Thanks Ray...
I have been burned a few times with the Libsw...and the Edge boxes, that is why I
check Libsw first.
----- Original Message ----
From: Ray <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Sent: Tuesday, April 10, 2007 5:44:46 AM
Subject: Re: [FW-1] NGX RX65 and Edge VPN troubles
Hi Thomas,
I cannot comment on the specifics you're seeing, however when I took my
SmartCenter from R55/libsw 7.0.33 to R62/bundled libsw files, it broke my
Edge boxes. All of them immediately started blocking all traffic the first
time they grabbed a policy on their own.
I had followed the release notes tip (or maybe it was the upgrade guide tip)
to copy over the old policy files from the \tmp folder before the first
SmartCenter reboot, but it didn't make any difference. As soon as I
installed the 7.0.33 libsw files and pushed the policy, everything started
working again.
Take care,
Ray
>From: Thomas Nilsen <Thomas.Nilsen AT ROXAR DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] NGX RX65 and Edge VPN troubles
>Date: Tue, 10 Apr 2007 12:26:46 +0200
>
>We did not update the libsw files. The ones included with R65 have a
>PolicyUpdateVersion=511 while the 7.0.33 release is 516. I don't think
>that should make any difference to the VPN tunnels. It might make a
>difference to the management of the Edge boxes from SmartCenter, but
>unless something has changed significantly with 7.0.33 (and thereby
>making all older Edge releases incompatible with R65) I can't see that
>it would change the outcome.
>
>We have tried VPN tunnels, both using integrated as well as stand alone
>edge boxes with manual VPN site setups - which have been running fine for
>years.
>
>So far we have been unsuccessful in getting R65 and Edge to play and had
>to revert to our old R55 production servers again. I'll be ordering a
>new Edge box to play with in a test environment to see if we can
>reproduce the errors.
>
>If you want to upgrade to R65 I would certainly test it together with an
>Edge box first, and test it well. I've also reported the issue to our
>supplier who I hope can take the matter on with Checkpoint.
>
>Thomas
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of no-need
>to-list
>Sent: Saturday, April 07, 2007 1:29 AM
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] NGX RX65 and Edge VPN troubles
>
>Usually there is a LIBSW that needs to be upgraded in the Management
>Server if anything is upgraded with the Edge devices.
>Have you checked that you have the correct LIBSW (this is a directory)
>for your Edge devices on the management server?
>
>Please let us know if you still have problems with R65, because I will
>postpone my upgrade since we have a lot of Edge Devices too.
>Regards
>
>
>
>----- Original Message ----
>From: Thomas Nilsen <Thomas.Nilsen AT ROXAR DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Sent: Wednesday, April 4, 2007 5:34:15 PM
>Subject: Re: [FW-1] NGX RX65 and Edge VPN troubles
>
>
>As expected, a simplified policy and full integration of the edge
>appliances with smartcenter and VPN communities did not solve this
>issue. The same error still occurs after a few minutes. Even tried to
>upgrade the Edge firmware to 7.0.33, but to no help.
>
>I suspect this might be a bug in R65 where Edge profiles are
>concerned...
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of David
>DeSimone
>Sent: Wednesday, April 04, 2007 11:02 AM
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] NGX RX65 and Edge VPN troubles
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Thomas Nilsen <Thomas.Nilsen AT ROXAR DOT COM> wrote:
> >
> > That would be fine if the VPN tunnels didn't work at all. But here we
> > see most of the traffic passing thru, where only some gets dropped -
> > within the same subnet.
>
>If I remember right, in Traditional mode the hash methods are specified
>on each encrypt rule. The behavior you see might result from having
>most of your encrypt rules specifying the right method, but one rule is
>specifying another method.
>
>As others have said, VPN Communities avoid this problem entirely.
>
>- --
>David DeSimone == Network Admin == fox AT verio DOT net
> "It took me fifteen years to discover that I had no
> talent for writing, but I couldn't give it up because
> by that time I was too famous." -- Robert Benchley
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.1 (GNU/Linux)
>
>iD8DBQFGE2mAFSrKRjX5eCoRAga8AJ4tV07ww5fCcwDzm+Y3P1w/ikYZuQCdGPwz
>5gPSMApI6Px8WBg4Zib9BLo=
>=+RBW
>-----END PGP SIGNATURE-----
>
>=================================================
>To set vacation, Out-Of-Office, or away messages, send an email to
>LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your subscription options,
>email fw-1-owner AT ts.checkpoint DOT com
>=================================================