Nevertheless, I still have a select few users that cannot connect to the
server. The errors are "Update failed" or if creating a new site, they get
timeouts. Strangely in the logs, I don't see any activity of the attempt to
connect which leads me to believe something is blocking it on their site or
somewhere in the middle.
If you're using Implied Rules to accept the remote access connections, make
sure you're logging the Implied Rules. I think it's off by default.
One particular user has both cable and DSL
connections and could not connect while on DSL. Switching to cable did the
trick. Now that the site has been created, he can successfully reconnect
over DSL. Unfortunately most of my users have only a single broadband
connection.
This is almost always an MTU problem. ADSL using PPPoE adds eight bytes to
the packet, pushing it over the 1,500-byte limit and causing fragmentation.
I don't know if SR does automatic MTU adjustment, but SC does.
I've also seen this exact problem caused by junk home routers. "Junk" as
spelled "DLink." They could hook their computer directly to the Internet
modem, create the site and then go back behind the router and all would be
well.
Is your firewall object specified with the internal interface or the
external interface IP address? It really needs to be the external IP
address.
You don't happen to have SC, do you? Visitor Mode, which tunnels all of the
IPSec protocols over TCP 443, is a real life-saver in situations like this.
We've had many a hotel where they block all outbound traffic except 80 & 443
where Visitor Mode saved the day.
Another fix, if they are semi-technically inclined and have admin access, is
to email them a copy of the userc.C file from a computer that works. They
will need to stop both Check Point services, save the file in the correct
folder to overwrite the existing one and restart the services. If you do
this while the services are running, it won't work. I've used this procedure
on a few computers that were behind junk routers but we could not risk
exposing them to the Internet.
Ray
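A practical check for the PPPoE/MTU point raised in Ray's reply, added here as an example (it is not part of the original thread and not Check Point code): binary-search the path MTU towards the VPN gateway with DF-marked pings, then report whether the shortfall matches the eight bytes PPPoE adds. The live probe assumes Linux iputils `ping` (`-M do -s <payload>`); the `simulated_probe` is a constructed stand-in so the logic runs offline, and the hostname is a placeholder.

```python
import shutil
import subprocess

IP_HEADER = 20          # IPv4 header without options
ICMP_HEADER = 8         # ICMP echo header
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field


def ping_probe(host, payload, timeout=2):
    """Send one ICMP echo with the DF bit set and `payload` data bytes.

    Uses Linux iputils ping ("-M do" = never fragment). Returns True when the
    echo is answered, False when the path needs fragmentation or times out.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do",
           "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0


def simulated_probe(path_mtu):
    """Constructed offline stand-in for ping_probe.

    Models a path whose smallest link has MTU `path_mtu`: a DF-marked packet
    gets through only if IP header + ICMP header + payload fits.
    """
    def probe(host, payload):
        return payload + IP_HEADER + ICMP_HEADER <= path_mtu
    return probe


def find_path_mtu(probe, host, lo=576, hi=ETHERNET_MTU):
    """Binary-search the largest IP packet that crosses the path unfragmented.

    `probe(host, payload)` returns True when an ICMP echo carrying `payload`
    data bytes with DF set is answered. `lo` must succeed (576 is the IPv4
    minimum every host must accept); the answer is the total IP packet size.
    """
    lo_payload = lo - IP_HEADER - ICMP_HEADER
    hi_payload = hi - IP_HEADER - ICMP_HEADER
    if not probe(host, lo_payload):
        raise RuntimeError(
            "%d-byte packets are dropped too; host unreachable or ICMP "
            "filtered, so this is not an MTU measurement" % lo)
    while lo_payload < hi_payload:
        mid = (lo_payload + hi_payload + 1) // 2
        if probe(host, mid):
            lo_payload = mid          # mid fits; search upwards
        else:
            hi_payload = mid - 1      # mid needs fragmentation; search below
    return lo_payload + IP_HEADER + ICMP_HEADER


def explain(path_mtu):
    """Turn a measured path MTU into the diagnosis a VPN admin wants."""
    if path_mtu >= ETHERNET_MTU:
        return "full 1500-byte path; MTU is not the problem"
    shortfall = ETHERNET_MTU - path_mtu
    if shortfall == PPPOE_OVERHEAD:
        return ("path MTU %d = 1500 - 8: a PPPoE (ADSL) link is in the path, "
                "clamp the client MTU to %d" % (path_mtu, path_mtu))
    return ("path MTU %d: %d bytes of extra encapsulation somewhere, clamp "
            "the client MTU to %d" % (path_mtu, shortfall, path_mtu))


if __name__ == "__main__":
    host = "vpn.example.invalid"     # placeholder gateway name
    # Fall back to the simulated PPPoE path when ping is unavailable or
    # the host does not resolve, so the script runs offline.
    probe = ping_probe if shutil.which("ping") else simulated_probe(1492)
    try:
        mtu = find_path_mtu(probe, host)
    except RuntimeError:
        mtu = find_path_mtu(simulated_probe(1492), host)
    print(explain(mtu))
```

Run it from the failing client towards the gateway's external address; a result of 1492 is the classic PPPoE signature, and any path MTU below 1500 means the IPsec-encapsulated packets need either MTU clamping on the client or a path that does not drop fragments.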