You can try using srfw monitor. It is located in the bin directory of your SecuRemote installation. Maybe you can debug your problem with the client.

Best Regards,
Lino E. Avila

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Friday, December 30, 2005 09:16 p.m.
To: [email protected]
Subject: Re: [FW-1] Cannot connect with SecuRemote (SR)

>Nevertheless, I still have a select few users that cannot connect to the
>server. The errors are "Update failed" or if creating a new site, they get
>timeouts. Strangely in the logs, I don't see any activity of the attempt to
>connect which leads me to believe something is blocking it on their site or
>somewhere in the middle.

If you're using Implied Rules to accept the remote access connections, make sure you're logging the Implied Rules. I think it's off by default.

>One particular user has both cable and DSL
>connections and could not connect while on DSL. Switching to cable did the
>trick. Now that the site has been created, he can successfully reconnect
>over DSL. Unfortunately most of my users have only a single broadband
>connection.

This is almost always an MTU problem. ADSL using PPPoE adds eight bytes to the packet, pushing it over the 1,500 byte limit and causing fragmentation. I don't know if SR does automatic MTU adjustment, but SC does.

I've also seen this exact problem caused by junk home routers. "Junk" as spelled "DLink." They could hook their computer directly to the Internet modem, create the site and then go back behind the router and all would be well.

Is your firewall object specified with the internal interface or the external interface IP address? It really needs to be the external IP address.

You don't happen to have SC, do you? Visitor Mode, which tunnels all of the IPSec protocols over TCP 443, is a real life-saver in situations like this. We've had many a hotel where they block all outbound traffic except 80 & 443 where Visitor Mode saved the day.

Another fix, if they are semi-technically inclined and have admin access, is to email them a copy of the userc.C file from a computer that works. They will need to stop both CheckPoint services, save the file in the correct folder to overwrite the existing one and re-start the services. If you do this while the services are running, it won't work. I've used this procedure on a few computers that were behind junk routers but we could not risk exposing them to the Internet.

Ray

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
