To add, the only changes being made here are the management rules; all other rules, such as VPN, remain the same. This is strange, as it appears at first glance the policy installs but times out, and no communication can be made from the manager to the firewalls (SIC timeout), but when you unload the policy, trust works again. Sorry to ramble on, but I have to resolve this as it's getting rather urgent. Thanks

On Sun, 19 Jun 2011 16:43 BST Alexey Baltacov wrote:
>Hello Peter,
>I think you should describe better the topology, IP addresses, routers
>and other layer 3 devices between Provider-1 and NG firewalls,
>and also describe better what exact changes were done.
>Alexey
>
>On Sun, Jun 19, 2011 at 6:05 PM, Peter Addy <[email protected]> wrote:
>> Forgot to mention, these firewalls are currently being managed by a
>> Provider-1 NGX.
>>
>> ________________________________
>> From: Peter Addy <[email protected]>
>> To: [email protected]
>> Sent: Sat, 18 June, 2011 21:31:51
>> Subject: [FW-1] Please help!!! " Reason: Smart Center Server aborted
>> connection with peer, due to timeout = 300000( mili-sec )( port = 18191 )
>>
>> Guys,
>>
>> Anyone seen this message before?
>>
>> Reason: Smart Center Server aborted connection with peer, due to timeout =
>> 300000( mili-sec )( port = 18191 )
>>
>> Basically trying to install a policy on a pair of NG AI R55 firewalls from an
>> NGX R65 manager; the policy times out with the above message.
>>
>> Strange issue: if I then fwunloadlocal on the firewalls and re-establish SIC,
>> trust can be established, but when I push the policy the message appears
>> again. However, when I then log onto the firewalls and do a fw stat, I can see
>> the policy installed, but I cannot access the firewalls via SSH or HTTPS, and
>> trust complains about communicating. The policy on the firewalls should allow
>> me to do this; my policy seems fine, but the message is somewhat baffling and
>> I don't really know what this is. I fwunloadlocal the policy and trust is OK ????
>>
>> Our management server is communicating to firewalls which are on NAT IPs,
>> which are then NAT'd once leaving the firewalls and presented as the real IPs.
>> Only the management IPs of the firewalls are changed on the cluster object,
>> which get translated to the real IPs. No NAT rules are in place and I don't
>> think they are needed as NAT is in place on the return path; correct me if I
>> am wrong that a NAT rule has to be in place? And anti-spoofing is all off and
>> set to internal.
>>
>> But then why does comms work from the manager to the firewalls when I
>> fwunloadlocal, then stop when I install a policy??
>>
>> Please help as this is really annoying and rather urgent and I need to get
>> this fixed, so appreciate the help. Thanks
>>
>> ________________________________
>> From: Peter Addy <[email protected]>
>> To: [email protected]
>> Sent: Thu, 2 June, 2011 7:57:27
>> Subject: Re: [FW-1] vpn and manager
>>
>> Hey,
>>
>> Well, resetting SIC as this will be managed from a new firewall manager, and
>> to complicate things all interfaces configured are on a 10.x along with the
>> cluster IP. So to manage this from our network we have to change the
>> management interfaces to our address on the firewall policy object. The other
>> side of the VPN sees and communicates site to site to this cluster IP 10.x.
>> My thinking is change the modules and cluster IP to our address just on the
>> policy firewall object, not hardware, and leave the rest. This is because when
>> we communicate to the IPs of the modules they get NAT'd to the 10.x; however
>> the other VPN sees it as a 10.x, so when we do SIC and push a new policy my
>> guess is this will conflict, or the fact our IPs say are 28.x but are then
>> seen coming across as 10.x. Or does the firewall object have to match exactly
>> what the interfaces are on the physical boxes? As you can gather, a bit of a
>> nightmare. Hope this makes sense, and yup, could do with some practical advice
>> on how best to achieve this with the same VPN set up but a different
>> management set up.
>>
>> On Thu, 02 Jun 2011 07:15 BST Independent IT Consultant wrote:
>>
>>>If doing an upgrade_export / upgrade_import, it won't be an issue. If a SIC
>>>reset or new ICA is involved, then yes, you cannot.
>>>
>>>Why are you resetting SIC?
>>>
>>>On Tue, May 31, 2011 at 12:52 PM, Peter Addy <[email protected]> wrote:
>>>
>>>> Thanks, would I be correct in saying that you cannot use the same VPN
>>>> certificate for the same VPN, where only the manager SmartCenter is
>>>> changing?
