Hello Peter,

I think you should describe better the topology, IP addresses, routers and other layer 3 devices between the Provider-1 and the NG firewalls, and also describe better what exact changes were done.

Alexey
On Sun, Jun 19, 2011 at 6:05 PM, Peter Addy <[email protected]> wrote:
> Forgot to mention, these firewalls are currently being managed by a Provider-1
> NGX.
>
> ________________________________
> From: Peter Addy <[email protected]>
> To: [email protected]
> Sent: Sat, 18 June, 2011 21:31:51
> Subject: [FW-1] Please help!!! " Reason: Smart Center Server aborted
> connection with peer, due to timeout = 300000( mili-sec )( port = 18191 )
>
> Guys,
>
> Anyone seen this message before?
>
> Reason: Smart Center Server aborted connection with peer, due to timeout =
> 300000( mili-sec )( port = 18191 )
>
> Basically, trying to install a policy on a pair of NG AI R55 firewalls from an
> NGX R65 manager, the policy times out with the above message.
>
> Strange issue: if I then fwunloadlocal on the firewalls and re-establish SIC,
> trust can be established, but when I push the policy the message appears
> again. However, if I then log onto the firewalls and do a fw stat, I can see
> the policy installed, but I cannot access the firewalls via ssh or https, and
> trust complains about communicating. The policy on the firewalls should allow
> me to do this; my policy seems fine, but the message is somewhat baffling and
> I don't really know what this is. If I fwunloadlocal the policy, trust is
> ok ????
>
> Our management server is communicating to firewalls which are on NAT IPs,
> which are then NAT'd once leaving the firewalls and presented as the real IPs.
> Only the management IPs of the firewalls are changed on the cluster object,
> which get translated to the real IPs; no NAT rules are in place and I don't
> think they are needed as NAT is in place on the return path. Correct me if I
> am wrong that a NAT rule has to be in place? Anti-spoofing is all off and set
> to internal.
>
> But then why does comms work from the manager to the firewalls when I
> fwunloadlocal, then stop when I install a policy??
>
> Please help as this is really annoying and rather urgent that I get this
> fixed, so appreciate the help. Thanks
>
> ________________________________
> From: Peter Addy <[email protected]>
> To: [email protected]
> Sent: Thu, 2 June, 2011 7:57:27
> Subject: Re: [FW-1] vpn and manager
>
> Hey,
>
> Well, resetting SIC as this will be managed from a new firewall manager, and
> to complicate things all interfaces configured are on a 10.x along with the
> cluster IP. So to manage this from our network we have to change the
> management interfaces to our address on the firewall policy object; the other
> side of the VPN sees and communicates site to site to this cluster IP 10.x.
> My thinking is change the modules and cluster IP to our address just on the
> policy firewall object, not hardware, and leave the rest. This is because
> when we communicate to the IPs of the modules they get NAT'd to the 10.x;
> however the other VPN sees it as a 10.x, so when we do SIC and push a new
> policy my guess is this will conflict, or the fact our IPs say are 28.x but
> are then seen coming across as 10.x. Or does the firewall object have to
> match exactly what the interfaces are on the physical boxes? As you can
> gather, a bit of a nightmare. Hope this makes sense and yup, could do with
> some practical advice on how best to achieve this with the same VPN set up
> but a different management set up.
>
> On Thu, 02 Jun 2011 07:15 BST Independent IT Consultant wrote:
>
>> If doing an upgrade_export / upgrade_import, it won't be an issue. If a SIC
>> reset or new ICA is involved, then yes, you cannot.
>>
>> Why are you resetting SIC?
>>
>> On Tue, May 31, 2011 at 12:52 PM, Peter Addy <[email protected]> wrote:
>>
>>> Thanks, would I be correct in saying that you cannot use the same VPN
>>> certificate for the same VPN, where only the manager SmartCenter is
>>> changing?
>>>
>>> On Tue, 24 May 2011 17:28 BST David DeSimone wrote:
>>>
>>> > Gary Scott <[email protected]> wrote:
>>> >>
>>> >> VPNs would break right away, as soon as you reset SIC the initial
>>> >> policy is loaded
>>> >
>>> > One presumes that you would not reset SIC until you are just about to
>>> > install the new policy.
