RE: [fw1-wizards] SecureRemote problem after IP address change of Firewall
Hi,
One problem I have seen is if you have a secondary IP address on the external interface of the firewall.
The negotiation starts off on the correct IP addresses, the client gets the topology from the server and then tries to connect to the wrong address, which it gets from the topology info.
I have also seen this in NG: if you configure more than one external interface where e.g. one of the interfaces has an unreachable (illegal) IP address, then the negotiation can fail when the client tries to connect to the unreachable IP address.
I would try the following:
- if you can, try to snoop packets on the client side. You will first get communication on TCP port 264 that will work, then it will try communication on UDP port 500; if my suggestion is true, these packets will try to go to the wrong IP address.
- you can also try the snoop on the server side, and if you see the TCP 264 and then maybe only one UDP 500 packet (if any), my suggestion might be true. Also look here at what the firewall uses as a source address in the communication - it might be using the secondary IP??
Regards,
Arnor Arnason
EJS
Iceland
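[Editor's note, added to this archived thread: the check Arnor describes above (topology download on TCP 264 succeeds, then IKE on UDP 500 goes to a different address, or the gateway answers from a different address) can be automated against a client-side or gateway-side capture. The script below is an added example, not code from the original post or from Check Point's tooling. It assumes `tcpdump -n` style output lines (numeric addresses, no hostname resolution; Solaris `snoop` prints a different format and would need its own regex), and the capture lines and addresses in it are constructed for the example using RFC 5737 documentation ranges.]

```python
import re

FW1_TOPO_PORT = 264   # TCP: SecuRemote/SecureClient topology download
IKE_PORT = 500        # UDP: ISAKMP/IKE key exchange

# Matches the address/port part of a "tcpdump -n" IPv4 line, e.g.
#   "12:01:00.100 IP 192.0.2.10.1042 > 203.0.113.10.264: S ..."
# Assumption: four dotted octets followed by ".port" on both sides.
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def parse_flows(lines):
    """Yield (src, sport, dst, dport) for every line that parses."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def analyze_capture(lines):
    """Compare where the client fetched the topology from (TCP 264)
    with where it then sends IKE (UDP 500) and who answers."""
    client = topo_server = None
    ike_targets, ike_replies = [], []
    for src, sport, dst, dport in parse_flows(lines):
        if dport == FW1_TOPO_PORT and topo_server is None:
            # First topology connection defines the client and the gateway
            # address the client believes it is talking to.
            client, topo_server = src, dst
        elif client is not None and dport == IKE_PORT and src == client:
            if dst not in ike_targets:          # dedupe retransmits
                ike_targets.append(dst)
        elif client is not None and sport == IKE_PORT and dst == client:
            if src not in ike_replies:
                ike_replies.append(src)

    wrong_targets = [t for t in ike_targets if t != topo_server]
    odd_replies = [r for r in ike_replies if r != topo_server]
    if topo_server is None:
        verdict = "no topology download seen"
    elif wrong_targets:
        verdict = "IKE sent to %s, not to topology server %s" % (
            ", ".join(wrong_targets), topo_server)
    elif odd_replies:
        verdict = "IKE reply came from %s, not from %s (gateway sourcing from another interface?)" % (
            ", ".join(odd_replies), topo_server)
    elif not ike_replies:
        verdict = "IKE sent to %s but no reply seen" % topo_server
    else:
        verdict = "ok"
    return {
        "client": client,
        "topo_server": topo_server,
        "ike_targets": ike_targets,
        "wrong_ike_targets": wrong_targets,
        "ike_replies": ike_replies,
        "verdict": verdict,
    }


# Constructed sample: topology comes from 203.0.113.10, but the topology
# data points the client at a secondary address 203.0.113.11 for IKE,
# which never answers.
BAD_CAPTURE = [
    "12:01:00.100 IP 192.0.2.10.1042 > 203.0.113.10.264: S 1:1(0) win 16384",
    "12:01:00.130 IP 203.0.113.10.264 > 192.0.2.10.1042: S 9:9(0) ack 2 win 8760",
    "12:01:00.200 IP 192.0.2.10.1042 > 203.0.113.10.264: P 1:33(32) ack 1",
    "12:01:01.000 IP 192.0.2.10.500 > 203.0.113.11.500: isakmp: phase 1 I ident",
    "12:01:03.000 IP 192.0.2.10.500 > 203.0.113.11.500: isakmp: phase 1 I ident",
]

# Constructed sample of a healthy exchange for comparison.
GOOD_CAPTURE = [
    "12:05:00.100 IP 192.0.2.10.1043 > 203.0.113.10.264: S 1:1(0) win 16384",
    "12:05:00.130 IP 203.0.113.10.264 > 192.0.2.10.1043: S 9:9(0) ack 2 win 8760",
    "12:05:01.000 IP 192.0.2.10.500 > 203.0.113.10.500: isakmp: phase 1 I ident",
    "12:05:01.050 IP 203.0.113.10.500 > 192.0.2.10.500: isakmp: phase 1 R ident",
]

if __name__ == "__main__":
    for name, cap in (("bad", BAD_CAPTURE), ("good", GOOD_CAPTURE)):
        print(name, analyze_capture(cap)["verdict"])
```

Run it against `tcpdump -n -i <iface> 'tcp port 264 or udp port 500'` output saved to a file (feed the lines to `analyze_capture`); the same function works on a gateway-side capture, where a reply source that differs from the topology address is the symptom Arnor mentions last.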
-----Original Message-----
From: Bob Hemedinger [mailto:rhemedinger@xxxxxxxxx]
Sent: 26. desember 2002 13:22
To: juan.concepcion@xxxxxxxxxxxx; fw1-wizards@xxxxxxxxxxxx
Subject: RE: [fw1-wizards] SecureRemote problem after IP address change of Firewall
Yes, we tried that also.
Someone has suggested that perhaps the new ISP is
blocking ports that my securemote users need to
access the foreign office, but nothing beyond that.
Does anyone have any thoughts about this possibility?
--- Juan Concepcion <juan.concepcion@xxxxxxxxxxxx>
wrote:
> Don't know if this has been answered but by your
> description did you
> have the users recreate the site?
>
> -----Original Message-----
> From: Assalone, John
> [mailto:John.Assalone@xxxxxxxxx]
> Sent: Friday, December 20, 2002 8:31 PM
> To: Bob Hemedinger; fw1-wizards@xxxxxxxxxxxx
> Subject: RE: [fw1-wizards] SecureRemote problem
> after IP address change
> of Firewall
>
>
> Have the users downloaded updated site information
> since the reconfig?
>
> -john
>
> -----Original Message-----
> From: Bob Hemedinger [mailto:rhemedinger@xxxxxxxxx]
> Sent: Friday, December 20, 2002 4:24 PM
> To: fw1-wizards@xxxxxxxxxxxx
> Subject: [fw1-wizards] SecureRemote problem after IP
> address change of
> Firewall
>
>
> I am having a problem authenticating to one of my
> networks after changing an IP address. My setup is
> as
> follows:
>
> Firewall (Master, Chicago) Linux 7.0
> Checkpoint 4.1 SP5
>
> Firewall (managed by Chicago, foreign location)
> Linux
> 7.0
> Checkpoint 4.1 sp5
>
> Clients: Win2K, Secure Client SP5
>
> We changed ISPs in our foreign office, so naturally
> our IP changed. We were able to successfully
> reconfigure office to office VPN connectivity by
> following the basic steps (on the foreign office FW)
> of:
>
> shutting down FW
> change IP address
> bind new license to new IP address
> fw putkeys on Chicago and foreign FW
> change foreign FW object for new IP address
> arp new hiding address of foreign FW
> restart foreign firewall
>
> Office to office communications came online without
> a
> problem, but my dial-up users have a problem. When
> they connect via securemote, they can access the
> Chicago network. However, when they attempt to
> access
> the foreign office network, securemote says that it
> is exchanging keys
> with the firewall, but several seconds later the
> message "no answer
> received from a firewall at site (Chicago external
> IP Address)" appears.
>
> Any help would be appreciated!
>
>
>
>
>
---------------------------------------------------------------------
> FireWall-1 Wizards Mailing List
> (http://www.phoneboy.com/wizards) To
> unsubscribe, e-mail:
> fw1-wizards-unsubscribe@xxxxxxxxxxxx
> For additional commands, e-mail:
> fw1-wizards-help@xxxxxxxxxxxx