcing the MTU size down allowed the
client to connect to terminal services. Today Microsoft PSS reported
that they have confirmed that there is a problem with ICMP messages being
incorrectly discarded (others have opened PSS cases about this issue).
This could be why the MTU size is not being set correctly.
There will be an update to the patch in MS05-019, but as of this time,
that update is not available. A Microsoft KB article is being written
and has been assigned the number KB898060, but as to this time, that
article is not publicly available.
I will be uninstalling the update for Security Bulletin MS05-019 from
our customers' servers this evening and waiting for the corrected patch
before reinstalling it."
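A small model of the MTU and path-MTU-discovery interaction discussed in this thread, added here as an illustration and not taken from the thread or from any Cisco or Check Point code. The header sizes and the ICMP-discarding behaviour are assumptions derived from the messages above.

```python
# Added illustration (not from the thread): how a GRE tunnel MTU of 1400 keeps
# encrypted packets within a 1500-byte physical MTU, and why a PC that discards
# ICMP "fragmentation needed" messages (the MS05-019 behaviour quoted above)
# blackholes large packets regardless of the tunnel MTU.
# Header sizes are assumptions for a plain GRE + ESP tunnel-mode setup.

IP_HDR = 20        # IPv4 header
GRE_HDR = 4        # GRE header without key/sequence fields
ESP_OVERHEAD = 56  # assumed ESP overhead: SPI/seq, IV, padding, trailer, ICV


def encapsulated_size(inner_len: int) -> int:
    """On-the-wire size of an inner IP packet after GRE, then ESP tunnel mode."""
    gre_packet = IP_HDR + GRE_HDR + inner_len      # outer IP + GRE + inner packet
    return IP_HDR + ESP_OVERHEAD + gre_packet      # second outer IP + ESP


def send_df_packet(size, gre_mtu, physical_mtu, icmp_reaches_pc):
    """One DF-set packet from the PC. Returns (outcome, value)."""
    if size > gre_mtu:
        # The router drops a DF packet larger than the tunnel MTU and answers
        # with ICMP type 3 code 4 carrying gre_mtu; a PC that discards that
        # ICMP (as described for MS05-019) never learns the smaller MTU.
        return ("icmp", gre_mtu) if icmp_reaches_pc else ("blackhole", size)
    wire = encapsulated_size(size)
    if wire > physical_mtu:
        # Encrypted packet no longer fits the physical link: the router has to
        # fragment it, which is exactly what clamping the tunnel MTU avoids.
        return "fragmented", wire
    return "delivered", wire


def pc_session(pc_mtu, gre_mtu, physical_mtu=1500, icmp_reaches_pc=True):
    """PC starts at its own MTU and lowers it on ICMP feedback (path MTU discovery)."""
    size = pc_mtu
    for _ in range(4):  # bounded number of PMTUD rounds
        outcome, value = send_df_packet(size, gre_mtu, physical_mtu, icmp_reaches_pc)
        if outcome != "icmp":
            return outcome, size
        size = value    # adopt the MTU reported in the ICMP message
    return "blackhole", size


if __name__ == "__main__":
    print(pc_session(1500, 1400))                          # delivered at 1400
    print(pc_session(1500, 1400, icmp_reaches_pc=False))   # blackhole: ICMP discarded
    print(pc_session(1400, 1400, icmp_reaches_pc=False))   # per-PC MTU workaround
    print(pc_session(1500, 1476))                          # Cisco default GRE MTU: fragmented
```

The four runs at the bottom correspond to the thread's cases: the clamped tunnel with working PMTUD, the patched PC that discards ICMP, the per-PC MTU workaround Angelo mentions, and the unclamped default GRE MTU.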
Sena Angelo <angelo.sena AT ATOSORIGIN DOT COM> wrote:
Thank you very much for your reply, and sorry for my late reply.
Yes, it is a Cisco GRE.
We have already made the changes you suggested, but it does not work.
Bye
-----Original Message-----
From: cisco4ng [mailto:cisco4ng AT YAHOO DOT COM]
Sent: Wednesday 27 April 2005 12:19
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] mtu value on checkpoint vpn
It cannot be done for a single VPN. MTU is an attribute of an interface. I am assuming you are doing some kind of GRE routing and encapsulating GRE inside an IPSec tunnel.
Is this Cisco GRE? The alternative thing to do is to reduce the MTU on the GRE interface (Cisco will let you do this). That way, during ICMP path MTU discovery, you can be sure that the IPSec packet will always be less than 1460 and therefore your VPN traffic will not be fragmented.
Try it and let me know.
cisco4ng
Sena Angelo wrote:
Hi,
I have a problem with the site-to-site VPN when I use the connection inside a GRE tunnel.
The problem is that if one PC starts a VPN connection and needs to negotiate the MTU value, this happens inside the GRE tunnel and cannot be understood by the other site.
Does anyone know if it is possible to change the MTU value on a single VPN on the Checkpoint Firewall-1 firewall (using some parameter on the policy rule)?
If I change the MTU value on the single PC, the application works fine, but I would have to change the MTU on every PC.
We use Checkpoint Firewall-1 NG AI R55.
Thanks in advance.
Bye
Angelo Sena
Network services
Atos Origin
Viale Carlo Viola, 76 - 11026 Pont Saint Martin (AO) - Italy
Tel: +39.0125.810.718
Fax: +39.0125.810.340
E-mail: angelo.sena AT atosorigin DOT com
This electronic message contains information from Atos Origin, which may be
privileged and confidential. The information is intended for the use of the
individual(s) or entity named above. If you are not the intended recipient,
be aware that any disclosure, copying, distribution or use of the contents
of this information is prohibited.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================