No, I got around the DCE-RPC problem by setting the SmartDefense setting to monitor only. This is a different problem.
-----------------------------------------------
Tony Pombo
Systems and Security Architect
Edict Systems, Inc.
937-429-4288 x279
[EMAIL PROTECTED]

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Ray
Sent: Thursday, August 18, 2005 6:57 PM
To: [email protected]
Subject: Re: [FW-1] Windows 2003 SP1 Domain Controllers

Any drops on rule 995 or 997? If so, see "Active Directory Replication fails through VPN-1/FireWall-1 NG with Application Intelligence R55 after installing Windows 2003 Service Pack 1", Solution ID: #sk30784. It's got to do with a DCE-RPC issue and doesn't mention SmartDefense.

Ray

>From: Tony Pombo <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
>To: [email protected]
>Subject: [FW-1] Windows 2003 SP1 Domain Controllers
>Date: Wed, 17 Aug 2005 17:45:44 -0400
>
>I have two Windows 2003 SP1 Domain Controllers at different sites on the Internet. Both sides are protected by CheckPoint FW-1 R55W. There is a site-to-site VPN between the sites. The rules are configured to allow all traffic between sites.
>
>Problem #1 (fixed):
>
>The domain controllers cannot replicate Active Directory information between them. The firewall's SmartDefense is rejecting the packets. I avoided this by setting MS-RPC smart defense to "monitor only".
>
>Problem #2:
>
>Many packets sent between the domain controllers are dropped by the firewall for: "TCP packet out of state: First packet isn't SYN tcp_flags: ACK". I cannot get the domain controllers to replicate, and my AD tools indicate a communications issue.
>
>Any ideas?
>
>-----------------------------------------------
>Tony Pombo
>Systems and Security Architect
>Edict Systems, Inc.
>937-429-4288 x279
>[EMAIL PROTECTED]
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
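The drop reason quoted in the original post, "TCP packet out of state: First packet isn't SYN", means the gateway received a mid-stream segment for a flow that has no entry in its connection table. When triaging such drops it helps to separate flows the gateway had accepted earlier (the state entry most likely expired, e.g. a long-idle RPC channel exceeding the TCP session timeout) from flows for which it never saw a SYN at all (which points at an asymmetric path, a failover, or a session that predates the state table). The script below is an added example and is not code from the thread or from Check Point. It works on constructed log lines in a simplified `key=value` form, not Check Point's real export format; the host addresses and ports are invented, and only the reason string is taken from the post.

```python
import re
from collections import OrderedDict

OUT_OF_STATE = "out of state"

# Constructed sample log (simplified key=value form, NOT the real Check Point
# log format). Addresses and ports are invented; records are in time order.
SAMPLE_LOG = """\
2005-08-17 17:01:02 action=accept src=10.1.0.10 dst=10.2.0.10 dport=135 proto=tcp
2005-08-17 17:01:03 action=accept src=10.1.0.10 dst=10.2.0.10 dport=1026 proto=tcp
2005-08-17 17:31:40 action=drop src=10.1.0.10 dst=10.2.0.10 dport=1026 proto=tcp reason="TCP packet out of state: First packet isn't SYN tcp_flags: ACK"
2005-08-17 17:31:41 action=drop src=10.1.0.10 dst=10.2.0.10 dport=1026 proto=tcp reason="TCP packet out of state: First packet isn't SYN tcp_flags: ACK"
2005-08-17 17:32:05 action=drop src=10.2.0.10 dst=10.1.0.10 dport=389 proto=tcp reason="TCP packet out of state: First packet isn't SYN tcp_flags: ACK"
2005-08-17 17:32:06 action=accept src=10.2.0.10 dst=10.1.0.10 dport=445 proto=tcp
"""

# "<date> <time> <key=value ...>"; values may be bare or double-quoted.
RECORD_RE = re.compile(r"^(\S+ \S+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(text):
    """Parse the constructed format into a list of dicts, one per line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = RECORD_RE.match(line)
        if not match:
            continue  # skip lines that are not records
        rec = {"time": match.group(1)}
        for key, quoted, bare in KV_RE.findall(match.group(2)):
            rec[key] = quoted if quoted else bare
        records.append(rec)
    return records


def flow_key(rec):
    """Identify a flow by the client->server direction and destination port."""
    return f"{rec['src']}->{rec['dst']}:{rec['dport']}"


def triage_out_of_state(text):
    """Group out-of-state drops per flow and note whether the gateway had
    accepted that flow earlier in the log (i.e. it once held state for it)."""
    last_accept = {}          # flow -> time of most recent accept seen so far
    summary = OrderedDict()   # flow -> triage entry, in order of first drop
    for rec in parse_log(text):
        key = flow_key(rec)
        action = rec.get("action")
        if action == "accept":
            last_accept[key] = rec["time"]
        elif action == "drop" and OUT_OF_STATE in rec.get("reason", ""):
            entry = summary.setdefault(key, {
                "drops": 0,
                "first_drop": rec["time"],
                # An accept logged before the first drop means the gateway
                # did build a connection entry for this flow at some point.
                "prior_accept": last_accept.get(key),
            })
            entry["drops"] += 1
    for entry in summary.values():
        if entry["prior_accept"]:
            entry["likely_cause"] = ("state entry expired: flow was accepted "
                                     "earlier but idled past the TCP session timeout")
        else:
            entry["likely_cause"] = ("no SYN seen by this gateway: suspect asymmetric "
                                     "routing, failover, or a session predating the state table")
    return summary


if __name__ == "__main__":
    for flow, entry in triage_out_of_state(SAMPLE_LOG).items():
        print(f"{flow}: {entry['drops']} drop(s), first at {entry['first_drop']}; "
              f"{entry['likely_cause']}")
```

Running it on the constructed sample reports the 1026/tcp flow as an expired-state case (it was accepted half an hour earlier) and the 389/tcp flow as one the gateway never saw a SYN for. On a real gateway, the first class is addressed by tuning the TCP session timeout or the RPC keep-alive behaviour, while the second needs the path itself examined, so separating them before changing firewall settings saves guesswork.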
