[vpn] Checkpoint VPN issue

Carl Friedberg friedberg at exs.esb.com
Fri Nov 16 15:00:01 EST 2001


First stop is www.phoneboy.com, check out the FAQ (there's a section on
troubleshooting Secure Remote connection problems).

Are you running the latest build of the SR1 client? There've been a lot
of changes.

Also, the default TCP connection timeout is ridiculously short, like an
hour. I've changed that to a week (and it could be longer). It is not
directly supportable under FW1 (the field is not big enough for a week's
worth of seconds), so you have to re-enter the high value every time you
make a change that affects this field.

HTH.

Carl Friedberg
carl at comets.com

-----Original Message-----
From: Dante Mercurio [mailto:dmercurio%ccgsecurity.com at fwd.com] 
Sent: Friday, November 16, 2001 10:30 AM
To: VPN (E-mail)
Subject: [vpn] Checkpoint VPN issue


I'm posting this here as no one in the Checkpoint user's group has been
able to respond. Hopefully, someone will have a suggestion:

I have a customer with a Checkpoint Firewall-1 in which SecureRemote VPN
begins to fail after about a week of successful connectivity.

What is strange is that the connection works entirely for about a week,
and then the connection stays active, but various things will not
function. For example, I can ping and telnet to routers and UNIX across
the 'not-fully-functional' VPN, but if I try to hit an Intranet server,
or map a drive to an NT system I get problems. In the case of the web
page, the connection fails, and the drive mapping says the password is
not correct. The problem is not isolated to each VPN connection, as if I
attempt to dial-in and connect from somewhere new, the problem still
exists.

If I reboot the firewall (starting and stopping FW does not seem to
work), all works for about a week, and then it fails again. ANY
suggestions on where to troubleshoot would be GREATLY appreciated.

Environment:
Checkpoint FW module and management module running on Windows 2000 SP1
Firewall-1 ver 4.1 SP3
VPN is UDP encapsulated in order to be compatible with a customer's
Linksys at home.

Item of note: one course of troubleshooting led us to believe there was
a problem with the BGP Internet router, as clearing the arp table from
that seemed to correct the issue. At this point, however, the customer
states that the only way to have it fully functional again is to reboot
the firewall.

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com <http://www.ccgsecurity.com> 
dmercurio at ccgsecurity.com <mailto:dmercurio at ccgsecurity.com> 


> -----Original Message-----
> From: Thierry Blanchard [mailto:thierry_b at ifrance.com]
> Sent: Thursday, October 25, 2001 1:09 AM
> To: VPN (E-mail)
> Subject: [vpn] VPN implementation
> 
> 
> I have a main site with a file server (running NT4 Server) behind a
> firewall and a remote site with Win98 clients behind a firewall and
> using NAT. I'd like to give access to the file server to the remote
> site and I'm investigating the different solutions and would like to
> know your advice.
> 
> My ideas are:
> - Install VPN on both firewalls to create a tunnel between the 2 sites.
> - Install VPN on the file server and VPN client on all Win98. Then they
>   would have to launch the VPN connection each time they want to
>   connect to the file server.
> - Can I install VPN on the file server and a VPN client on the firewall
>   located on the remote site? (Not a good idea to me.)
> - I think I can't use IPsec because it's only Win98 clients, right?
> - What about SSH?
> 
> Thanks for any idea you could have or any links you could point me to.
> 
> Thierry.
> 
>  
> 
> 
> 
> VPN is sponsored by SecurityFocus.com
> 
> 
