Firewall-1

Re: [FW-1] Cluster upgrade and SecureClient

Subject: Re: [FW-1] Cluster upgrade and SecureClient
From: Nick Whitworth <Nick.whitworth AT DETICA DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 30 Oct 2006 08:36:58 -0000

Thanks for your replies. We've found the solution, which was in the VRRP
properties of each gateway: we had to enable the "Allow Connections to
VRRP IPs" option. Our SecureClients were then able to connect to the
policy server.

Thanks

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Mark
Elsen
Sent: 30 October 2006 08:25
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Cluster upgrade and SecureClient

> Hi,
>
> Yesterday we upgraded our Clustered Nokia VRRP pair of IP 530s from
> IPSO 3.7.1 and NG R54 to IPSO 4.0 build 30 and NGX R60 HFA02.
>
> Today I can no longer connect to the remote access vpn using
> SecureClient. When I try to create a site I get Error: Communication
> with site x.x.x.x failed. Looking in SmartView Tracker I can see an
> Accepted entry from my IP for FW1_topo (264) but nothing more.
>
> Another user can connect to the vpn with his existing SecureClient
> policy but gets an error during the connection 'unable to communicate
> with policy server on cluster01'.
>
> We upgraded all of the central licenses that were attached to the
> gateways to NGX and re-attached them. A policy server license is
> attached to one of the gateways and the cluster object properties show
> that the SecureClient Policy Server option is selected.
>
> SmartView Tracker is showing that users are still able to connect to
> the vpn and is logging decrypted traffic against usernames.
>
> Does anyone have any ideas?

 - We had a similar issue when upgrading to NGX R61 from R60;
the solution was to allow both firewalls' IPs as allowed agent host(s)
on our RSA server, which we use for SecureClient authentication.

Apparently there was a behavior change, in the sense that from
that release the cluster did not use the cluster IP address when
accessing the RSA server, but now the individual IPs of the cluster
members were used.

Aaaa...H, guess we owe the world the reason why we get paid each month
:-)

M.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================


