Hi Everybody,
We had a 2-node Nokia IP380 cluster with IPSO 3.8 and Check Point NGX R60
and upgraded it last week to a 2-node Nokia IP690 cluster with IPSO 4.2
Build 078, and have installed Check Point VPN-1 Power NGX R65 without HFAs.
The Nokia cluster is working in forwarding mode and static work assignment,
with the failure interval set to 5000 ms. The CPU and memory utilization is
normal. At the Check Point level we are using Nokia IP Clustering Load
Sharing. We have remote clients which are connecting with SecureClient
using different versions (R55, R56, R60) in office mode, and they get IPs
assigned from our central DHCP server. The office mode anti-spoofing is on
and configured with the network range that can be assigned by the DHCP
server; this network is not used locally and always gets routed through
the firewall.
Everything went fine: we first upgraded our SmartCenter and then changed
the gateways, but a few days ago we noticed that the VPN connections fail
"sometimes". On the user laptops we see that the tunnel test is failing,
but it says that the connection was established successfully.
I have read a lot of SKs and googled around for "local interface address
spoofing" and "tunnel test failure" without a lot of success, and after
testing a lot of options in the gateway configuration (MEP on/off, Dynamic
Gateway Address Resolution vs. Gateway Address Resolution from topology,
etc.) I found that the only way to get the client VPN connections to work
is removing one node from the cluster, leaving the other one alone.
In SmartView Tracker I found log entries that state that there is "local
interface address spoofing", and it seems to me that this is happening when
the client establishes the VPN through one gateway but the response is
trying to get out through the other one. Is that a possible problem? Shouldn't
the connections be synchronized between the cluster members?
Number: 13474
Date: 18Apr2008
Time: 13:01:46
Product: VPN-1 Power/UTM
Interface: eth-s1p1c1
Origin: <cluster-node-2-external-ip>
Type: Alert
Action: Drop
Protocol: udp
Service: 10366
Source: <cluster-external-ip>
Destination: <remote-client-public-dsl-ip>
Source Port: IKE_NAT_TRAVERSAL
Information: message_info: Local interface address spoofing
SmartDefense Profile: Default_Protection
Policy Info: Policy Name: policy1
Created at: Fri Apr 18 12:50:08 2008
Installed from: smartcenter
When this is happening, I try to ping a local PC from the remote client,
and I can see with a tcpdump that the packets are arriving at the local PC
with the office mode remote source IP from the remote client and that the
local PC is responding. This response arrives at the firewall and gets
dropped due to local interface address spoofing?
Thanks a lot in advance for any advice,
Kind Regards,
Eric Janz
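A small diagnostic to go with the question above, added here as an example and not part of Eric's post or of any Check Point or Nokia tool: it parses SmartView Tracker text-export records in the same "Field: value" layout as the quoted entry and reports every "Local interface address spoofing" drop whose remote client had its IKE NAT-T exchange accepted on a different cluster member. That is exactly the asymmetry the post suspects (tunnel built through one node, return traffic leaving through the other), and seeing it in the logs per client is a quicker check than pulling a node out of the cluster. The log records, the 192.0.2.x/198.51.100.x addresses and the shape of the Accept record for the IKE exchange are constructed assumptions for the example.

```python
"""Correlate SmartView Tracker anti-spoofing drops with the cluster member
that accepted the client's IKE NAT-T exchange.

Added example (not from the original post). All records below are constructed;
addresses are documentation placeholders, not the poster's real values."""

SPOOF_MARKER = "Local interface address spoofing"

# Constructed text export: cluster members 192.0.2.11 and 192.0.2.12 share
# the cluster address 192.0.2.10; 198.51.100.77 and 198.51.100.88 are two
# remote SecureClient users. Fields mirror the layout of the quoted entry.
SAMPLE_LOG = """\
Number: 13470
Date: 18Apr2008
Time: 12:59:10
Product: VPN-1 Power/UTM
Interface: eth-s1p1c1
Origin: 192.0.2.11
Type: Log
Action: Accept
Protocol: udp
Service: IKE_NAT_TRAVERSAL
Source: 198.51.100.77
Destination: 192.0.2.10
Source Port: 4500
Information: IKE: Main Mode completion

Number: 13474
Date: 18Apr2008
Time: 13:01:46
Product: VPN-1 Power/UTM
Interface: eth-s1p1c1
Origin: 192.0.2.12
Type: Alert
Action: Drop
Protocol: udp
Service: 10366
Source: 192.0.2.10
Destination: 198.51.100.77
Source Port: IKE_NAT_TRAVERSAL
Information: message_info: Local interface address spoofing
SmartDefense Profile: Default_Protection
Policy Info: Policy Name: policy1

Number: 13480
Origin: 192.0.2.12
Action: Accept
Service: IKE_NAT_TRAVERSAL
Source: 198.51.100.88
Destination: 192.0.2.10

Number: 13481
Origin: 192.0.2.12
Action: Drop
Source: 192.0.2.10
Destination: 198.51.100.88
Information: message_info: Local interface address spoofing
"""


def parse_records(text):
    """Split a SmartView Tracker text export into one dict per record.
    Records are separated by blank lines; each line is 'Field: value'.
    Only the first colon splits, so 'Policy Info: Policy Name: x' keeps
    its full value."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def find_asymmetric_spoof_drops(records):
    """Return (client_ip, ike_node, drop_node, log_number) for each
    anti-spoofing drop of return traffic to a client whose IKE NAT-T
    exchange was accepted on a different cluster member."""
    # Cluster member (Origin) that accepted each remote client's IKE NAT-T
    accepted_on = {}
    for r in records:
        if r.get("Action") == "Accept" and r.get("Service") == "IKE_NAT_TRAVERSAL":
            accepted_on[r.get("Source")] = r.get("Origin")

    findings = []
    for r in records:
        if r.get("Action") != "Drop" or SPOOF_MARKER not in r.get("Information", ""):
            continue
        client = r.get("Destination")          # return traffic: client is the destination
        ike_node = accepted_on.get(client)
        if ike_node and ike_node != r.get("Origin"):
            findings.append((client, ike_node, r.get("Origin"), r.get("Number")))
    return findings


if __name__ == "__main__":
    for client, ike_node, drop_node, number in find_asymmetric_spoof_drops(parse_records(SAMPLE_LOG)):
        print(f"log {number}: client {client} negotiated IKE on {ike_node}, "
              f"return traffic dropped as spoofed on {drop_node}")
```

Run against a real export, only clients whose drop node differs from their IKE node are listed; the second client in the sample (both events on the same member) is correctly left out, which is the case where the cluster's work assignment kept both directions on one node.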