Hi there,
I did have a similar problem to yours but I was using NG Feature Pack 3 at
the time and Nokia VRRP, not ClusterXL like yours. Not only did the VPN
tunnel crumble, it didn't work at all.
The problem has to do with the VPN concentrator running an older version of
code, version 3.x, I believe. Once I upgraded the VPN concentrator to version
4.7.x, everything worked fine after that. As I recall, there was also an
issue with the VPN concentrator messing up the VPN tunnel after the phase II
timeout expired.
Checkpoint blamed this problem on the VPN concentrator and recommended
upgrading the Cisco firmware (i.e. OS).
Check the VPN concentrator firmware and upgrade to version 4.7.x, if this is
possible.
cisco4ng
Dion-ben Hendriks <D.Hendriks AT INFO.UMCN DOT NL> wrote:
Hi,
We are experiencing problems with one (out of 15) of our VPN tunnels. When the
other side tries to open more than one session, not tunnels, i.e. start a
second ping to a second host, the tunnel crumbles...the performance breaks
down, and I see in my FW-1 log the following message: "IKE: Quick Mode Received
Notification from Peer: invalid spi"
We have a FW-1 R54 HFA-417 ClusterXL in HA Unicast mode; the other side is a
Cisco VPN concentrator. When I do cphastop on one (out of 2) cluster nodes
everything seems to work fine...;-(
I tried to set the stickiness of the cluster to IPs & ports, which did not help;
also setting to IPs didn't help.
Anybody any ideas?
Dion
-----------------------------------------------------------------------
Dion-ben Hendriks, Netwerkspecialist
UMC St Radboud
Staf Informatievoorziening - ICT in balans
UMC St Radboud / UMC Nijmegen
Route 37 Stafdienst Informatievoorziening
Postbus 9101
6500 HB Nijmegen, The Netherlands
Tel:(+31)/(0) 24 36 19330
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================