Subject: [FW-1] Terminating VPN traffics through the Checkpoint NGx R61 with HFA_01 and ESP traffics
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 5 Jun 2007 06:34:42 -0700
R1---CPNGxR61-Internet---VPN_device

R1 is sitting behind the CP NGx R61 with HFA_01. R1 has a private IP address of 10.102.160.36 and is one-to-one NATed by the CP firewall to the public IP address 4.2.2.2.

VPN_device is sitting on the Internet with the public IP address 129.174.1.10. This VPN_device can be a Cisco router or a Checkpoint SPLAT box running NGx R61 with HFA_01. The ruleset on the firewall is wide open between R1 and VPN_device, bi-directionally.

I am trying to set up a site-2-site VPN between R1 and VPN_device. The issue is that I am seeing about 50% packet loss on the VPN traffic. Running tcpdump on the firewall, I see 100% of the ESP traffic reaching the CP firewall's external interface but only 50% of the ESP traffic exiting the internal interface towards R1. Basically I am getting about 50% packet loss. If VPN_device is a Cisco device, I can enable UDP 4500 (aka NAT-T) on both Cisco devices and I get NO packet loss. When I switch to ESP, I get 50% packet loss, no matter whether VPN_device is a Cisco or a SPLAT box. Of course with the SPLAT box I can only do ESP and not UDP 4500.

If I replace the CP NGx R61 with CP NG Feature Pack 3 with HFA_327, I have NO ESP packet loss between R1 and VPN_device. I also have NO packet loss when I switch over to UDP/4500 (if VPN_device is a Cisco router).

Does anyone have issues with terminating VPNs through the CP NGx R61 with HFA_01 regarding ESP traffic? This issue can be easily produced because it happens to me on multiple sets of firewalls during the testing phase.

Thanks in advance
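The diagnostic step described in the post (tcpdump on both firewall interfaces, then compare what enters with what leaves) as an added example in Python. This is not code from the original post or from Check Point. It parses tcpdump's ESP output format (`ESP(spi=0x…,seq=0x…)`), matches packets across the two interfaces on SPI and ESP sequence number only (the one-to-one NAT rewrites the destination address, so addresses cannot be part of the key), and reports per-SPI loss plus whether the dropped sequence numbers follow an alternating pattern. The capture lines and SPI values are constructed sample data; only the IP addresses come from the post.

```python
"""Compare ESP packets captured on a firewall's external and internal
interfaces and report per-SPI loss.

Added example, not code from the original post or from Check Point.
Packets are matched on SPI and ESP sequence number only, because the
one-to-one NAT rewrites the destination address between the two
interfaces. The capture lines below are constructed sample data and the
SPI values are invented.
"""
import re
from collections import defaultdict

# tcpdump prints ESP headers as "ESP(spi=0x<hex>,seq=0x<hex>)".
ESP_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3}) > (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)"
)


def parse_esp(lines):
    """Map SPI -> set of ESP sequence numbers seen in the capture lines."""
    seqs_by_spi = defaultdict(set)
    for line in lines:
        m = ESP_RE.search(line)
        if m:
            seqs_by_spi[int(m["spi"], 16)].add(int(m["seq"], 16))
    return seqs_by_spi


def drop_pattern(missing):
    """Describe how the dropped sequence numbers are distributed."""
    if not missing:
        return "no loss"
    if all(s % 2 == 0 for s in missing):
        return "every even sequence number"
    if all(s % 2 == 1 for s in missing):
        return "every odd sequence number"
    return "irregular"


def esp_loss_report(external_lines, internal_lines):
    """For each SPI seen entering on the external interface, report how
    many packets never left on the internal interface (inbound direction;
    swap the arguments to check the outbound direction).

    Returns {spi: {"entered", "forwarded", "loss", "missing", "pattern"}}.
    """
    entered = parse_esp(external_lines)
    forwarded = parse_esp(internal_lines)
    report = {}
    for spi, seqs in entered.items():
        missing = sorted(seqs - forwarded.get(spi, set()))
        report[spi] = {
            "entered": len(seqs),
            "forwarded": len(seqs) - len(missing),
            "loss": len(missing) / len(seqs),
            "missing": missing,
            "pattern": drop_pattern(missing),
        }
    return report


# Constructed sample captures. External interface: ESP from VPN_device
# (129.174.1.10) to R1's public address (4.2.2.2). Internal interface: the
# same packets after NAT, now addressed to R1's private address.
EXTERNAL_CAPTURE = [
    f"IP 129.174.1.10 > 4.2.2.2: ESP(spi=0x0a1b2c3d,seq=0x{seq:x}), length 132"
    for seq in range(1, 9)
] + [
    f"IP 129.174.1.10 > 4.2.2.2: ESP(spi=0x0a1b2c3e,seq=0x{seq:x}), length 132"
    for seq in range(1, 5)
]
INTERNAL_CAPTURE = [
    f"IP 129.174.1.10 > 10.102.160.36: ESP(spi=0x0a1b2c3d,seq=0x{seq:x}), length 132"
    for seq in (1, 3, 5, 7)  # only every other packet made it through
] + [
    f"IP 129.174.1.10 > 10.102.160.36: ESP(spi=0x0a1b2c3e,seq=0x{seq:x}), length 132"
    for seq in range(1, 5)  # this SA is forwarded intact
]

if __name__ == "__main__":
    for spi, r in esp_loss_report(EXTERNAL_CAPTURE, INTERNAL_CAPTURE).items():
        print(f"SPI 0x{spi:08x}: {r['forwarded']}/{r['entered']} forwarded, "
              f"loss {r['loss']:.0%}, dropped: {r['pattern']}")
```

Feed it the two captures with something like `tcpdump -ni eth0 esp` and `tcpdump -ni eth1 esp` saved to files and read with `f.readlines()`. The drop pattern is reported separately from the loss ratio because a strictly alternating drop (every even or every odd sequence number) indicates a deterministic per-packet decision somewhere in the forwarding path, whereas congestion-style loss is irregular; the two call for different follow-up.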

       