Hi listers,

Does anyone know how we can solve the following problems?

We have very serious problems with ISAKMP negotiation. Exactly this:

Solution: Error message in the fwd log: "ISAKMP AddNegotiation: try to handle too many negotiations". (10022.0.1516123.2462934) No solution is currently available. Issue is under investigation.
                                
Workaround 1:
In FireWall-1 4.0.
Do not select PFS (Perfect Forward Secrecy) in the Properties of the action Encrypt. This will reduce the amount of time FireWall-1 calculates the ISAKMP and IPSEC SAs.
                                
Workaround 2:
Upgrade to FireWall-1 4.1. Configure your FireWall to do a Phase II negotiation per subnet, not per host; this will reduce the number of Phase II negotiations.
                                
Problem Description: Error message in the fwd log: "ISAKMP AddNegotiation: try to handle too many negotiations". Limited number of concurrent ISAKMP negotiations.
                                
Workaround 2 - how do we do this? Answer from the knowledgebase (is it the right answer?):

Solution: Does FireWall-1 support subnet-based SA? (55.0.10312405.2795840) FireWall-1 Version 4.1 and later supports subnet based SA.
To enable it, check the "Support key exchanges for subnets" option in the Advanced IKE Properties window.
Note: To establish a VPN with another vendor's device, the necessary settings must be configured on that device as well.
We made these settings a month ago!

Today I got a customer call: nobody was able to communicate through the firewall using VPN channels.
The firewall showed the same error message "ISAKMP AddNegotiation: try to handle too many negotiations".

They rebooted the firewall, no change. (See attached event log file.)
About 20 minutes after the reboot, 80% of the clients were able to communicate through the FW. 20% were not.

I went to the customer premises and found the "ISAKMP error" and the following new error message in the Application log (OS: Windows NT4):

        Negotiations::DeleteExpired: 

Thank you for any ideas.

Met vriendelijke groeten - Bien a vous - Kind regards

Guy ROELANDTS
EMEA GS Internet Expertise Centre
Compaq Software Engineer - Belgium
E-mail : [EMAIL PROTECTED]
Tel: +32(02)729.77.44 (options  3 - 3 - 1)
Fax: +32(02)729.77.65
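
Added example, not part of the original post or of Check Point's documentation: a simplified model of Workaround 2 that counts the Phase II negotiations needed for the same traffic with per-host and with per-subnet key exchange. The encryption domains, addresses and flow list are constructed, and the model assumes one Phase II negotiation per distinct selector pair.

```python
import ipaddress
from itertools import product

# Constructed encryption domains (assumption, not taken from the post).
LOCAL_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24"]
PEER_DOMAIN = ["192.168.10.0/24"]


def containing_subnet(ip, domain):
    """Return the subnet of `domain` that contains `ip`, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for net in map(ipaddress.ip_network, domain):
        if addr in net:
            return net
    return None


def phase2_negotiations(flows, local_domain, peer_domain):
    """Count distinct Phase II selectors needed for `flows`.

    Returns (per_host, per_subnet). Flows with an endpoint outside the
    encryption domains are not encrypted and are ignored.
    """
    host_pairs, subnet_pairs = set(), set()
    for src, dst in flows:
        s_net = containing_subnet(src, local_domain)
        d_net = containing_subnet(dst, peer_domain)
        if s_net is None or d_net is None:
            continue
        host_pairs.add((src, dst))        # one selector per host pair
        subnet_pairs.add((s_net, d_net))  # one selector per subnet pair
    return len(host_pairs), len(subnet_pairs)


def sample_flows():
    """Constructed traffic: 40 clients in each local subnet reach 3 peer servers."""
    clients = [f"10.1.{n}.{h}" for n in (0, 1) for h in range(10, 50)]
    servers = [f"192.168.10.{h}" for h in (5, 6, 7)]
    flows = list(product(clients, servers))
    flows.append(("172.16.0.9", "192.168.10.5"))  # outside the local domain
    return flows


if __name__ == "__main__":
    per_host, per_subnet = phase2_negotiations(sample_flows(), LOCAL_DOMAIN, PEER_DOMAIN)
    print(f"per-host Phase II negotiations:   {per_host}")
    print(f"per-subnet Phase II negotiations: {per_subnet}")
```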


