We were using IKE with 4.1. How does NG-AI dynamically figure MTU? If it relies on ICMP we block that at our firewall. Also, I understand the reasons one might need to use "IKE over TCP" and UDP encapsulation, but I don't understand why many clients were working with a 4.1 client/gateway and now have to be tweaked with a NG-AI client/gateway. Thanks for your help.
-Aaron

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray Pesek
Sent: Wednesday, January 28, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] SecuRemote problems after migrating 4.1 users to NG-AI

Were you using IKE or FWZ on 4.1? MTU size should not be an issue with AI as long as you use an NG AI version of SecuRemote. AI is supposed to negotiate and set the MTU dynamically as opposed to FP3. It sounds like you are actually experiencing the problems posed by home firewalls that use NAT, which is what UDP Encapsulation and IKE over TCP fix. We force it for everyone, but we have SecureClient and can do that with the packaging tool so they can't mess with the settings.

Ray Pesek, CISSP

>From: [EMAIL PROTECTED]
>Reply-To: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: [FW-1] SecuRemote problems after migrating 4.1 users to NG-AI
>Date: Wed, 28 Jan 2004 13:49:22 -0700
>
>We have an existing 4.1 SP6 firewall and have been migrating users over to a
>new NG-AI firewall. We are experiencing numerous problems with MTU size,
>and having to configure clients to use UDP encapsulation and IKE over TCP,
>in order to get things working. Why would people be able to work with 4.1,
>but switching them to the new NG-AI client, and pointing them to an NG-AI
>firewall be problematic. The majority of problem users are DSL or DSL with
>some kind of home network. I can understand the potential problems, but
>can't figure out why things worked on 4.1. Thanks for any help.
>
>-Aaron
