It sounds like the Sofaware box can't handle the number of tunnels,
because the default configuration on VPN communities is to create a pair
of VPN keys for each subnet. If there are many subnets, that results in
many keys being created, which puts extra load on the Sofaware box.

We previously had similar issues with one of our larger s...@office
deployments. To overcome this, we changed the VPN Tunnel Sharing options
under Tunnel Management to use "One VPN Tunnel per Gateway pair". 

That should reduce the overhead on the s...@office devices somewhat, as
it will only use a single pair of keys to communicate with all subnets
behind the gateway.

Good luck.

Matt
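
Matt's suggestion above, as an added example that is not part of either
post and is not Check Point code: a small Python model of what the
Tunnel Sharing setting changes. Under "One VPN Tunnel per subnet pair"
(the community default, as Check Point describes the option) a Phase 2
SA is negotiated for each (local subnet, remote subnet) combination;
under "One VPN Tunnel per Gateway pair" a single SA covers both whole
encryption domains. The SA capacity, the subnets and the order in which
traffic first reaches them are constructed assumptions, used only to
show how a peer that can hold too few SAs produces the rotating
reachability Sergio describes; the model does not claim this is the
appliance's actual internal mechanism.

```python
import ipaddress
from itertools import product

PER_SUBNET_PAIR = "one VPN tunnel per subnet pair"
PER_GATEWAY_PAIR = "one VPN tunnel per gateway pair"


def required_selectors(mode, local_domain, remote_domain):
    """Traffic selectors a gateway must negotiate under a Tunnel Sharing mode.

    Each selector is (local_nets, remote_nets).  Per subnet pair: one
    Phase 2 SA per (local subnet, remote subnet) combination.  Per gateway
    pair: a single SA spanning both whole encryption domains.
    """
    local = tuple(ipaddress.ip_network(n) for n in local_domain)
    remote = tuple(ipaddress.ip_network(n) for n in remote_domain)
    if mode == PER_SUBNET_PAIR:
        return [((l,), (r,)) for l, r in product(local, remote)]
    if mode == PER_GATEWAY_PAIR:
        return [(local, remote)]
    raise ValueError(f"unknown tunnel sharing mode {mode!r}")


def _covers(selector, src, dst):
    local_nets, remote_nets = selector
    return any(src in n for n in local_nets) and any(dst in n for n in remote_nets)


class SaTable:
    """Phase 2 SA table with a fixed capacity: an assumed resource limit that
    stands in for a small appliance running out of room for child SAs."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.sas = []

    def lookup(self, src, dst):
        for selector in self.sas:
            if _covers(selector, src, dst):
                return selector
        return None

    def negotiate(self, selector):
        """Phase 2 exchange for one selector; fails once the table is full."""
        if selector in self.sas:
            return True
        if len(self.sas) >= self.capacity:
            return False
        self.sas.append(selector)
        return True

    def expire_all(self):
        """SA lifetimes ran out: everything has to be renegotiated."""
        self.sas.clear()


def send(table, mode, local_domain, remote_domain, src, dst):
    """True if src->dst can be encrypted, negotiating the missing SA on demand."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if table.lookup(src, dst) is not None:
        return True
    for selector in required_selectors(mode, local_domain, remote_domain):
        if _covers(selector, src, dst):
            return table.negotiate(selector)
    return False  # outside both encryption domains: never enters the tunnel


def reachable(table, mode, branch_net, hq_nets, order):
    """HQ subnets a branch host reaches when traffic first hits them in `order`."""
    src = str(next(ipaddress.ip_network(branch_net).hosts()))
    ok = set()
    for net in order:
        dst = str(next(ipaddress.ip_network(net).hosts()))
        if send(table, mode, [branch_net], hq_nets, src, dst):
            ok.add(net)
    return ok


# Constructed sample topology: one flat network behind the remote box, five
# ranges behind the main-site cluster, and an assumed capacity of three SAs.
BRANCH = "192.168.10.0/24"
HQ = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24", "10.4.0.0/24", "10.5.0.0/24"]
SA_CAPACITY = 3


def rotation_demo(mode=PER_SUBNET_PAIR):
    """Two rounds separated by SA expiry, with a different first-contact order.

    Returns (round1, round2): the reachable HQ subnets in each round.
    """
    table = SaTable(SA_CAPACITY)
    round1 = reachable(table, mode, BRANCH, HQ, HQ)
    table.expire_all()
    round2 = reachable(table, mode, BRANCH, HQ, list(reversed(HQ)))
    return round1, round2


if __name__ == "__main__":
    for mode in (PER_SUBNET_PAIR, PER_GATEWAY_PAIR):
        n = len(required_selectors(mode, [BRANCH], HQ))
        r1, r2 = rotation_demo(mode)
        print(f"{mode}: {n} SA(s) needed")
        print("  round 1 reachable:", sorted(r1))
        print("  round 2 reachable:", sorted(r2))
```

With the per-subnet-pair setting the first three subnets contacted get an
SA and the other two never do; after expiry a different contact order
leaves a different set unreachable, which is the "networks that were
working fine stop working" pattern. With one tunnel per gateway pair the
first packet negotiates the only SA needed and every range is reachable
in both rounds. The same symptom is consistent with the observation that
the main-site Tracker logs the traffic as encrypted while the captures
show nothing arriving: the packet is matched to the VPN, but no usable SA
exists for that pair.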




-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Sergio Alvarez
Sent: 11 June 2009 05:24 PM
To: [email protected]
Subject: [FW-1] Unstable VPN traffic

Hello,

I have this very strange issue with a deployment of a VPN-1 (SPLAT R65)
HA cluster on a main site and ADSL s...@office boxes on several remote
locations. Site-to-site VPNs were configured and the phase 1 negotiation
goes with no issues, but then something wrong is happening with phase 2.
On the remote locations there are only flat networks behind each Sofa
box, but behind the HA pair of the main location there are lots of
different IP ranges, which forced the administrator to configure very
wide ranges when creating the VPN on the Sofa GUI (using the "specify
configuration" option). What happens is that some of the IP ranges
behind the VPN-1 HA pair are reachable while some are not. You might
think it was a config issue or an overlapping IP range causing trouble,
but suddenly the situation changes and networks that were not reachable
become reachable and ones that were working fine stop working. In the
same way, moving to the other side, main site IP ranges that were able
to get to the networks behind the Sofa boxes are no longer able to do so
and some that were failing suddenly are able to get there.

The situation occurs not only for one VPN with a Sofa box, but it has
occurred with every box they have deployed (5 at this point). They
purchased 10 of those boxes but stopped the deployment due to these
issues and have rolled back most of them, as the issue makes it almost
impossible for the people in the remote offices to work properly.

The Tracker on the main site shows all attempts to reach remote networks
as encrypted (no drops) and on the Sofa logs there are no errors or drops
either. Captures on both sides were taken while doing tests from a
remote office trying to reach several IP ranges on the main site, and
apparently packets to failing networks reach the Sofa but never make it
through the tunnel, as they are not shown on the main site.

Has anybody seen something like this? Any help will be very appreciated.

Regards


-- 
Sergio Alvarez
+(506)88301342


Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================