Hi all, I'm having some issues with RSA ACE/Server 5.0 and FW-1 4.1 SP5. Maybe somebody has encountered similar problems and knows how things work.

The company I'm working for has a Wide Area Network, consisting of several Nordic countries, and all IP addresses on the WAN are from RFC1918 (private). Each country has a FW-1. Country NO has an RSA ACE/Server 5.0 configured as Primary. Country SE has an RSA ACE/Server 5.0 configured as Slave. Each country has its own IP subnet. On each IP subnet the WAN router has a default route to the FW-1. This means that all Internet-valid addresses are sent to the FW, as well as all RFC1918 addresses not known on the WAN. All FWs are on Nokia platforms.

I configured the FW in SE to use SecurID: added it as a UNIX Agent Host on the ACE Primary, specified the Primary name/IP as the FW external interface and added the other interfaces as Secondary Nodes. I also assigned acting servers, specifying the ACE Slave as Master and the ACE Primary as Slave. (The ACE Slave is on the same IP subnet as the FW internal NIC.) Then I created the sdconf.rec and copied it to /var/ace. After the first successful authentication with a user with a key fob, the FW got the encryption secret and saved it as /var/ace/securid.

However, when I do exactly the same thing on the FW in FI, the first authentication works but it seems like it never gets the secret; there is no securid file. This FW also has the Slave ACE server assigned in sdconf.rec as Primary. On the ACE server log it shows that authentication succeeded and the node secret was sent. Note that this FW is on a different subnet than both ACE servers. A tcpdump on UDP port 5500 on the FW shows that packets are sent to the ACE Slave from the internal IP address of the FW, and packets are also received from the ACE server.

Question: Might it be that the node secret is being sent to the IP address specified as Primary in the ACE server Agent Host object? This is the external Internet address.

Another issue is with the ACE servers: the activity log on both servers shows a lot of errors. Examples:

- Replica rejecting token modify
- Error modifying record
- Error creating record
- Error deleting record

What could be wrong here? Permission issues? Wrongly configured replication? (I have not configured the ACE servers...)

Grateful for tips and suggestions.

-- Timo T. Rajala
