#6
2006-10-04
fazrul (Junior Member)

Re: Checkpoint not logging to SmartCenter Server

Hi,
I tested as you mentioned. The TCP port 257 is running on the SmartCenter server (also a VPN-1 Express). However, there was no traffic from the enforcement module to the SmartCenter on port 257. So I tried cpstop and cpstart. Here is the result that I got, which was interesting:

On the enforcement module:

Fetching Security Policy from: 192.168.0.111
Reason: TCP connectivity failure (port=18191)(IP=192.168.0.111)[Error 10]
Policy Fetch Failed
Failed to fetch policy from masters in masters file at this point

Question: Why is the enforcement module fetching its security policy from 192.168.0.111?

Here is a better description of our devices:

Unit 1 (VPN-1 Express and Smart Center)
eth0: 172.16.12.250
eth3: 192.168.0.111 (connected to router for Internet access)

Unit 2 (VPN-1 Express)
eth0: 172.16.11.250
eth1: 192.168.10.20

eth0 of both devices is connected via a router.

172.16.11.250---172.16.11.254/172.16.12.254---172.16.12.250

So all communication between these 2 devices takes place between these 2 interfaces (172.16.11.250 and 172.16.12.250). All rules are pushed from the SmartCenter to the enforcement module using this connection.

So going back to the error message that I got when I stopped and started the services, the question is: Why is the enforcement module looking for 192.168.0.111 when it should be looking for 172.16.12.250?

At this moment, to temporarily overcome this logging issue, I have added a static route on the enforcement module so that it can communicate with the WAN interface of the SmartCenter server (192.168.0.111), and it is now able to push all of its logs to the master unit. But is there any way for me to force the enforcement module to fetch its security policy from 172.16.12.250 (I want it to push all the logs to 172.16.12.250)?

Anyway, thanks a lot, as your advice did help me solve this issue somewhat.
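The check the thread keeps coming back to is whether the module can reach the SmartCenter on the log port (257) and the policy-fetch port (18191), and on which of the SmartCenter's two interfaces. Here is an added example (not from the thread or from Check Point) that probes both ports on both addresses from the post's topology and flags the case where only the WAN side answers; the address labels and the `probe_management_paths` / `unexpected_paths` helper names are this example's own, and the `connect` parameter exists so the probe can be swapped for a stub when testing offline.

```python
import socket
from typing import Callable, Dict, List

# Check Point ports discussed in the thread: 257 carries logs from the
# module to the management server, 18191 is used for the policy fetch.
LOG_PORT = 257
POLICY_FETCH_PORT = 18191

# SmartCenter (Unit 1) interfaces as described in the post. The module is
# expected to use eth0; reaching eth3 only is the symptom being debugged.
SMARTCENTER_ADDRESSES = {
    "eth0 (internal, expected)": "172.16.12.250",
    "eth3 (WAN, unexpected)": "192.168.0.111",
}
EXPECTED_LABEL = "eth0 (internal, expected)"


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_management_paths(
    addresses: Dict[str, str],
    connect: Callable[[str, int], bool] = tcp_connect,
) -> Dict[str, Dict[int, bool]]:
    """Probe each SmartCenter address on the log and policy-fetch ports.

    Returns {label: {port: reachable}} so the admin can see which interface
    the module can actually reach before adding routes as a workaround.
    """
    return {
        label: {port: connect(ip, port) for port in (LOG_PORT, POLICY_FETCH_PORT)}
        for label, ip in addresses.items()
    }


def unexpected_paths(results: Dict[str, Dict[int, bool]], expected: str) -> List[str]:
    """Interfaces other than the expected one that answer on any probed port."""
    return sorted(
        label for label, ports in results.items()
        if label != expected and any(ports.values())
    )


if __name__ == "__main__":
    results = probe_management_paths(SMARTCENTER_ADDRESSES)
    for label, ports in results.items():
        print(label, {p: ("open" if ok else "closed") for p, ok in ports.items()})
    print("reachable only via unexpected interface:", unexpected_paths(results, EXPECTED_LABEL))
```

Run it on the enforcement module; if eth0 of the SmartCenter shows both ports closed while eth3 shows them open, the module's path to the management server is the WAN interface, which matches the policy-fetch error in the post.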