We have a Nokia VRRP cluster, running R61 HFA01, with IPSO 4.1 B022. Our clients are attempting to use a Cisco VPN (Software) client (4.6+) to connect to remote (offsite) vendors. Our clients are behind a manual hide NAT. The client will connect, and everything will work for about one to two minutes, then they will get disconnected. The client mentioned that their VPN worked until a few weeks ago. This is when we switched from a standalone Nokia to a VRRP cluster.
The rule to allow Cisco VPN out is:

Source: Secure Network (10.x)
Dest: Remote Cisco VPN concentrator(s)
Service: IKE (UDP500), IKE_NAT_TRAVERSAL (UDP4500)
Action: Accept
Track: Log

In tracker... I see the IKE session go out, ok. Then I see the remote server, some time later, try to reply via a UDP4500 connection to the NAT address... which goes straight into the Cleanup Rule.

According to all of the documentation, and all the FW-1 emails I can find on Google, that's the correct configuration above.

--
Thanks,
E. Recio

System going down in 5 minutes.
