Hello Matthew,

Thanks for your reply.

Actually, what you are explaining here makes a lot of sense. I'll try it and will let the list know if the issue gets resolved.

Regards

On Fri, Jun 12, 2009 at 1:07 AM, Matthew Odendaal <[email protected]> wrote:

> It sounds like the sofaware box can't handle the amount of tunnels, because the default configuration on VPN communities is to create a pair of VPN keys for each subnet. If there are many subnets, that results in many keys being created, which puts extra load on the Sofaware box.
>
> We previously had similar issues with one of our larger s...@office deployments. To overcome this, we changed the VPN Tunnel Sharing options under Tunnel Management to use "One VPN Tunnel per Gateway pair".
>
> That should reduce the overhead on the s...@office devices somewhat, as it will only use a single pair of keys to communicate with all subnets behind the gateway.
>
> Good luck.
>
> Matt
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Sergio Alvarez
> Sent: 11 June 2009 05:24 PM
> To: [email protected]
> Subject: [FW-1] Unstable VPN traffic
>
> Hello,
>
> I have this very strange issue with a deployment of a VPN-1 (SPLAT R65) HA cluster on a main site and ADSL s...@office boxes on several remote locations. Site to site VPNs were configured and the phase 1 negotiation goes with no issues, but then something wrong is happening with phase 2. On the remote locations there are only flat networks behind each Sofa box, but behind the HA pair of the main location there are lots of different IP ranges, which forced the administrator to configure very wide ranges when creating the VPN on the Sofa GUI (using the "specify configuration" option).
>
> What happens is some of the IP ranges behind the VPN-1 HA pair are reachable while some are not. You might think it was a config issue or an overlapping IP range causing trouble, but suddenly the situation changes and networks that were not reachable become reachable and ones that were working fine stop working. In the same way, moving to the other side, main site IP ranges that were able to get to the networks behind the Sofa boxes are no longer able to do so, and some that were failing suddenly are able to get there.
>
> The situation occurs not only for one VPN with a Sofa box, but it has occurred with every box they have deployed (5 at this point). They purchased 10 of those boxes but stopped the deployment due to these issues and have made rollbacks on most of them, as the issue makes it almost impossible for the people in the remote offices to work properly.
>
> The Tracker on the main site shows all attempts to reach remote networks as encrypted (no drops) and on the Sofa logs there are no errors or drops either. Captures on both sides were taken while doing tests from a remote office trying to reach several IP ranges on the main site, and apparently packets to failing networks reach the Sofa but never make it through the tunnel, as they are not shown on the main site.
>
> Has anybody seen something like this? Any help will be very appreciated.
>
> Regards
>
> --
> Sergio Alvarez
> +(506)88301342
>
> Scanned by Check Point Total Security Gateway.
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

--
Sergio Alvarez
+(506)88301342
