I have a similar configuration to yours (Nokia VRRP with IPSO 4.1 build 33 and NGx R61 with HFA_01). The Nokia is being managed by Provider-1 NGx R61 with HFA_01. But mine is working perfectly. A Cisco VPN client behind the firewall can connect to a remote Cisco PIX firewall without any issues. However, in my case, I have automatic "hide" NAT. In other words, I created network 10.x.x.x/x and, under the NAT properties, I specified the firewall for "hide" NAT. I also have flows enabled (ipsofwd list with flowpath) and SecureXL enabled as well (fwaccel on). I don't think it has anything to do with flows or SecureXL because it works for me. Give automatic "hide" NAT a try and see if it works.

Scott Tobias <[EMAIL PROTECTED]> wrote:

Are flows on? I have seen a problem with flows and UDP connections. If the problem goes away with flows disabled, call Nokia; they have already written a hot fix for this issue.

On 7/6/07, E. M. Recio wrote:
>
> We have a Nokia VRRP cluster, running R61 HFA01, with IPSO 4.1 B022.
>
> Our clients are attempting to use a Cisco VPN (Software) client (4.6+)
> to connect to remote (offsite) vendors. Our clients are behind a manual
> hide NAT. The client will connect, and everything will work for about
> one to two minutes, then they will get disconnected. The client
> mentioned that their VPN worked until a few weeks ago. This is when we
> switched from stand alone Nokia to a VRRP cluster.
>
> The rule to allow Cisco VPN out is:
>
> Source: Secure Network (10.x)
> Dest: Remote Cisco VPN concentrator(s)
> Service: IKE (UDP500), IKE_NAT_TRAVERSAL (UDP4500)
> Action: Accept
> Track: Log
>
> In tracker... I see the IKE session go out, ok. Then I see the remote
> server, some time later, try to reply via a UDP4500 connection to the NAT
> address... which goes straight into the Cleanup Rule.
>
> According to all of the documentation, and all the FW-1 emails I can
> find on google, that's the correct configuration above.
>
> --
> Thanks,
> E. Recio
>
> System going down in 5 minutes.
