Ray and Chris,

Thanks a ton for your help. I turned off the anti-spoofing on the WLAN interface and it worked like a charm.

Chris, can you elaborate on the potential problems associated with turning that off?

Thanks again!

Geoff.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray Pesek
Sent: Wednesday, April 28, 2004 8:05 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Using Office Mode from behind additional firewall interface = Tunnel Test failed (-121).

Hi Chris and Geoff,

We did exactly the same thing on R55, had exactly the same issue, and ended up "fixing" it by turning off anti-spoofing on the WLAN interface as well. We had a case open with Check Point but never really did resolve it.

Ray

>From: Chris Hoff <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] Using Office Mode from behind additional firewall
>interface = Tunnel Test failed (-121).
>Date: Wed, 28 Apr 2004 16:31:43 -0500
>
>We just recently did this. We ran into the same problem, and it came
>down to address spoofing. I don't remember all the specifics, but when
>using office mode, the client uses the office mode IP address for all
>packets. The WLAN interface's topology is probably set to some other
>address scheme that does not include this, and therefore it is going to
>drop it. Unfortunately, if you set up the topology to include the office
>mode subnet, the external interface may begin to drop traffic because
>they expect traffic originating from that subnet. I think all we have
>done to this point is disable anti-spoofing on the WLAN interface. This
>does pose potential problems, so be careful.
>
>We have not had the time to really sit down and figure out how to
>implement this with anti-spoofing enabled on that interface, so if
>anyone has any suggestions, it would be appreciated.
>
>Regards,
>
>Chris
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[EMAIL PROTECTED] On Behalf Of Geoff
>Brisbine
>Sent: Wednesday, April 28, 2004 3:25 PM
>To: [EMAIL PROTECTED]
>Subject: [FW-1] Using Office Mode from behind additional firewall
>interface = Tunnel Test failed (-121).
>
>Greetings, all.
>
>It's my first post to this list, so please bear with me.
>
>We are implementing a WLAN here. The WLAN is sitting on its own
>interface on our R55 SecurePlatform box. Due to the 3-5 minute lag of
>being able to ping via WINS name (whether on the WLAN or from home) I
>decided to use Office Mode. Most of the WLAN users will also be VPNing
>in from home via SecureClient.
>
>When I connect up with SecureClient R55 it tells me Tunnel Test failed
>(-121). When I connect up with SecureClient R56 it tells me that it
>connected successfully, but it exhibits the identical symptoms to R55.
>The symptom is that I am unable to hit anything on the trusted side of
>our firewall.
>
>I researched the Tunnel Test Failed message and followed the step in
>sk10980 but I still got the Tunnel Test failed. I also set the Office
>Mode to "Support connectivity enhancement for gateways with multiple
>external interfaces" without any luck. Has anyone gotten Office Mode
>to work from a separate interface of the firewall (not external)?
>
>I would be happy to provide any additional information or logs.
>
>Thanks!
>
>Geoff Brisbine | Network Administrator
>
>MI-Assistant - A Division of Fiserv FSC, Inc.
>26550 West Mondovi Street | Eleva, WI 54738
>Phone: 715.287.4262 | Fax: 715.287.4576
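The anti-spoofing behaviour discussed in this thread, as a simplified model added here as an example (not code from any poster and not Check Point's implementation). All addresses, interface names and function names are constructed for illustration, and the external interface is assumed to mean "any source not defined behind another interface".

```python
import ipaddress as ip

# Constructed addressing; none of these values come from the thread.
INTERNAL = ip.ip_network("10.1.0.0/16")
WLAN = ip.ip_network("192.168.50.0/24")
OFFICE_MODE_POOL = ip.ip_network("172.16.10.0/24")


def make_gateway(wlan_topology, wlan_antispoof=True):
    """Map interface -> (networks defined behind it, anti-spoofing enabled).
    None instead of a list marks the external interface (assumption:
    external means "any source not defined behind another interface")."""
    return {
        "internal": ([INTERNAL], True),
        "wlan": (list(wlan_topology), wlan_antispoof),
        "external": (None, True),
    }


def accepts(gateway, ingress, src):
    """Simplified anti-spoofing verdict for source `src` arriving on `ingress`."""
    src = ip.ip_address(src)
    nets, enabled = gateway[ingress]
    if not enabled:
        return True  # source address is not validated on this interface
    if nets is None:  # external: drop sources that belong behind other interfaces
        behind = [n for other, _ in gateway.values() if other for n in other]
        return not any(src in n for n in behind)
    return any(src in n for n in nets)


def scenarios():
    client = "172.16.10.5"  # Office Mode address assigned to a VPN client
    forged = "10.1.0.20"    # internal address appearing as a source on the WLAN
    strict = make_gateway([WLAN])
    widened = make_gateway([WLAN, OFFICE_MODE_POOL])
    disabled = make_gateway([WLAN], wlan_antispoof=False)
    return {
        "strict/wlan/client": accepts(strict, "wlan", client),
        "strict/external/client": accepts(strict, "external", client),
        "widened/wlan/client": accepts(widened, "wlan", client),
        "widened/external/client": accepts(widened, "external", client),
        "disabled/wlan/client": accepts(disabled, "wlan", client),
        "disabled/external/client": accepts(disabled, "external", client),
        "strict/wlan/forged": accepts(strict, "wlan", forged),
        "disabled/wlan/forged": accepts(disabled, "wlan", forged),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26} {'accept' if ok else 'drop'}")
```

The last row is the cost of the workaround: with the check disabled, the WLAN interface in this model accepts a source address that belongs to the internal network.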
