Since you fortunately have SecureClient, you might need to enable Visitor Mode. Visitor Mode tunnels all of the IPSec protocols through TCP 443 (SSL) and has fixed virtually every instance of failed connects that we have experienced (350 users).

Cheap home routers, hotels that block traffic, you name it, Visitor Mode has gotten through when regular IPSec has not.

Since you're running Nokia, you MUST move the SSL port of Voyager to something other than 443 if you haven't already done so. You will need to create a rule allowing HTTPS connections from "any" to the external interface of the IP530. If you do not do this, you will expose your Voyager login page to the entire world.

In your Remote Access Connection Profiles, you'll probably create a new profile allowing Visitor Mode.

What version of SecureClient do you use?

Ray


From: "Berg-Olsen, Børge" <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] SecureClient fails to connect
Date: Thu, 17 Aug 2006 09:29:40 +0200

> -----Original Message-----
> From: Mark Elsen [mailto:[EMAIL PROTECTED]]
> Sent: 16 August 2006 14:51

> > We're having problems with SecureClients running officemode
> > not being able to connect to the firewall.
>
> Which error(s) do they get (exact) ?

When connecting, in the details window of SecureClient, the messages are as follows:

        Checking network connectivity...
        Preparing connection...
        Connecting to gateway...

Then it takes a long time, and we get:

        Gateway not responding
        Connection failed

In the logviewer of SecureClient we get:

        Connecting to site <name> using profile <name>

Then nothing before:

        Communication with gateway <gateway-name> at site <name> failed.

>
> Anything in the Firewall logs (Smartview tracker) ?

There is nothing in the logs, except a connection from the SecureClient to the gateway on port 500/tcp (IKE).

From the gateway to the SecureClient there is nothing in the Smartview tracker.

When logging on to the firewall enforcement module and doing a fw monitor I get this:

Nokia-IP530-1[admin]#  fw monitor -e "accept src=XXX.XXX.XXX.XXX4;"
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
Aug 17 09:13:03 Nokia-IP530-1 [LOG_CRIT] kernel: FW-1: monitor filter loaded
 monitor: monitoring (control-C to stop)
eth2c0:i[48]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=48 id=2526
TCP: 1098 -> 500 .S.... seq=0a21608c ack=00000000
eth2c0:I[48]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.ZZZ (TCP) len=48 id=2526
TCP: 1098 -> 500 .S.... seq=0a21608c ack=00000000
eth2c0:i[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=40 id=2527
TCP: 1098 -> 500 ....A. seq=0a21608d ack=2db223d3
eth2c0:I[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.ZZZ (TCP) len=40 id=2527
TCP: 1098 -> 500 ....A. seq=0a21608d ack=2db223d3
eth2c0:i[356]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=356 id=2528
TCP: 1098 -> 500 ...PA. seq=0a21608d ack=2db223d3
eth2c0:I[356]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.ZZZ (TCP) len=356 id=2528
TCP: 1098 -> 500 ...PA. seq=0a21608d ack=2db223d3
eth2c0:i[262]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=262 id=2537
TCP: 1098 -> 500 ...PA. seq=0a2161c9 ack=2db22457
eth2c0:I[262]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.ZZZ (TCP) len=262 id=2537
TCP: 1098 -> 500 ...PA. seq=0a2161c9 ack=2db22457
eth2c0:i[116]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=116 id=2542
TCP: 1098 -> 500 ...PA. seq=0a2162a7 ack=2db2250f
eth2c0:I[116]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.ZZZ (TCP) len=116 id=2542
TCP: 1098 -> 500 ...PA. seq=0a2162a7 ack=2db2250f
eth2c0:i[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=40 id=2554
TCP: 1098 -> 500 ....A. seq=0a2162f3 ack=2db228ab
eth2c0:I[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.ZZZ (TCP) len=40 id=2554
TCP: 1098 -> 500 ....A. seq=0a2162f3 ack=2db228ab
eth2c0:i[116]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=116 id=2563
TCP: 1098 -> 500 ...PA. seq=0a2162f3 ack=2db228f7
eth2c0:I[116]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.ZZZ (TCP) len=116 id=2563
TCP: 1098 -> 500 ...PA. seq=0a2162f3 ack=2db228f7
eth2c0:i[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=40 id=2691
TCP: 1098 -> 500 ....A. seq=0a21633f ack=2db228f7
eth2c0:I[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.ZZZ (TCP) len=40 id=2691
TCP: 1098 -> 500 ....A. seq=0a21633f ack=2db228f7
eth2c0:i[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=40 id=2694
TCP: 1098 -> 500 ....A. seq=0a21633f ack=2db228f8
eth2c0:I[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.ZZZ (TCP) len=40 id=2694
TCP: 1098 -> 500 ....A. seq=0a21633f ack=2db228f8
eth2c0:i[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=40 id=2695
TCP: 1098 -> 500 F...A. seq=0a21633f ack=2db228f8
eth2c0:I[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.ZZZ (TCP) len=40 id=2695
TCP: 1098 -> 500 F...A. seq=0a21633f ack=2db228f8

> > If we fail one node over to the other node SecureClients are
> > able to connect for a short while - approx 5-6 minutes -
> > then it is impossible to create new SecureClient sessions.
>
>  - What happens, which errors are seen ?

Same as above. Our license is good for 100 concurrent SecureClient users; we have defined 709. At no point since the reboot of the enforcement modules have we had over 14 concurrent users.

Thanks in advance for any help on the matter.

_______________________________________________________

Best regards,

Børge Berg-Olsen
IT Systems Consultant
Coop Norden AB

[EMAIL PROTECTED]

phone:    +47 22 89 76 20
mobile:   +47 90 01 75 15
fax:      +47 22 91 71 66

Østre Aker vei 264   |   0977 Oslo

_______________________________________________________
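An added example, not from the thread, that parses fw monitor output like the capture above and summarises each client flow: which chain points the packets passed (i = before inbound inspection, I = after), whether the destination was rewritten between the two, and, since the `src=` filter only ever shows the client's packets, how many bytes each side sent as inferred from the client's own seq/ack numbers. It assumes the capture was taken on the external interface so that every packet is the client's; the sample is a constructed excerpt of the capture with the page's address placeholders kept.

```python
import re
from collections import defaultdict

HDR = re.compile(r"^(\w+):([iIoO])\[\d+\]:\s+(\S+) -> (\S+) \((\w+)\) len=(\d+) id=(\d+)")
TCP = re.compile(r"^TCP: (\d+) -> (\d+) (\S{6}) seq=([0-9a-f]+) ack=([0-9a-f]+)")
def parse_fw_monitor(text):
    """One dict per packet (header line + its TCP line); monitor:/kernel: lines are skipped."""
    pkts, hdr = [], None
    for raw in text.splitlines():
        if m := HDR.match(raw.strip()):
            hdr = dict(zip(("ifc", "point", "src", "dst", "proto", "len", "id"), m.groups()))
        elif hdr and (m := TCP.match(raw.strip())):
            sport, dport, flags, seq, ack = m.groups()
            hdr.update(sport=int(sport), dport=int(dport), flags=flags, seq=int(seq, 16), ack=int(ack, 16))
            pkts.append(hdr); hdr = None
    return pkts

def summarize(pkts):
    """Per client flow (src, sport): chain points seen, destination rewrite between i and I,
    and per-side byte counts inferred from the client's seq/ack (assumes all packets are the client's)."""
    flows = defaultdict(lambda: {"points": set(), "dst": {}, "seq": [], "ack": []})
    for p in pkts:
        f = flows[(p["src"], p["sport"])]
        f["points"].add(p["point"])
        f["dst"].setdefault(p["point"], p["dst"])
        if p["point"] == "i":                       # count each packet once, at the first chain point
            f["seq"].append((p["seq"], "S" in p["flags"]))
            if p["ack"]: f["ack"].append(p["ack"])
    report = {}
    for key, f in flows.items():
        seqs = [s for s, _ in f["seq"]]
        isn = next((s for s, syn in f["seq"] if syn), seqs[0] if seqs else 0)
        sent = ((seqs[-1] - isn) & 0xFFFFFFFF) if seqs else 0   # the SYN itself consumes one number
        report[key] = {"points": "".join(sorted(f["points"])),
                       "translated": len(set(f["dst"].values())) > 1,
                       "gateway_replied": bool(f["ack"]),          # a nonzero ACK means a SYN-ACK arrived
                       "client_bytes": max(sent - 1, 0),
                       "gateway_bytes": ((f["ack"][-1] - f["ack"][0]) & 0xFFFFFFFF) if f["ack"] else 0}
    return report

# Constructed excerpt in the capture's format: the SYN at both inbound chain points, the client's first ACK, its FIN.
SAMPLE = """\
eth2c0:i[48]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=48 id=2526
TCP: 1098 -> 500 .S.... seq=0a21608c ack=00000000
eth2c0:I[48]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.ZZZ (TCP) len=48 id=2526
TCP: 1098 -> 500 .S.... seq=0a21608c ack=00000000
eth2c0:i[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=40 id=2527
TCP: 1098 -> 500 ....A. seq=0a21608d ack=2db223d3
eth2c0:i[40]: XXX.XXX.XXX.XXX4 -> XXX.XXX.XXX.YYY (TCP) len=40 id=2695
TCP: 1098 -> 500 F...A. seq=0a21633f ack=2db228f8
"""
```

Run on the full capture in the thread, the same summary shows that the TCP 500 session did complete its handshake and carry data in both directions before the client sent its FIN, which narrows the failure to the IKE-over-TCP exchange itself rather than to the TCP connection.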


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================