So the Cisco VPN problem we were having went away just as mysteriously
as it came. Basically, I recreated the UDP4500 object, and increased
the timeout from 40 seconds to 90 seconds. This did not "apparently" fix
the problem - when we tested at that time, it was still dropping the VPN
connection.
The second thing we tried was enabling SecureXL on the active firewall.
This did not help to keep the VPN connection up. However, this had the
result of saturating my connections table (25,000) because of the
plethora of DNS requests coming from the firewall itself. We removed the
DNS server entries from the Nokia, and disabled SecureXL.
The next morning, VPN was working as expected. The clean-up rule wasn't
catching the return UDP4500 traffic.
So I guess my questions are:
a) Why, after turning SecureXL on and then off, would the problem be fixed?
b) Why, after turning on SecureXL, would there be a lot of connections to
the DNS server?
c) With 2GB in an IP560, would increasing the max connections to 50,000
be recommended? We peak typically at around 13,000 - 15,000.
-Elmo
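To illustrate why a short UDP4500 virtual-session timeout makes the return traffic fall through to the clean-up rule, here is an added stateful-firewall model (example code, not from the list or from Check Point). The client and PIX addresses, the 20 s keepalive cadence and the quiet gap in the event list are constructed for the demo.

```python
"""Stateful-firewall model of the UDP 4500 (NAT-T) timeout question.

A UDP service object's virtual-session timeout decides how long a
connection-table entry survives without a packet. An inbound packet that
arrives after expiry matches no state and hits the clean-up rule.
"""
from dataclasses import dataclass, field

DROP, ACCEPT = "drop(cleanup)", "accept"
FLOW = ("10.1.1.5", 4500, "203.0.113.9", 4500)  # constructed client -> PIX tuple


@dataclass
class ConnTable:
    udp_timeout: float                            # seconds (40 vs 90 in the thread)
    entries: dict = field(default_factory=dict)   # flow tuple -> last-seen time

    def outbound(self, flow, now):
        """Outbound packet hits the Accept rule: create or refresh the entry."""
        self.entries[flow] = now

    def inbound(self, flow, now):
        """Return packet: accepted only while the entry is still live."""
        last = self.entries.get(flow)
        if last is None or now - last > self.udp_timeout:
            self.entries.pop(flow, None)          # expired: clean-up rule applies
            return DROP
        self.entries[flow] = now                  # either direction refreshes state
        return ACCEPT


def run(udp_timeout, events):
    """Replay (time, 'out'|'in') events for FLOW; return a verdict per inbound packet."""
    table = ConnTable(udp_timeout)
    verdicts = []
    for t, direction in sorted(events):
        if direction == "out":
            table.outbound(FLOW, t)
        else:
            verdicts.append((t, table.inbound(FLOW, t)))
    return verdicts


# Constructed scenario: client keepalives every 20 s, then a 60 s quiet gap
# (e.g. the laptop suspends); the PIX sends a DPD/data packet at t=65.
SCENARIO = [(0, "out"), (20, "out"), (65, "in"), (80, "out"), (81, "in")]


def dropped_replies(udp_timeout, events=SCENARIO):
    """Count inbound packets the clean-up rule would eat for a given timeout."""
    return sum(1 for _, v in run(udp_timeout, events) if v == DROP)


if __name__ == "__main__":
    for timeout in (40, 90):                      # the two values from the thread
        print(timeout, run(timeout, SCENARIO))
```

With the 40 s timeout the packet at t=65 is dropped (45 s since the last refresh); with 90 s it is accepted, which matches the behaviour seen the next morning.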
cisco4ng wrote:
I have a similar configuration as yours (Nokia VRRP with IPSO 4.1 build 33
and NGx R61 with HFA_01). The Nokia is being managed by Provider-1 NGx R61
with HFA_01. But mine is working perfectly. A Cisco VPN client behind the
firewall can connect to a remote Cisco PIX firewall without any issues.
However, in my case, I have automatic "hide" NAT. In other words, I create
network 10.x.x.x/x and under the NAT properties, I specified the firewall
for "hide" NAT. I also have flows enabled (ipsofwd list with flowpath) and
SecureXL enabled as well (fwaccel on). I don't think it has anything to do
with flows or SecureXL because it works for me.
Give automatic "hide" NAT a try and see if it works.
Scott Tobias <[EMAIL PROTECTED]> wrote:
Are flows on? I have seen a problem with flows and UDP connections. If the
problem goes away with flows disabled, call Nokia; they have already
written a hotfix for this issue.