Hello Alexey.

I agree with you, it must have something to do with changes in R75. Regarding the client, they are already using the latest SNX version available.
There is in fact a case opened with CP Support since last week, but the apparent high amount of cases they are handling right now, plus the complexity of the issue, have ended up with a very poor response from their side and a very aggravated customer. Today we finally got the engineer in charge to call back for a remote session (calling them has turned into an "hours on hold" nightmare these days), but apparently they have been working all morning with no success yet.

Once again, thanks for your comments.

Regards

On Thu, Jul 21, 2011 at 9:46 AM, Alexey Baltacov <[email protected]> wrote:
> Hello Sergio,
> Actually there are a lot of things that were changed in R75 and R75.10 versions, that's why things that previously were good can stop working now.
> The idea about use of Endpoint Connect was needed just in order to understand if the problem is with the client only or with the whole FW+VPN daemon.
> In case the problem is with the client only, debug should be done on the client; possibly some new SNX release can solve it.
> Hope you have a ticket opened with CP support and there is progress in it.
> Alexey
>
> On Thu, Jul 21, 2011 at 5:12 PM, Sergio Alvarez <[email protected]> wrote:
> > Hello Alexey.
> >
> > Thanks for your reply. Actually it was all working perfectly before changing version, and the idea of changing the advanced settings in H323 to none was something we tried because it has helped in the past to solve VoIP issues, although it did not this time.
> > About trying with Endpoint Connect, the deal here is the customer specifically acquired SNX licenses because they have hundreds of users on the field requiring remote access to services, and installing a VPN software client on each laptop had become a nightmare. Suggesting to go back to such a scenario won't be acceptable for them.
> >
> > Any further suggestions will be very appreciated.
> >
> > Regards
> >
> > On Wed, Jul 20, 2011 at 2:38 AM, Alexey Baltacov <[email protected]> wrote:
> >
> >> Hello Sergio,
> >> I have never seen such a problem but...
> >> As far as I know, in the latest CP versions the worst thing that can be done in order to stop voice traffic is changing advanced proto settings to "none".
> >> Usually the thing that can help is configuring voice "by the book"; in my experience with SIP, it works in 85% of cases.
> >> I mean configuring voice domain, etc.
> >> One more thing you can try for a test: install Endpoint Connect R75.10 and test with it. Generally it is using the same 443 in order to connect, just a different client and more options for configuration.
> >> Alexey
> >>
> >> On Wed, Jul 20, 2011 at 2:04 AM, Sergio Alvarez <[email protected]> wrote:
> >> > Hello.
> >> >
> >> > This customer of ours has an active/standby SPLAT cluster with SNX enabled (bear in mind there is no Connectra involved here). Everything worked perfectly until a migration from R70.20 to R75 was done, and since then SNX users getting connected to the cluster can access all services they used to, with the exception of a VoIP service (H323); they can even ping the related server, but the application just won't work. No config changes had been done since it was working OK.
> >> >
> >> > Logs show a few drops of H323 traffic from an Office Mode IP assigned to a test user; the drops show no rule related and the info says: "dst scheme: NA; dst methods: SSL; route status: Failed to enforce VPN policy (8)". I looked for that message and found something similar related with an encryption problem not related with this scenario.
> >> >
> >> > Did a zdebug to find out what was dropped and found a few extra messages like the ones below:
> >> >
> >> > ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 X.X.X.X:34524 -> Y.Y.Y.Y:1720 dropped by vpn_drop_and_log Reason: Failed to enforce VPN policy (8);
> >> >
> >> > ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 Y.Y.Y.Y:1720 -> X.X.X.X:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
> >> >
> >> > Where X.X.X.X is the Office Mode IP assigned to the user and Y.Y.Y.Y is the IP of the VoIP server.
> >> >
> >> > We could not find anything about those either. A case is opened already with CP support but no answers have been received and the situation is becoming more critical as time goes by.
> >> >
> >> > It was already checked that the rule allowing the traffic is specific on H323 in the "service" section, and we also tried changing to "none" the advanced properties of the H323 service object, but with no luck.
> >> >
> >> > Has anybody seen something like this before?
> >> >
> >> > Any help will be very appreciated.
> >> >
> >> > --
> >> > Sergio Alvarez
> >> > CISSP | CCSE+
> >> >
> >> > =================================================
> >> > To set vacation, Out-Of-Office, or away messages,
> >> > send an email to [email protected]
> >> > in the BODY of the email add:
> >> > set fw-1-mailinglist nomail
> >> > =================================================
> >> > To unsubscribe from this mailing list,
> >> > please see the instructions at
> >> > http://www.checkpoint.com/services/mailing.html
> >> > =================================================
> >> > If you have any questions on how to change your
> >> > subscription options, email
> >> > [email protected]
> >> > =================================================
> >>
> >> --
> >> Sincerely,
> >>
> >> Alexey Baltacov
> >> [email protected] | Tel: +972-504989954
> >>
> >> Scanned by Check Point Total Security Gateway.
> >
> > --
> > Sergio Alvarez
> > CISSP | CCSE+
>
> --
> Sincerely,
>
> Alexey Baltacov
> [email protected] | Tel: +972-504989954

--
Sergio Alvarez
CISSP | CCSE+
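An added example, not part of the original thread: a small Python parser for drop records in the `fw_log_drop` format quoted above, which tallies drops by direction, dropping function and reason even when a mail client has quoted and wrapped the lines. The addresses in `SAMPLE` are constructed documentation addresses standing in for the masked X.X.X.X and Y.Y.Y.Y, and the names `parse_drops` and `summarize` are this example's own.

```python
import re
from collections import Counter

# One drop record in the format quoted in the thread:
# ;[cpu_N];[fw_N];fw_log_drop: Packet proto=P SRC:SPORT -> DST:DPORT dropped by FUNC Reason: TEXT;
DROP_RE = re.compile(
    r"fw_log_drop:\s+Packet\s+proto=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"dropped\s+by\s+(?P<func>\S+)\s+Reason:\s+(?P<reason>.*?)\s*;"
)
SIGNALLING_PORT = 1720  # TCP port seen in the thread's drops (H.323 call signalling)

def parse_drops(text):
    """Return one dict per drop record, tolerating mail quoting and line wraps."""
    flat = re.sub(r"(?m)^[>\s]+", " ", text)  # remove leading '>' quote markers
    flat = re.sub(r"\s+", " ", flat)          # rejoin records wrapped across lines
    records = []
    for m in DROP_RE.finditer(flat):
        rec = m.groupdict()
        for key in ("proto", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def summarize(records, port=SIGNALLING_PORT):
    """Count drops per (direction relative to the server port, function, reason)."""
    counts = Counter()
    for rec in records:
        if rec["dport"] == port:
            direction = "client->server"
        elif rec["sport"] == port:
            direction = "server->client"
        else:
            direction = "other"
        counts[(direction, rec["func"], rec["reason"])] += 1
    return counts

# Constructed sample: same shape as the lines in the thread, with documentation
# addresses standing in for the masked X.X.X.X (Office Mode IP) and Y.Y.Y.Y (server).
SAMPLE = """\
>> > ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 192.0.2.10:34524 ->
>> > 198.51.100.20:1720 dropped by vpn_drop_and_log Reason: Failed to enforce
>> > VPN policy (8);
>> > ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 198.51.100.20:1720 ->
>> > 192.0.2.10:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have
>> > to be tunneled;
"""

if __name__ == "__main__":
    for key, n in summarize(parse_drops(SAMPLE)).items():
        print(n, *key, sep=" | ")
```

Grouping by direction makes it visible that the two drops come from different kernel functions, one on each leg of the same TCP conversation.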
