On Sat, 7 Apr 2007, cisco4ng wrote:
I would have expected the iBGP session with MD5 authentication
would not have established between R1 and R2 because the Checkpoint
firewall will randomize the tcp sequence number and it will screw
up the md5 authentication in iBGP. Much to my surprise, it still
works. This tells me that the checkpoint firewall does NOT
randomize the tcp sequence number at all when traversing from
one interface to another interface.
Have you checked Secure Knowledge?
Details on how these actions occur are in sk30331.
The only way to tell what it actually does is by capturing both sides and
comparing packets. At present you make an assumption here based on what 2
routers do with BGP without the data to tell exactly what is going on.
You may very well be putting Check Point on the wrong foot by not
including the proper data.
And as a side note. The first line of support is used to deal with people
who hardly read the manual. You go over the details with them and make
sure they got sufficient data and take it to the next level.
There is an art to getting Check Point support at the right level. But I
usually get to bug status swiftly enough in most of the cases.
Some rules of thumb for support questions:
- Get cpinfo output in your initial report.
- Describe it in a way the first line will be able to figure out. (Don't
assume anything. Explain everything.)
- Give them a call about 30 minutes after you logged the call to see who
picked it up and go over it again to make sure they understand you.
(Note that most of them do not use English as first language so some
remarks may get misinterpreted. This is not just Check Point. I have
this with some other companies as well.)
Hugo.
--
hvdkooij AT vanderkooij DOT org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.
Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)
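The comparison of captures from both sides that the reply recommends, as an added example that is not part of the original message: it parses the same TCP segment as seen on each side of the firewall, reports whether the sequence number or the MD5 signature option changed, and rechecks the RFC 2385 digest on the outside copy. The addresses, ports, sequence numbers and key are constructed sample values, and the "rewritten" packet is a simulation, not observed firewall behaviour.

```python
import hashlib, struct
MD5SIG = 19  # TCP option kind for the MD5 signature (RFC 2385)

def digest(src, dst, hdr, data, seg_len, key):
    """RFC 2385: MD5(pseudo-header + TCP header w/o options, checksum 0 + data + key)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, seg_len)
    return hashlib.md5(pseudo + hdr[:16] + b"\0\0" + hdr[18:20] + data + key).digest()

def build_syn(src, dst, sport, dport, seq, key):
    """Constructed sample: IPv4 + TCP SYN with NOP, NOP, MD5 option (40-byte TCP header)."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (10 << 12) | 0x02, 65535, 0, 0)
    tcp = hdr + bytes([1, 1, MD5SIG, 18]) + digest(src, dst, hdr, b"", 40, key)
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0) + src + dst + tcp

def parse(pkt):
    """Extract the sequence number, the MD5 option and the fields the digest covers."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4 TCP packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total]
    doff = (tcp[12] >> 4) * 4
    opts, sig, i = tcp[20:doff], None, 0
    while i < len(opts) and opts[i] != 0:          # kind 0 ends the option list
        if opts[i] == 1:                           # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # malformed length, stop parsing
            break
        if opts[i] == MD5SIG and opts[i + 1] == 18:
            sig = opts[i + 2:i + 18]
        i += opts[i + 1]
    return {"src": pkt[12:16], "dst": pkt[16:20], "seq": struct.unpack("!I", tcp[4:8])[0],
            "hdr": tcp[:20], "data": tcp[doff:], "seg_len": len(tcp), "sig": sig}

def compare(inside, outside, key):
    """Compare one segment as captured on each side of the firewall."""
    a, b = parse(inside), parse(outside)
    expected = digest(b["src"], b["dst"], b["hdr"], b["data"], b["seg_len"], key)
    return {"seq_rewritten": a["seq"] != b["seq"],
            "sig_rewritten": a["sig"] != b["sig"],
            "outside_sig_valid": b["sig"] is not None and b["sig"] == expected}

# Constructed sample data: addresses, ports, sequence numbers and key are made up.
KEY = b"example-bgp-key"
INSIDE = build_syn(bytes([10, 0, 1, 1]), bytes([10, 0, 2, 2]), 11000, 179, 0x1000, KEY)
# Simulated outside capture in which only the sequence number field was changed.
REWRITTEN = INSIDE[:24] + struct.pack("!I", 0xDEADBEEF) + INSIDE[28:]

if __name__ == "__main__": print(compare(INSIDE, REWRITTEN, KEY))
```

With real captures, feed `compare` the raw IPv4 bytes of the matching SYN from each interface; a session that establishes with `seq_rewritten` false on every segment is the data that would support the conclusion drawn in the quoted message.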