Hello, thanks for the hints. Now I've tried the hotfix 2 SecuRemote Client and it looks like it works longer than only ten minutes. I've never changed anything on the firewall :)
/Micha Borrmann
Check to make sure that your client encrypt rule comes after your IKE rule. We had this same problem. If it is not, the phase two renegotiation fails, which happens 10 minutes from the initial negotiation. It is documented in a knowledgebase article. Let me know if this helps.

-Aaron

-----Original Message-----
From: Frank Darden [mailto:fdarden@;LOCKED.COM]
Sent: Tuesday, October 22, 2002 4:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] encryption failure: Packet is dropped as there is no valid SA

This is a wild guess, but I have seen this before, and it's well documented on the list. By any chance, have you defined the firewall's object with its internal IP address? The 10 minute thing is what gives this away....

Frank Darden
Mission Critical Systems
Check Point Premier, ATC, CSP
954-766-2550

-----Original Message-----
From: Micha Borrmann [mailto:borrmann@;SYSS.DE]
Sent: Tuesday, October 22, 2002 9:34 AM
To: [EMAIL PROTECTED]
I've a strange problem with one NG FP2 installation (running on Linux) and SecuRemote/SecureClient. After authentication with IKE everything is ok, but a few minutes later the encrypted tunnel is dropped. This is after about 10 minutes. I've seen only one entry in the logfile with a dropped packet, but no source and destination is written in the log. I see only "encryption failure: Packet is dropped as there is no valid SA" in the info field. In the SecureClient's Diagnostics I've seen a similar entry too: "encryption failure:: Packet is dropped as there is no valid SA"
--
Micha Borrmann                 Tel:   +49 7071 407856-16
Security Consultant            Fax:   +49 7071 407856-19
syss System Security           handy: +49 173 51 228 67
Friedrich-Dannenmann-Str. 2    mail:  [EMAIL PROTECTED]
D-72070 Tuebingen              http://www.syss.de/
Key fingerprint = CB95 DA11 6FC9 8B49 D3E7 BEF6 E6BD 9BCA CCE5 7720
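
The symptom described in this thread (a "no valid SA" drop about ten minutes after a successful IKE login, logged without source or destination) can be picked out of a log export by time correlation alone. The following is an added example, not code from any poster or from Check Point; the log format, the event names `ike_ok`/`drop` and the tolerance value are hypothetical and constructed for illustration.

```python
import re
from datetime import datetime, timedelta

DROP_INFO = "encryption failure: Packet is dropped as there is no valid SA"
RENEG_AFTER = timedelta(minutes=10)  # interval reported in the thread
TOLERANCE = timedelta(seconds=90)    # assumption: slack for logging delay

# Constructed sample in a simplified, hypothetical format (not real FireWall-1 output).
SAMPLE_LOG = """\
2002-10-22 09:00:05 event=ike_ok user=alice
2002-10-22 09:03:40 event=ike_ok user=bob
2002-10-22 09:10:12 event=drop info="encryption failure: Packet is dropped as there is no valid SA"
2002-10-22 09:25:00 event=drop info="encryption failure: Packet is dropped as there is no valid SA"
2002-10-22 09:13:50 event=drop info="rule 12"
"""

LINE_RE = re.compile(r'^(\S+ \S+) event=(\w+)(?: user=(\S+))?(?: info="([^"]*)")?$')

def parse(log_text):
    """Yield (timestamp, event, user, info) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_renegotiation_failures(log_text):
    """Pair each 'no valid SA' drop with IKE logins about ten minutes earlier.

    The drop entries carry no source or destination, so matching is by time
    only. Returns [(drop_time, [candidate users])]; an empty candidate list
    means the drop does not fit the ten-minute pattern.
    """
    entries = sorted(parse(log_text), key=lambda e: e[0])
    logins = [(ts, user) for ts, ev, user, _ in entries if ev == "ike_ok"]
    results = []
    for ts, ev, _, info in entries:
        if ev != "drop" or info != DROP_INFO:
            continue  # unrelated drops (e.g. rule matches) are ignored
        candidates = [u for lts, u in logins
                      if abs((ts - lts) - RENEG_AFTER) <= TOLERANCE]
        results.append((ts, candidates))
    return results

if __name__ == "__main__":
    for when, users in find_renegotiation_failures(SAMPLE_LOG):
        print(when, "->", ", ".join(users) or "no login ~10 min earlier")
```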
