CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Has anyone encountered such a thing, where the Edge cannot install policy because it's too BIG??? (I have 740 rules and 200 NATs.) The VPN tunnels won't work due to "no proposal chosen"; as you can see, I tried the clock adjustment with no good result. I am on R55 HFA20, the VPN-1 is version 7.0.48 (it had the same problem at version 6, so I tried to update the firmware... no luck there...). Lib files are updated...

Here is the log from the Edge:

00010 19Sep2007 16:47:48 Failed to install updated security policy
00009 19Sep2007 16:47:48 Error: File size too big or wrong format (size = 429585, maxSize =409599)
00008 19Sep2007 16:47:34 Failed to establish VPN Tunnel with 1.1.11.1: no proposal chosen
00007 19Sep2007 16:47:31 The clock was adjusted from 19Sep2007 16:58:39 to 19Sep2007 16:47:31

Here is the log from the tracker:

Number: 124377 Date: 19Sep2007 Time: 1:32:12 Product: VPN-1 & FireWall-1 Interface: eth0 Origin: FW-Dallas (1.1.1.2) Type: Log Action: Accept Protocol: udp Service: ISAKMP (500) Source: 1-1-1-5.static.twtelecom.net (1.1.1.5) Destination: FW-Dallas (1.1.1.2) Rule: 0 - Implied Rules Source Port: ISAKMP (500) Information: message_info: Implied rule

Number: 124401 Date: 19Sep2007 Time: 1:32:13 Product: VPN-1 & FireWall-1 Interface: daemon Origin: FW-Dallas (1.1.1.2) Type: Log Action: Reject Reject Reason: IKE failure Source: 1-1-1-5.static.twtelecom.net (1.1.1.5) Destination: FW-Dallas (1.11.1.2) Encryption Scheme: IKE VPN Peer Gateway: 1-1-1-5.static.twtelecom.net (1.1.1.5) Information: IKE: Main Mode Missing IKE configuration for peer (authentication or encryption or hash)
I'd have to say that if you're pushing a policy that size to an Edge, yes, it is way too big. Make sure the policy only installs to the Edge the rules that are relevant to the Edge device.
Is the Edge object a policy installation target in the same policy as your gateways, or did you follow Check Point's recommendation to create a new policy just for the Edge object alone? Please don't make us ask for these things; tell us what you have set up and we'll tell you what's wrong with it.
Sorry for the confusion. The Edge is in the same policy as all the other gateways. I have a SINGLE huge policy. So your recommendation is to create a new policy for the Edge devices? So there will be one policy for all the SPLATs and a second one for all the Edge devices?
That's the normal recommendation, yes. Edges have extremely limited memory and storage, so it's a good idea to make a new policy so as to keep everything as efficient as possible. NAT rules in particular are hard on Edges. Try to do as little translation as possible.

__________________
Robert Zimmerman