Hello. This customer of ours has an active/standby SPLAT cluster with SNX enabled (bear in mind there is no Connectra involved here). Everything worked perfectly until a migration from R70.20 to R75 was done, and since then SNX users connecting to the cluster can access all the services they used to, with the exception of a VoIP service (H323). They can even ping the related server, but the application just won't work. No config changes had been done since it was working OK.
Logs show a few drops of H323 traffic from an Office Mode IP assigned to a test user. The drops show no related rule, and the info says: "dst scheme: NA; dst methods: SSL; route status: Failed to enforce VPN policy (8)". I looked for that message and found something similar related to an encryption problem not related to this scenario.

I did a zdebug to find out what was dropped and found a few extra messages like the ones below:

;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 X.X.X.X:34524 -> Y.Y.Y.Y:1720 dropped by vpn_drop_and_log Reason: Failed to enforce VPN policy (8);
;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 Y.Y.Y.Y:1720 -> X.X.X.X:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;

Where X.X.X.X is the Office Mode IP assigned to the user and Y.Y.Y.Y is the IP of the VoIP server. We could not find anything about those either.

A case is already open with CP support, but no answers have been received and the situation is becoming more critical as time goes by. We already checked that the rule allowing the traffic is specific to H323 in the "service" section, and also changed the advanced properties of the H323 service object to "none", but with no luck.

Has anybody seen something like this before? Any help will be very much appreciated.

--
Sergio Alvarez
CISSP | CCSE+