>>> >
>>> >
>>> >> ________________________________
>>> >> From: David DeSimone <[email protected]>
>>> >> To: [email protected]
>>> >> Sent: Tue, May 24, 2011 8:55:28 AM
>>> >> Subject: Re: [FW-1] vpn and manager
>>> >>
>>> >> VPNs would not break right away. The gateways are in the habit of
>>> >> pre-loading the CRL every 2 hours, so they should have a recent copy of
>>> >> it whenever they need it; the problem is that the expiry lifetime of the
>>> >> CRL is 24 hours at best, which is why that is the maximum time you have
>>> >> to establish new SIC and install a new policy.
>>> >>
>>> >> There is no way to avoid using certificate-based authentication for
>>> >> internally-managed gateways, I believe. It is not an available option
>>> >> to use pre-shared secrets, except with externally-managed peers.
>>> >>
>>> >>
>>> >> Peter Addy <[email protected]> wrote:
>>> >> >
>>> >> > Thanks, now to add a further spin! What if the manager changed and SIC
>>> >> > was established with another manager, would the VPNs break instantly
>>> >> > or not until a new policy was pushed from the new manager? Basically I
>>> >> > assume there is no real way to keep a VPN intact and hardly any down
>>> >> > time if a new manager was deployed changing the VPN from cert to pre
>>> >> > shared key, cheers
>>> >> >
>>> >> >
>>> >> > On Tue, 24 May 2011 01:34 BST David DeSimone wrote:
>>> >> >
>>> >> > > Since we just recently had this happen to us on our network, I can
>>> >> > > confirm that this is exactly what happens.
>>> >> > >
>>> >> > > Certificate-based VPNs will fail within 24 hours due to the
>>> >> > > gateways' inability to load the CRL.
>>> >> > >
>>> >> > > Pre-shared secret VPNs will continue to operate, presumably
>>> >> > > indefinitely.
>>> >> > >
>>> >> > >
>>> >> > > Independent IT Consultant <[email protected]> wrote:
>>> >> > >>
>>> >> > >> It greatly depends on the *type* of VPN. If using certificates
>>> >> > >> (such as with Edges or other gateways that are centrally managed),
>>> >> > >> then the limiting factor is the CRL expiration on the ICA, which
>>> >> > >> is, by default, 24 hours. In this case, tunnels that can't validate
>>> >> > >> their certificates will fail after that CRL timeout period.
>>> >> > >> Remember, it's 24 hours after the last CRL refresh, not necessarily
>>> >> > >> 24 hours after the SMC went down. With VPNs to external gateways
>>> >> > >> using shared secret, they may work indefinitely, but I wouldn't
>>> >> > >> guarantee it.
>>> >> > >>
>>> >> > >>
>>> >> > >> On Mon, May 23, 2011 at 12:45 PM, Peter Addy <[email protected]>
>>> >> > >> wrote:
>>> >> > >>
>>> >> > >> > Curious, does anyone know how long VPNs would continue to work
>>> >> > >> > if a SmartCenter was down and not available? And if they do stop,
>>> >> > >> > why is this so, or do they simply continue to run but changes
>>> >> > >> > cannot be made until the manager was restored? Thanks
>>> >
>>> > --
>>> > David DeSimone == Network Admin == [email protected]
>>> >   "I don't like spinach, and I'm glad I don't, because if I
>>> >    liked it I'd eat it, and I just hate it." -- Clarence Darrow
>>> >
>>> > Scanned by Check Point Total Security Gateway.
>>> >
>>> > =================================================
>>> > To set vacation, Out-Of-Office, or away messages,
>>> > send an email to [email protected]
>>> > in the BODY of the email add:
>>> > set fw-1-mailinglistnomail
>>> > =================================================
>>> > To unsubscribe from this mailing list,
>>> > please see the instructions at
>>> > http://www.checkpoint.com/services/mailing.html
>>> > =================================================
>>> > If you have any questions on how to change your
>>> > subscription options, email
>>> > [email protected]
>>> > =================================================
--
Sincerely,
Alexey Baltacov
[email protected] | Tel: +972-504989954
