Firewall-1

Re: [FW-1] Cluster upgrade and SecureClient

Subject: Re: [FW-1] Cluster upgrade and SecureClient
From: Mark Elsen <mark.elsen AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 30 Oct 2006 09:24:39 +0100
Hi,

Yesterday we upgraded our Clustered Nokia VRRP pair of IP 530s from IPSO 3.7.1 
and NG R54 to IPSO 4.0 build 30 and NGX R60 HFA02.

Today I can no longer connect to the remote access vpn using SecureClient. When 
I try to create a site I get Error: Communication with site x.x.x.x failed. 
Looking in SmartView Tracker I can see an Accepted entry from my IP for 
FW1_topo (264) but nothing more.

Another user can connect to the vpn with his existing SecureClient policy but 
gets an error during the connection 'unable to communicate with policy server 
on cluster01'.

We upgraded all of the central licenses that were attached to the gateways to 
NGX and re-attached them. A policy server license is attached to one of the 
gateways and the cluster object properties show that the SecureClient Policy 
Server option is selected.

SmartView Tracker is showing that users are still able to connect to the vpn 
and is logging decrypted traffic against usernames.

Does anyone have any ideas?

- We had a similar issue when upgrading to NGX R61 from R60;
the solution was to allow both Firewalls' IPs as allowed agent host(s)
on our RSA server, which we use for SecureClient authentication.

Apparently there was a behavior change, in the sense that from
that release the cluster did not use the cluster IP address when
accessing the RSA server, but now the individual IPs of the cluster members
were used.

Aaaa...H, guess we owe the world the reason why we get paid each month :-)

M.
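A quick way to confirm whether the members really source their SecurID traffic from their own addresses rather than the VIP, before touching the RSA server, is to capture on a member and compare the source addresses against the agent-host list. The script below is an added illustration, not something from this thread or from Check Point or RSA. It assumes the gateway talks the native RSA agent protocol on UDP 5500 (if it authenticates via RADIUS instead, set RSA_PORT to 1645 or 1812); the capture text, the RSA server address 192.0.2.50, the VIP 192.0.2.10 and the member addresses 192.0.2.11/12 are all constructed for the example. On a live member you would pipe in `tcpdump -n -i <iface> udp port 5500` instead of the constructed sample.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -i eth0 udp port 5500` output, as it would
# look on one cluster member after the upgrade: authentication requests leave
# from the member's own address (192.0.2.11 / 192.0.2.12), not from the VIP.
# All addresses are made up for illustration.
SAMPLE_CAPTURE='12:01:02.000001 IP 192.0.2.11.40001 > 192.0.2.50.5500: UDP, length 124
12:01:02.004210 IP 192.0.2.50.5500 > 192.0.2.11.40001: UDP, length 96
12:01:05.100001 IP 192.0.2.12.40002 > 192.0.2.50.5500: UDP, length 124
12:01:05.104000 IP 192.0.2.50.5500 > 192.0.2.12.40002: UDP, length 96'

RSA_SERVER=192.0.2.50   # assumed RSA Authentication Manager address
RSA_PORT=5500           # RSA agent protocol, UDP 5500 (use 1645/1812 for RADIUS)

# Agent hosts currently registered on the RSA server. Pre-upgrade only the
# cluster VIP was needed; this is the list the check is run against.
ALLOWED_AGENT_HOSTS='192.0.2.10'

# Print the distinct source addresses that sent UDP to the RSA server port.
# tcpdump fields: 1=time 2="IP" 3=src.ip.port 4=">" 5=dst.ip.port: ...
auth_sources() {
    printf '%s\n' "$1" | awk -v srv="$RSA_SERVER" -v port="$RSA_PORT" '
        $2 == "IP" && $5 ~ /:$/ {
            dst = $5; sub(/:$/, "", dst)
            split(dst, d, ".")
            dip = d[1] "." d[2] "." d[3] "." d[4]; dport = d[5]
            if (dip == srv && dport == port) {
                split($3, s, ".")
                print s[1] "." s[2] "." s[3] "." s[4]
            }
        }' | sort -u
}

# Print every observed source address that is missing from the agent-host
# list; each one is a cluster member the RSA server will refuse to talk to.
missing_agent_hosts() {
    for ip in $(auth_sources "$1"); do
        found=0
        for a in $ALLOWED_AGENT_HOSTS; do
            [ "$ip" = "$a" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$ip"
    done
}

missing_agent_hosts "$SAMPLE_CAPTURE"
```

With the constructed capture the check prints 192.0.2.11 and 192.0.2.12, i.e. both members need to be added as agent hosts (and, for RADIUS, as clients with the shared secret) while the VIP entry can stay for the failover case. The capture side only proves which addresses the members use; the RSA server's own log is still the place to confirm the rejection, and the same check is worth repeating after a failover so the standby member is covered too.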

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
