Hi Guru
We need your help.

Situation:
A) All the FW are NGXR65_70 on SPLAT

B) Design:
Mngmnt----------FW (cluster HA)----- Internet---- remoteFW (managed from Mngmnt)

C) NAT Rules
Original Packet                                 Translated Packet                           Install On
remoteFW --> Mngmnt (ANY)                       =Original --> External IP FW (cluster HA)   remoteFW
Mngmnt --> remoteFW(ANY)                        External IP FW (cluster HA) --> =Original   FW (cluster HA)
remoteFW(ANY) --> External IP FW (cluster HA)   =Original --> Mngmnt                        FW (cluster HA)

D) Security Rules:
remoteFW --> External IP FW (cluster HA)   Any   Accept   Install On (remoteFW, FW (cluster HA))
Mngmnt --> FW (cluster HA)                 Any   Accept   Install On (FW (cluster HA))
Any --> remoteFW                           Any   Accept   Install On (remoteFW)


Symptoms
In this config I'm seeing the logs, and I'm managing the remoteFW and the
local one without problem.

Now, if I try to configure (initialize) a VPN ("Meshed" or "Star", any diff.)
without changing anything else,
after the "Install Policy", I will lose control of the remoteFW.
Do you maybe know why?

Some logs:
Number:         18930
Date:                   today
Product:        System Monitor
Origin:                 Managmnt
Type:                   Alert
Action:                 
Information:    System Alert message: RemoteFW is disconnected
                        Object: RemoteFW
                        Event: Exception
                        Parameter: status_connection
                        Condition: is 8
                        Current value: 8



Number:                         29600
Date:                           today
Product:                        VPN-1 Power/UTM
VPN Feature:                    IKE
Interface:                      daemon
Origin:                         remoteFW
Type:                           Log
Action:                         Key Install
Encryption Scheme:      NA
Information:                    Validation log: Certificate defaultCert cannot be validated.
                                        Reason: Could not retrieve CRL.
                                        DN: CN=xxxxxxxxxxxxxxxxxxxxxxx3psve6
                                        Instruction: If this log persists, contact the CA administrator.
Subproduct:                     VPN


And there is no way to end the "Install Policy" process. To control the
remote FW again, I have to:
- reset the SIC on the remote module
- delete the VPN config on the Mngmnt
- reset the SIC on the Mngmnt and initialize it again.

Any Idea?

Tnx in advance
Corrado
