Title: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10
Hi all,
 
Could someone maybe help me to resolve this problem?
I have a Dell machine with two 1.2 giga processors and 4 token ring NICs. Secure Platform FP3 works fine until I start the VPN tunnel; when this happens the enforcement module reboots. I tested with another machine too, and the error is exactly the same. Is there some incompatibility with token ring cards?
 

Thanking you in anticipation,

Eduardo Gui
Information Security Consultant
Phone: 55 61 426 3500
Mobile: 55 61 9975 6575
Fax: 55 61 426 3555

True Access Consulting
Information Security Specialist
www.trueaccess.com.br

-----Original Message-----
From: Mellor, Derin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 17, 2002 6:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10

Ay,
 
Have you checked that both firewalls' times are very close - within 10s of each other?
 
Derin
-----Original Message-----
From: Alan Yeow [mailto:[EMAIL PROTECTED]]
Sent: Tue 17/12/2002 06:56
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10

Mell,

We did check the sync for both fws and both seem to be up.
#cphaprob state

Ran tcpdumps on both sides of the fws and both seem to have I/O
on the sync interfaces.

Nokia Resolution - 3636
Said that it's a known issue and gave some solution to it, but to
no avail. Cold start & link delay recogz didn't help either.

FTP is still having problems failing back from Sec to Primary.
Anyhow, we will check out the fw ctl pstat and look at the connx
tables.

Thanks
Ay

----- Original Message -----
From: "Mellor, Derin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 12, 2002 4:40 PM
Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10


> Have you checked whether the CP Sync is operational?
>
> fw ctl pstat
>
> Reports the current state of the sync process. This should report
> both incoming and outgoing packets at both firewalls.
>
> Better still, look in the connection table for the ftp command and
> data sessions at both firewalls.
>
> Derin
>
>
> -----Original Message-----
> From: Alan Yeow [mailto:[EMAIL PROTECTED]]
> Sent: 12 December 2002 02:13
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10
>
>
> Mell,
>
> This is not a cold reboot. We did a test by running FTP thru the primary
> and pulled out the cable so that it fails over to secondary (which it
> did in 4 secs) but when we plugged the cable back in the primary again,
> it took approx 20 secs to failback from secondary to primary and FTP
> stops.
>
> Failover from Master to Secondary - 4 secs
> Failover from Secondary back to Primary - 20 secs or more
>
> Well, we did try the cold start delay (30, 60, 120 secs) but it didn't work
> though. Anyhow, we will try again. There's a resolution from Nokia on
> this and we tried it but couldn't get it to solve the problem.
>
> Any other config that we should try?
>
> Thank you.
> Ay
>
> ----- Original Message -----
> From: "Mellor, Derin" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, December 10, 2002 3:23 PM
> Subject: Re: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10
>
>
> > Is this a cold reboot?
> >
> > VRRP is fairly slow recovering, ~20s.
> >
> > If the Master recovers, VRRP will immediately switch all sessions to
> > flow through the Master. This can cause problems as CP might not have
> > finished installing (i.e. it has the default filter loaded,
> > synchronization of connection table is not complete).
> >
> > The effect is that existing connections move back to the Master. Until
> > the correct security policy and synchronization is loaded the packets
> > will be at best dropped. Normally, once CP is fully initialized and
> > synchronized the sessions continue - this will cause a glitch and
> > possibly dump connections.
> >
> > From my testing it could take ~45s for CP to initialize and
> > synchronize connection tables. To solve this problem you need to hold
> > VRRP. In the VRRP configuration page configure VRRP Cold Start Delay
> > to 60s (this will ensure that CP initializes and synchronizes). This
> > effectively delays VRRP from starting for the specified time period.
> >
> > Assuming this is your issue, the recovery should be seamless.
> >
> > Hope this is of use.
> >
> > Derin
> >
> >
> >
> > -----Original Message-----
> > From: Alan Yeow [mailto:[EMAIL PROTECTED]]
> > Sent: 09 December 2002 07:34
> > To: [EMAIL PROTECTED]
> > Subject: [FW-1] VRRP - NGFP 2 and IPSO3.5fcs10
> >
> >
> > Hello all,
> >
> > Anyone experienced problems when secondary fails back to primary fw?
> >
> > Problem is, it takes 15-30 seconds to failback from secondary to
> > primary. Secondly, after failing back from secondary to primary,
> > existing FTP connections never continue.
> >
> >
> > Here's a brief scenario on what's going on
> > =================================================
> > 1. VRRP alone on Nokia is working fine.
> > 2. Primary fails over to secondary is working fine.
> >     - Primary is able to fail to secondary within 2-4 timeouts
> >     - Ping continues with only 2-4 timeouts
> >     - FTP stops for a fraction of time and it's able to continue
> >
> > BUT
> >
> > 3. When failing back from secondary to primary it takes approx
> >     15 - 30 request timeouts.
> >     - Ping session stops with 15-30 timeouts before replies come in
> >     - FTP stops and never resumes connection even after the ping replies.
> >        (that means users will need to reconnect and download again)
> >
> >
> > Any ideas or solutions to this?
> >
> > Thanks
> > Alan
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================