Subject: Re: [FW-1] Problem with VPN
From: David DeSimone <fox AT VERIO DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 3 Apr 2007 14:55:17 -0500

Julio Bretín Díaz <j.bretin AT UNIWAY DOT ES> wrote:
>
> Encryption fail reason:  Packet is dropped because there is no valid
> SA - please refer to solution sk19423 in SecureKnowledge.

This message is just a side effect of a VPN tunnel failing to be
negotiated.  It nearly always is preceded about 60 seconds earlier in
the log, with an actual message showing the nature of the problem
between the two gateways.

First, double-click the log entry that says "no valid SA", and click
"More information" to show all data fields.  Look for the field called
"VPN Peer Gateway", which should give you the IP of the gateway that
would have been used.

Then, filter your log by selecting the local gateway (the one that
generated the log entry) and the remote gateway (that you found in the
above step).  Place these objects into a filter on both the Source and
Destination columns.  This will reduce the noise in the log and only
show you communications between the two gateways.

You should now see the nature of the problem, because these log messages
should show you what is wrong (such as timeout connecting to gateway, or
encryption parameters mismatched, or shared secret invalid, etc).

-- 
David DeSimone == Network Admin == fox AT verio DOT net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous."  -- Robert Benchley
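The same three steps carried out over an exported log file rather than in the SmartView Tracker GUI, as an added example that is not from the post above or from Check Point: locate the "no valid SA" entry, read its VPN Peer Gateway field, then keep only the lines exchanged between the local gateway and that peer in the window before the drop. The semicolon layout, the field names, and the sample lines are all constructed for this example; check them against the header line of your own `fwm logexport` output before using it.

```python
"""Triage "no valid SA" drops in an exported Check Point log.

Over text, this mirrors the SmartView Tracker steps from the mail:
take the "no valid SA" entry, read its VPN Peer Gateway field, then
show only gateway-to-gateway lines in the minutes before the drop.
"""
from datetime import datetime, timedelta

# ASSUMED field order for a semicolon-separated export; adjust to the
# header line of your real export.
FIELDS = ("num", "date", "time", "orig", "src", "dst", "action",
          "vpn_peer_gateway", "info")

# Constructed sample export (not a real log). 10.0.0.1 is the local
# gateway, 203.0.113.9 the peer that fails, 198.51.100.7 an unrelated peer.
SAMPLE_LOG = """\
1;3Apr2007;14:52:40;10.0.0.1;10.0.0.1;203.0.113.9;key install;203.0.113.9;IKE: Main Mode completed
2;3Apr2007;14:53:58;10.0.0.1;10.0.0.1;203.0.113.9;reject;203.0.113.9;IKE: Main Mode failure: No proposal chosen
3;3Apr2007;14:54:10;10.0.0.1;192.168.1.20;10.20.0.5;accept;;HTTP
4;3Apr2007;14:54:30;10.0.0.1;203.0.113.9;10.0.0.1;drop;203.0.113.9;IKE: Invalid ID information
5;3Apr2007;14:54:55;10.0.0.1;192.168.1.20;10.20.0.5;drop;203.0.113.9;Encryption fail reason: Packet is dropped because there is no valid SA
6;3Apr2007;14:55:00;10.0.0.1;10.0.0.1;198.51.100.7;key install;198.51.100.7;IKE: Quick Mode completed
"""


def parse_log(text):
    """Turn export lines into dicts keyed by FIELDS, with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit keeps any ';' inside the free-text info field intact
        values = line.split(";", len(FIELDS) - 1)
        rec = dict(zip(FIELDS, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%d%b%Y %H:%M:%S")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_no_valid_sa(records):
    """Step 1: the drop entries that carry the 'no valid SA' symptom."""
    return [r for r in records if "no valid SA" in r["info"]]


def peer_traffic_before(records, drop, window_seconds=120):
    """Steps 2 and 3: read the peer from the drop entry, then keep only lines
    whose src/dst pair is exactly {local gateway, peer} in the window
    leading up to the drop (the real error is usually ~60 s earlier)."""
    local, peer = drop["orig"], drop["vpn_peer_gateway"]
    if not peer:
        return []          # no peer recorded: nothing to filter on
    start = drop["ts"] - timedelta(seconds=window_seconds)
    return [r for r in records
            if {r["src"], r["dst"]} == {local, peer}
            and start <= r["ts"] <= drop["ts"]]


def triage(text, window_seconds=120):
    """For each 'no valid SA' drop, return (entry num, peer, preceding lines)."""
    records = parse_log(text)
    return [(drop["num"], drop["vpn_peer_gateway"],
             peer_traffic_before(records, drop, window_seconds))
            for drop in find_no_valid_sa(records)]


if __name__ == "__main__":
    for num, peer, lines in triage(SAMPLE_LOG):
        print(f"entry {num}: no valid SA towards {peer}; preceding peer traffic:")
        for r in lines:
            print(f"  {r['time']} {r['action']:<12} {r['info']}")
```

On the constructed sample the filter discards the unrelated HTTP line and the other peer's key install, and leaves the two IKE lines from the failing peer, with "No proposal chosen" (an encryption-parameter mismatch) about a minute before the drop. The entry at 14:52:40 falls outside the 120-second window; widen `window_seconds` if a gateway logs slowly.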
