Hi Chris and Geoff,

We did exactly the same thing on R55, had exactly the same issue, and ended
up "fixing" it by turning off anti-spoofing on the WLAN interface as well.
We had a case open with Check Point but never really did resolve it.

Ray

From: Chris Hoff <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Using Office Mode from behind additional firewall
interface = Tunnel Test failed (-121).
Date: Wed, 28 Apr 2004 16:31:43 -0500

We just recently did this. We ran into the same problem, and it came
down to address spoofing. I don't remember all the specifics, but when
using office mode, the client uses the office mode IP address for all
packets. The WLAN interface's topology is probably set to some other
address scheme that does not include this, and therefore it is going to
drop it. Unfortunately, if you set up the topology to include the office
mode subnet, the external interface may begin to drop traffic because
they expect traffic originating from that subnet. I think all we have
done to this point is disable anti-spoofing on the WLAN interface. This
does pose potential problems, so be careful.

We have not had the time to really sit down and figure out how to
implement this with anti-spoofing enabled on that interface, so if
anyone has any suggestions, it would be appreciated.

Regards,

Chris

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Geoff
Brisbine
Sent: Wednesday, April 28, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Using Office Mode from behind additional firewall
interface = Tunnel Test failed (-121).

Greetings, all.

It's my first post to this list, so please bear with me.

We are implementing a WLAN here.  The WLAN is sitting on its own
interface on our R55 SecurePlatform box.  Due to the 3-5 minute lag of
being able to ping via WINS name (whether on the WLAN or from home) I
decided to use Office Mode.  Most of the WLAN users will also be VPNing
in from home via SecureClient.

When I connect up with SecureClient R55 it tells me Tunnel Test failed
(-121).  When I connect up with SecureClient R56 it tells me that it
connected successfully, but it exhibits the identical symptoms to R55.
The symptom is that I am unable to hit anything on the trusted side of
our firewall.

I researched the Tunnel Test Failed message and followed the step in
sk10980 but I still got the Tunnel Test failed.  I also set the Office
Mode to "Support connectivity enhancement for gateways with multiple
external interfaces" without any luck.  Has anyone gotten Office Mode to
work from a separate interface of the firewall (not external)?

I would be happy to provide any additional information or logs.

Thanks!

Geoff Brisbine | Network Administrator

MI-Assistant - A Division of Fiserv FSC, Inc.
26550 West Mondovi Street | Eleva, WI  54738
Phone: 715.287.4262 | Fax: 715.287.4576
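
A simplified model of the per-interface anti-spoofing check discussed in this thread, added as an example; it is not part of the original messages and is not Check Point's implementation. The subnets, the interface names, and the rule that the external interface accepts only sources not defined behind another interface are assumptions, as is the premise that the Office Mode source address is what each interface checks.

```python
import ipaddress as ip

# Constructed addressing for illustration (none of it is from the thread).
LAN = ip.ip_network("10.1.0.0/24")          # trusted side
WLAN = ip.ip_network("192.168.50.0/24")     # wireless segment
OM_POOL = ip.ip_network("172.16.10.0/24")   # Office Mode pool

def verdict(topology, enforce, iface, src):
    """Return 'accept' or 'drop' for a packet with source `src` on `iface`.

    topology: internal interface name -> networks defined behind it.
    enforce:  interface name -> False where anti-spoofing is switched off.
    'external' is modelled as valid for any source no other interface claims.
    """
    addr = ip.ip_address(src)
    if not enforce.get(iface, True):
        return "accept"                      # no source check at all
    if iface == "external":
        claimed = any(addr in n for nets in topology.values() for n in nets)
        return "drop" if claimed else "accept"
    return "accept" if any(addr in n for n in topology[iface]) else "drop"

def scenarios():
    """Evaluate the three configurations the thread walks through."""
    client = "172.16.10.25"   # Office Mode address used by the VPN client
    forged = "10.1.0.5"       # trusted-LAN address forged from the WLAN
    base = {"lan": [LAN], "wlan": [WLAN]}
    widened = {"lan": [LAN], "wlan": [WLAN, OM_POOL]}

    def row(topology, enforce):
        return (verdict(topology, enforce, "wlan", client),      # client on WLAN
                verdict(topology, enforce, "external", client),  # client from home
                verdict(topology, enforce, "wlan", forged))      # forged LAN source

    return {
        "pool missing from WLAN topology": row(base, {}),
        "pool added to WLAN topology": row(widened, {}),
        "anti-spoofing off on WLAN": row(base, {"wlan": False}),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:34} wlan/external/forged = {result}")
```

The third row shows the cost of the workaround in this model: with the check off, the WLAN interface also accepts a forged trusted-LAN source, so the rule base on that interface has to carry the filtering instead.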

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email [EMAIL PROTECTED]
=================================================
