I think it is our setup... see the rather crude ASCII drawing below.
Internet<--->Router(10.0.1.x)<---->Checkpoint Public Interface(10.0.1.x)eth1
| |
| |
| Checkpoint
DMZ(160.x.x.x)eth2
|
Checkpoint Private (10.0.0.x)eth0
====
Mike x318
"I just know that I know nothing"
Socrates (469-399 B.C.)
-----Original Message-----
From: FWAdmin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 28, 2004 12:18 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] AW: [FW-1] Site-to-site VPN error
Hi Mike,
try running 'vpn tunnelutil' on both firewalls and see if you have valid IKE SAs
and/or IPsec SAs. Try deleting them with this util. They should be renewed as long as
there is traffic for this tunnel. Try debugging vpn via 'vpn debug [on|ikeon]' which
logs to vpnd.elg/ike.elg. Remember to stop debugging via 'vpn debug [off|ikeoff]' ;-)
Have a close look at these logs, maybe you'll find your problem in there.
By the way:
Which OS is running on what machine? We had the same error when running R55 on a
Solaris 9 Multi-CPU Sun (which is not supported, as we found out afterwards :-( ).
Regards
Torsten G�dicke
-----Original Message-----
From: Mike Singleton [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 22:35
To: [EMAIL PROTECTED]
Subject: [FW-1] Site-to-site VPN error
Anyone know how to further troubleshoot this? The IKE phase seems to go through, then
this error.
Number: 38800
Date: 27Apr2004
Time: 11:52:25
Product: VPN-1 & FireWall-1
Interface: eth2
Origin: firewall (xx.xxx.xxx.129)
Type: Log
Action: Drop
Service: smtp (25)
Source: mail2.domain.com (xxx.xxx.xxx.131)
Destination: other_site_firewall (xxx.xxx.xxx.103)
Protocol: tcp
Source Port: 65439
Information: encryption fail reason: Packet is dropped because there
is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more
information
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
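An added example, not part of the original thread or of any Check Point tooling: a small Python triage of exported log records in the `Field: value` layout quoted above. It re-joins the mail-wrapped `Information` line and counts drops whose reason is "no valid SA" per source, destination and service. The sample records, host names and addresses are constructed placeholders.

```python
from collections import Counter

# Field names as they appear in the log record quoted in the thread.
KNOWN = {"Number", "Date", "Time", "Product", "Interface", "Origin", "Type", "Action",
         "Service", "Source", "Destination", "Protocol", "Source Port", "Information"}

def parse_records(text):
    """Parse 'Field: value' records; 'Number' starts a record, other lines continue a value."""
    records, last = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        key, sep, value = line.partition(":")
        if sep and key in KNOWN:
            if key == "Number":
                records.append({})
            if records:
                records[-1][key], last = value.strip(), key
        elif line and records and last:
            records[-1][last] += " " + line  # mail-wrapped continuation line
    return records

def no_sa_drops(records):
    """Count drops caused by a missing SA, keyed by (source, destination, service)."""
    hits = Counter()
    for r in records:
        if r.get("Action") == "Drop" and "no valid SA" in r.get("Information", ""):
            hits[(r.get("Source"), r.get("Destination"), r.get("Service"))] += 1
    return hits

# Constructed sample (hosts and addresses are placeholders, not from the thread).
SAMPLE = """\
Number: 1
Action: Drop
Service: smtp (25)
Source: mail.example (192.0.2.131)
Destination: peer-gw.example (198.51.100.103)
Information: encryption fail reason: Packet is dropped because there
is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more
information
Number: 2
Action: Accept
Source: web.example (192.0.2.10)
Destination: peer-gw.example (198.51.100.103)
Number: 3
Action: Drop
Service: smtp (25)
Source: mail.example (192.0.2.131)
Destination: peer-gw.example (198.51.100.103)
Information: encryption fail reason: Packet is dropped because there is no valid SA
"""
```

A pair that keeps accumulating these drops after the SAs were deleted and traffic was resent is the one whose vpnd.elg/ike.elg debug output is worth reading first.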