>>>>
>>>> On Tue, 24 May 2011 17:28 BST David DeSimone wrote:
>>>>
>>>> >Gary Scott <[email protected]> wrote:
>>>> >>
>>>> >> VPNs would break right away; as soon as you reset SIC the initial
>>>> >> policy is loaded.
>>>> >
>>>> >One presumes that you would not reset SIC until you are just about to
>>>> >install the new policy.
>>>> >
>>>> >
>>>> >> ________________________________
>>>> >> From: David DeSimone <[email protected]>
>>>> >> To: [email protected]
>>>> >> Sent: Tue, May 24, 2011 8:55:28 AM
>>>> >> Subject: Re: [FW-1] vpn and manager
>>>> >>
>>>> >> VPNs would not break right away. The gateways are in the habit of
>>>> >> pre-loading the CRL every 2 hours, so they should have a recent copy of
>>>> >> it whenever they need it; the problem is that the expiry lifetime of the
>>>> >> CRL is 24 hours at best, which is why that is the maximum time you have
>>>> >> to establish new SIC and install a new policy.
>>>> >>
>>>> >> There is no way to avoid using certificate-based authentication for
>>>> >> internally-managed gateways, I believe. It is not an available option
>>>> >> to use pre-shared secrets, except with externally-managed peers.
>>>> >>
>>>> >>
>>>> >> Peter Addy <[email protected]> wrote:
>>>> >> >
>>>> >> > Thanks, now to add a further spin! What if the manager changed and SIC
>>>> >> > was established with another manager; would the VPNs break instantly,
>>>> >> > or not until a new policy was pushed from the new manager? Basically I
>>>> >> > assume there is no real way to keep a VPN intact with hardly any down
>>>> >> > time if a new manager was deployed changing the VPN from cert to pre
>>>> >> > shared key. Cheers
>>>> >> >
>>>> >> >
>>>> >> > On Tue, 24 May 2011 01:34 BST David DeSimone wrote:
>>>> >> >
>>>> >> > >Since we just recently had this happen to us on our network, I can
>>>> >> > >confirm that this is exactly what happens.
>>>> >> > >
>>>> >> > >Certificate-based VPNs will fail within 24 hours due to the gateways'
>>>> >> > >inability to load the CRL.
>>>> >> > >
>>>> >> > >Pre-shared secret VPNs will continue to operate, presumably
>>>> >> > >indefinitely.
>>>> >> > >
>>>> >> > >
>>>> >> > >Independent IT Consultant <[email protected]> wrote:
>>>> >> > >>
>>>> >> > >> It greatly depends on the *type* of VPN. If using certificates (such
>>>> >> > >> as with Edges or other gateways that are centrally managed), then
>>>> >> > >> the limiting factor is the CRL expiration on the ICA, which is, by
>>>> >> > >> default, 24 hours. In this case, tunnels that can't validate their
>>>> >> > >> certificates will fail after that CRL timeout period. Remember,
>>>> >> > >> it's 24 hours after the last CRL refresh, not necessarily 24 hours
>>>> >> > >> after the SMC went down. With VPNs to external gateways using shared
>>>> >> > >> secret, they may work indefinitely, but I wouldn't guarantee it.
>>>> >> > >>
>>>> >> > >>
>>>> >> > >> On Mon, May 23, 2011 at 12:45 PM, Peter Addy <[email protected]> wrote:
>>>> >> > >>
>>>> >> > >> > Curious, does anyone know how long VPNs would continue to work if a
>>>> >> > >> > SmartCenter was down and not available? And if they do stop, why
>>>> >> > >> > is this so, or do they simply continue to run but changes cannot be
>>>> >> > >> > made until the manager was restored? Thanks
>>>> >
>>>> >--
>>>> >David DeSimone == Network Admin == [email protected]
>>>> > "I don't like spinach, and I'm glad I don't, because if I
>>>> > liked it I'd eat it, and I just hate it." -- Clarence Darrow
>>>> >
>>>> >=================================================
>>>> >To set vacation, Out-Of-Office, or away messages,
>>>> >send an email to [email protected]
>>>> >in the BODY of the email add:
>>>> >set fw-1-mailinglist nomail
>>>> >=================================================
>>>> >To unsubscribe from this mailing list,
>>>> >please see the instructions at
>>>> >http://www.checkpoint.com/services/mailing.html
>>>> >=================================================
>>>> >If you have any questions on how to change your
>>>> >subscription options, email
>>>> >[email protected]
>>>> >=================================================
>
>--
>Sincerely,
>
>Alexey Baltacov
>[email protected] | Tel: +972-504989954
