That's identical to my issues with these adapters. 3 out of 4 cards fail
and exhibit erratic behavior. The cards work after the installer inserts
the module (in Solaris). Once they're bounced (fw accel on|off), however,
they no longer work. The technically savvy at ISS claim a high failure
rate of these adapters to be commonplace.
They report all sorts of odd drops in the log viewer as well:
-snip-
8:39:22 drop <MY-FW> >daemon proto 206 src 147.248.242.113 dst 69.0.0.60 rule 0 decryption failure: VPN-1 Accelerator Card reports error scheme: IKE
-snip-
The interesting thing is that neither address is associated with the
firewall and no traffic to either should be passing through. I am unable
to capture this traffic on the wire, though.
Peter Lukas
On Mon, 27 Nov 2000, Chilton Tim wrote:
> Hmm,
>
> I'm also having problems with these cards on NT4, SP6a.
> I have 10 cards in total and of the 3 I'm using so far, two have failed
> (both ends of a VPN - which took a while to diagnose ... :-< )
>
> I too see the same _reset errors in the event logs plus a slew of other
> errors including
>
> Resource reporting problem E0000211
> _reset: elapsed =546 msec
> _do_smachine : Device error
> _tx: Token window lost sync
>
> then after a while
> _do_smachine : too many errors, disabling device
>
> The thing to do is to turn the accelerator card off with "fw accel off"
> then run a "lunadiag" - mine all fail on test 3 (i.e. the first card-related
> test) with an access violation error on NT
>
> Replacing the cards or turning off the driver restores comms between the
> firewalls - so it's fairly easy to diagnose - once you've been burned once.
>
> I'm currently getting replacement cards from Chrysalis via Checkpoint -
> since they supplied them - I'm taking bets on the timeframe side of things
> if anyone's interested ;-]
>
> Hope this helps
>
> Cheers
>
> Tim
>
> -----Original Message-----
> From: Peter Lukas [mailto:[EMAIL PROTECTED]]
> Sent: 13 November 2000 16:33
> To: [EMAIL PROTECTED]
> Subject: [W1] Chrysalis-ITS and CheckPoint 2000 SP2
>
>
>
> Greetings,
>
> Does the Luna VPN adapter (VPN-1 Accelerator) function reliably on a
> Solaris 2.7 CPfw1-41 SP2? I've been able to get them "almost" functional
> under SP1 and SP2, but have observed some strange behavior. For example,
> the card will attempt to initialize and dump errors, but the firewall
> logger reports a dropped packet to/from an IANA reserved address to a
> random Internet address.
>
> I initially suspected the adapter to have been malfunctioning, but am able
> to duplicate the problem on other systems/adapters. Has anyone else
> observed this? Is anyone else running 2000 SP2 with the VPN-1
> Accelerator on Solaris? VPN works fine with the adapter disabled, by the
> way...
>
> For those interested, a more technical review of the problem, as well as
> some troubleshooting and logging information appears below.
>
> Regards,
>
> Peter Lukas
>
> - Technical Review -
> Hardware:
> * Sun Netra t1125 (UltraSPARC-IIi 440, 256MB, 2x18.1GB LVD, Sun QFE)
> * Luna VPN-1 Card (Firmware revision 1.43.1.5.1.24. Luna(TM)VPN 1.29.2)
>
> Software:
> * Solaris 2.7 (5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-60)
> * CheckPoint 2000 Service Pack 2 (Version 4.1 Build 41716)
> * VPN-1 Accelerator Card Add-On ((sun4u) 3.10)
> * StoneBeat High Availability (3.1.5)
>
> Problem:
> The adapter fails to initialize and reports errors to the system
> logger. The lunadiag utility fails to properly diagnose the adapter
> resulting in a core dump.
>
> Troubleshooting:
> I have an identical system with identical software and the VPN-1
> encryption adapter works with no problems. I have swapped the suspect
> VPN-1 adapter with another (working) adapter and the `lunadiag` reported
> the adapter to function correctly (passed all tests). After the system
> was rebooted, however, the VPN adapter no longer worked and exhibited the
> same behavior as the initial malfunctioning card. The adapters exhibited
> the same behavior before Service Pack 2 was applied to the system as
> well.
>
> What's even more strange is that when the encryption fails, the adapter
> initiates a connection to two addresses that are in no way associated with
> this firewall, let alone this organization. In the log provided, you can
> see the firewall daemon dropping the authentication header with a source
> of 231.107.233.149 (University of Southern California) and a destination
> of 69.0.0.40 (IANA -Reserved). Neither address should appear on this
> device. The addresses will change from time to time, too. In any case,
> this does not appear normal. I've snooped the interfaces during this
> failure and observed that the traffic does not appear on the interfaces,
> however.
>
> fw log:
> 8:29:08 drop <my-fw> >daemon proto ah src 231.107.233.149 dst 69.0.0.40 rule 0 decryption failure: VPN-1 Accelerator Card reports error scheme: IKE
> # Neither address above is associated with this firewall/network.
>
> /var/adm/messages:
> Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: token window lost sync
> Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: dualport: hwwl/hwrl = 4000000/0000, twwl/twrl = 0000/0000
> Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: driver: hwwl/hwrl = 4000000/0000, twwl/twrl = 0000/0000
> Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _do_smachine: device error
> Nov 10 12:14:44 <my-fw> unix: luna0: ------ Firmware Messages Begin -----
> Nov 10 12:14:44 <my-fw> unix: Firmware revision 1.43.1.5.1.24. Luna(TM)VPN 1.29.2
> Nov 10 12:14:44 <my-fw> File:D:\Projects\firmware\LunaPCI-IF2\source\luna2\main_mod\main.c
> Nov 10 12:14:44 <my-fw> Date:Sep 28 1999
> Nov 10 12:14:44 <my-fw> Time14:24:33
> Nov 10 12:14:44 <my-fw> Performing initialization...
> Nov 10 12:14:44 <my-fw> Zeroized token
> Nov 10 12:14:44 <my-fw> Set TPV to 4003004A
> Nov 10 12:14:44 <my-fw> Save label LunaVPN BETA Token
> Nov 10 12:14:44 <my-fw> Performed special init token: 0.
> Nov 10 12:14:44 <my-fw> Initialization Complete.
> Nov 10 12:14:44 <my-fw> input queue offset=0x4000000 too big
> Nov 10 12:14:44 <my-fw> CL_FatalError(0x300203)
> Nov 10 12:14:44 <my-fw> unix: luna0: ------ Firmware Messages End -----
> Nov 10 12:14:44 <my-fw> unix: luna0: _reset: elapsed = 640 msec
>
> # fw accel stat -l:
> FW-1: VPN-1 Accelerator Card started
> Number of initialization errors: 0
> Number of processing errors: 10
> Number of ESP valid contexts: 1
> Number of AH valid contexts: 0
> Number of packets queued to the card: 0
> High water mark of number of packets in queue: 1
>
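Below is an added triage helper, not code from this thread or from Check Point/Chrysalis. It parses the two log shapes quoted above (the fw log "drop ... rule 0 decryption failure: VPN-1 Accelerator Card reports error" lines and the luna0 warnings in /var/adm/messages), flags accelerator-attributed drops whose addresses are multicast, fall in 69/8 (IANA-reserved at the time of the thread), or lie outside a placeholder list of the gateway's own networks, and counts driver resets and the "too many errors, disabling device" event so the drops can be correlated with a card reset. The sample log lines are constructed from the quoted text; KNOWN_NETS and the 69/8 reservation are assumptions.

```python
"""Triage helper for the VPN-1 Accelerator (Luna) symptoms in this thread.

Added example, not code from the thread or from Check Point/Chrysalis.
All sample lines are constructed from the text quoted in the thread;
KNOWN_NETS and the 69/8 reservation check are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: fw log lines as quoted in the thread, plus one normal
# accept line so the filter has something to ignore.
FW_LOG = """\
8:29:08 drop <my-fw> >daemon proto ah src 231.107.233.149 dst 69.0.0.40 rule 0 decryption failure: VPN-1 Accelerator Card reports error scheme: IKE
8:39:22 drop <MY-FW> >daemon proto 206 src 147.248.242.113 dst 69.0.0.60 rule 0 decryption failure: VPN-1 Accelerator Card reports error scheme: IKE
8:40:01 accept <my-fw> >qfe0 proto esp src 192.0.2.10 dst 198.51.100.20 rule 5
"""

# Constructed sample: /var/adm/messages lines as quoted in the thread.
SYSLOG = """\
Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _tx: token window lost sync
Nov 10 12:14:44 <my-fw> unix: WARNING: luna0: _do_smachine: device error
Nov 10 12:14:44 <my-fw> unix: luna0: _reset: elapsed = 640 msec
Nov 10 12:16:02 <my-fw> unix: WARNING: luna0: _do_smachine: too many errors, disabling device
"""

# Assumption: networks this gateway legitimately terminates VPN traffic for.
KNOWN_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]

FW_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>\w+)\s+(?P<host>\S+)\s+>(?P<iface>\S+)\s+"
    r"proto\s+(?P<proto>\S+)\s+src\s+(?P<src>\S+)\s+dst\s+(?P<dst>\S+)\s+"
    r"rule\s+(?P<rule>\d+)(?:\s+(?P<reason>.*))?$"
)
LUNA_RE = re.compile(r"luna(?P<unit>\d+): (?P<func>_\w+):\s*(?P<msg>.*)$")


def parse_fw_log(text):
    """Return one dict per line that matches the fw log shape above."""
    return [m.groupdict() for m in
            (FW_RE.match(l.strip()) for l in text.splitlines()) if m]


def address_flags(addr):
    """Reasons an address should not appear in a VPN drop on this gateway."""
    ip = ipaddress.ip_address(addr)
    flags = []
    if ip.is_multicast:                       # 224/4: never a VPN peer
        flags.append("multicast")
    # Assumption: 69/8 was IANA-reserved in Nov 2000; a hard-coded check,
    # not a live registry lookup.
    if ip in ipaddress.ip_network("69.0.0.0/8"):
        flags.append("iana-reserved-2000")
    if not any(ip in n for n in KNOWN_NETS):
        flags.append("not-a-known-net")
    return flags


def accelerator_drops(text):
    """Drops the card itself attributed to an error, with address oddities."""
    hits = []
    for rec in parse_fw_log(text):
        reason = rec.get("reason") or ""
        if rec["action"] != "drop" or "Accelerator Card" not in reason:
            continue
        hits.append({"time": rec["time"], "proto": rec["proto"],
                     "src": rec["src"], "src_flags": address_flags(rec["src"]),
                     "dst": rec["dst"], "dst_flags": address_flags(rec["dst"]),
                     "rule": int(rec["rule"])})
    return hits


def luna_events(text):
    """Count luna driver messages by function; report if the device got disabled."""
    counts, disabled = Counter(), False
    for line in text.splitlines():
        m = LUNA_RE.search(line)
        if not m:
            continue
        counts[m.group("func")] += 1
        if "disabling device" in m.group("msg"):
            disabled = True
    return counts, disabled


def summarize(fw_text, sys_text):
    """One-screen summary to decide whether to bounce or pull the card."""
    drops = accelerator_drops(fw_text)
    counts, disabled = luna_events(sys_text)
    return {"accel_drops": len(drops),
            "rule0_drops": sum(1 for d in drops if d["rule"] == 0),
            "odd_address_drops": sum(1 for d in drops
                                     if d["src_flags"] or d["dst_flags"]),
            "resets": counts["_reset"],
            "device_disabled": disabled}


if __name__ == "__main__":
    for d in accelerator_drops(FW_LOG):
        print(d)
    print(summarize(FW_LOG, SYSLOG))
```

Replace the two constants with an `fw log` export and the messages file to run it against a real gateway; every accelerator drop on rule 0 whose addresses carry a flag is the symptom the thread describes, and a non-zero reset count or a disabled device in the same window points at the card rather than the peer.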
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================