CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

  #1 (permalink)  
Old 2007-03-09
Member
 
Join Date: 2007-03-08
Posts: 92
Rep Power: 2
Spacetrucker has an average reputation (10+)
Default Splat R60 HFA03 upgrade to HFA04 or 05 breaks vpn, need help asap?

VPN works fine before the upgrade. Once I upgrade and try to connect using SecuRemote I get this message: "Gateway not responding". This is a single Splat server with the enforcement and management modules on the server.

Suggestions on how to resolve this problem? Anyone else having problems with HFA04 or 05 breaking things in this type of setup?
Reply With Quote
  #2 (permalink)  
Old 2007-03-09
Junior Member
 
Join Date: 2006-09-29
Posts: 17
Rep Power: 0
hono222 has an average reputation (10+)
Default Re: Splat R60 HFA03 upgrade to HFA04 or 05 breaks vpn, need help asap?

What kind of router is on the client side?
Reply With Quote
  #3 (permalink)  
Old 2007-03-10
Member
 
Join Date: 2007-03-08
Posts: 92
Rep Power: 2
Spacetrucker has an average reputation (10+)
Default Re: Splat R60 HFA03 upgrade to HFA04 or 05 breaks vpn, need help asap?

On the connection I'm using to test this out it's probably a Linksys. I can find out on Monday. But the problem is not isolated to a single location. I have end users in many other locations, some in the States, others outside the States, and they all have the same problem. Everybody gets this message. I've searched in the CPUG forums and I've found a lot of posts with this message. So I'm not the only one with the problem. After reading the other posts, I consider myself lucky that it works at all. Doesn't seem to matter what version you're running. What's the router have to do with it?
Reply With Quote
  #4 (permalink)  
Old 2007-03-10
Senior Member
 
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 909
Rep Power: 3
RayPesek has an average reputation (10+)
Default Re: Splat R60 HFA03 upgrade to HFA04 or 05 breaks vpn, need help asap?

Does the firewall object in SmartCenter have the internal IP or the external? It should be the external IP.

Ray
Reply With Quote
  #5 (permalink)  
Old 2007-03-10
Member
 
Join Date: 2007-03-08
Posts: 92
Rep Power: 2
Spacetrucker has an average reputation (10+)
Default Re: Splat R60 HFA03 upgrade to HFA04 or 05 breaks vpn, need help asap?

I'm pretty sure it's external. I just had to upgrade the license and it was tied to the external address. For clarification's sake, I see some folks refer to the gateway object and I see others refer to the firewall object. But isn't this object one and the same when you have just one instance of FW1 running on a single server? And this firewall object has two interfaces: eth0, which has the external public address assigned to it, and eth1, which has the internal private address assigned to it. So I'm a bit confused by your question asking which IP address is assigned to it. I don't have any experience with Check Point FW1 beyond it running on a single server.

Sunday: OK, I understand it's the gateway object. Bit of egg on my face, I actually had to log in to see the proper name of the object. But it does have the external address assigned to it.

Last edited by Spacetrucker; 2007-03-11 at 07:55. Reason: I understand the question a bit better now.
Reply With Quote
  #6 (permalink)  
Old 2007-03-11
Senior Member
 
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 909
Rep Power: 3
RayPesek has an average reputation (10+)
Default Re: Splat R60 HFA03 upgrade to HFA04 or 05 breaks vpn, need help asap?

Egg on your face? Congratulations, you have just joined the club! :-)

Are you using Implied Rules? If so, are you logging them? (The default is to not log them, for whatever reason.) This is found in the Global Policy settings.

Use SmartView Tracker and see what is coming in from the IP address of the client. That should give you a good clue as to what is wrong.

What do you have set for topology updates? I think the default is something way high. I have mine set to one hour.

To answer your first question, no, I don't know of the HFAs breaking anything related to SecuRemote. What version of SecuRemote are you using?

On your test computer, look at userc.C with Notepad. This is the configuration file. You might be able to see that something is wrong in it, like it's trying to connect to the wrong interface.

Try deleting the site from SecuRemote and see if recreating it fixes the issue.

Ray
Reply With Quote
  #7 (permalink)  
Old 2007-03-14
Member
 
Join Date: 2007-03-08
Posts: 92
Rep Power: 2
Spacetrucker has an average reputation (10+)
Default Re: Splat R60 HFA03 upgrade to HFA04 or 05 breaks vpn, need help asap?

We are logging implied rules.
Topology updates is still the default setting of 168 hours.
userc.C appears to be correct.
Deleting and recreating the site didn't change the outcome.
Keep in mind, it's only after HFA04 is applied that the gateway does not respond.
Thanks for your help.
Reply With Quote
  #8 (permalink)  
Old 2007-03-14
Senior Member
 
Join Date: 2006-01-26
Location: Moscow, Russia
Posts: 706
Rep Power: 3
kva.kva has an average reputation (10+)
Default Re: Splat R60 HFA03 upgrade to HFA04 or 05 breaks vpn, need help asap?

Does SmartView Tracker show any errors in the VPN query, for example?
Also, first, you should monitor packets with a sniffer (Ethereal, Wireshark...) on the client side. Make sure that packets from the client are sent to the external IP of the firewall module.
Reply With Quote
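The client-side capture check suggested in posts #4 and #8, as an added example that is not part of the original thread: it reads tcpdump-style text lines and reports VPN-related packets that the client sent to anything other than the gateway's external IP, or that the gateway never answered. The addresses, the constructed capture lines, and the port list (TCP 264 topology download, port 500 IKE, UDP 2746 encapsulation, as commonly documented for Check Point remote access) are assumptions, not values from the posts.

```python
import re
from collections import defaultdict

# Assumed ports of interest for SecuRemote traffic (not stated in the thread).
VPN_PORTS = {264: "topology download", 500: "IKE", 2746: "UDP encapsulation"}

# Matches the "IP src.sport > dst.dport:" part of `tcpdump -nn` text output.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample capture taken on the client (documentation addresses).
CLIENT_IP = "192.168.1.50"
GATEWAY_EXTERNAL_IP = "203.0.113.10"
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 192.168.1.50.1045 > 203.0.113.10.264: Flags [S], length 0",
    "12:00:01.020001 IP 203.0.113.10.264 > 192.168.1.50.1045: Flags [S.], length 0",
    "12:00:02.000001 IP 192.168.1.50.1046 > 192.168.1.1.53: 1+ A? example.com. (29)",
    "12:00:03.000001 IP 192.168.1.50.500 > 10.1.1.1.500: isakmp: phase 1 I ident",
    "12:00:06.000001 IP 192.168.1.50.500 > 10.1.1.1.500: isakmp: phase 1 I ident",
    "12:00:09.000001 IP 192.168.1.50.2746 > 203.0.113.10.2746: UDP, length 120",
]

def audit_capture(lines, client_ip, gateway_external_ip):
    """Return (destination, port, problem) tuples for suspicious VPN flows."""
    sent = defaultdict(int)   # (dst, dport) -> packets the client sent
    answered = set()          # (src, sport) pairs that replied to the client
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if src == client_ip and dport in VPN_PORTS:
            sent[(dst, dport)] += 1
        elif dst == client_ip and sport in VPN_PORTS:
            answered.add((src, sport))
    findings = []
    for (dst, port), _count in sorted(sent.items()):
        if dst != gateway_external_ip:
            # Client is targeting some other address, e.g. an internal interface.
            findings.append((dst, port, "wrong destination"))
        elif (dst, port) not in answered:
            # Right address, but nothing came back ("Gateway not responding").
            findings.append((dst, port, "no reply"))
    return findings

if __name__ == "__main__":
    for dst, port, problem in audit_capture(SAMPLE_CAPTURE, CLIENT_IP, GATEWAY_EXTERNAL_IP):
        print(f"{VPN_PORTS[port]} to {dst}:{port} -> {problem}")
```

A "wrong destination" result points at the topology the client downloaded; a "no reply" result points at the gateway or something in the path dropping the traffic.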
  #9 (permalink)  
Old 2007-03-27
Junior Member
 
Join Date: 2006-04-28
Posts: 12
Rep Power: 0
ziriy has an average reputation (10+)
Default Re: Splat R60 HFA03 upgrade to HFA04 or 05 breaks vpn, need help asap?

We have had some problems with VPN after upgrading from HFA03 to HFA04 and R62.
VPN doesn't work; problems like VPN error codes 02, 01, 03, no response from peer, and many, many others.
So finally VPN works, but in each case it was a different solution. (Sometimes 1 helps, sometimes 2 or 3, and sometimes 4.)
1. Try just resetting the VPN community in SmartView Monitor.
2. Try resetting the VPN certificates on all objects in the community.
3. Try resetting SIC.
4. Try creating a new VPN community and, after policy install, resetting the VPN community in SmartView Tracker.
Reply With Quote