1. Already did. I only see the MDG client host 10.1.1.140 sending reset.

2. NAT setting? NAT on cisco is easy. You don't have to be a rocket scientist to figure it out. As I've said before, it did NOT work with static NAT either.

3. Already did. Did NOT solve anything.

4. Already did. Did NOT solve anything.

If you like, I can let you connect to my P-1 over the Internet, yes, over the internet, so that you can see it for yourself. It's a bug however you want to say it.

Hugo van der Kooij <[EMAIL PROTECTED]> wrote:

cisco4ng wrote:
> This tcpdump is taken from a P-1 NG AI R55 and it is working.
> In other words, the MDG client, host 10.1.1.140, never sends
> any reset. Therefore, the only logical conclusion I can come up
> with is that Checkpoint broke this in NGx.

There are quite a few things you have not done yet. So either work the issue or stop complaining. But to just keep telling it is broken because it does not work the way you expect it to work is not very productive.

1. Measure at both ends just to be 230% sure.

2. Test the effect of the NAT setting. Do not assume it is only for Check Point gateways in between. I have seen it change other aspects of how information is transferred from your SmartCenter by doing some VPN-1 edge debugging, for example. The trace could very well indicate that there is initial communication from the MDG to the P-1 system but the client breaks it as it is being told to use another address. (The one you used to define the object as and not the NAT address to which you originally connected.)

3. Test with the explicit client IP address instead of using ANY to define your MDGs, if the previous test did not in fact succeed.

4. Test with an independently managed Check Point gateway as NAT device.

I have been playing about a bit with some new features for some new stuff. I will not go into details on them as I agreed with them. But the thing I can tell is that Check Point tries to do more of these tests because they find that there is a gap between how Check Point designed things and how it is sometimes used in the field.

In at least 1 case I tried to do things in a way they did not anticipate when they started the test but found that most people were doing it more or less the way I did it.

So yes, there are bugs. (Anything over 10 lines of code has them.) There are cases where you have to do things just a bit differently. There are cases where limitations get added as security features which may interfere with old practices. And there are probably plenty of other scenarios as well.

If you can do these tests and if nothing works, you can gather the details and open a case. The better you document your case, the better Check Point works them. Keep in mind that you need to be more clear than you may expect. A lot of Check Point support members think in Hebrew or some other language and not in English. So you risk losing information in the process.

In fact I normally do not think in English either but in Dutch. If I am not interrupted or distracted I switch to thinking in English while working on issues like these, but if someone starts a Dutch conversation 3 feet away I have a hard time not switching back and forth.

So I encourage you to do some tests as indicated above, and if they fail you should have enough details for a pretty good case.

My P-1 test server is probably not finished for a while as I can only dedicate very limited time to study at the moment. But the hardware is there and it runs a fresh install of Solaris 10. So perhaps getting P-1 up is something I can do in between telephone calls and such. Then I can see if NAT is an issue.

Hugo.

-- 
[EMAIL PROTECTED] http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

Scanned by Check Point VPN-1 UTM NGX R65 with Messaging Security

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
