| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hello, we have CP R55 in our company, and we host numerous websites for our clients. Now and then we receive a call from our clients because suddenly they can't access our websites. From the inside we don't have any problems using the internet (http, messenger, anything). For some reason the firewall stops accepting traffic from outside to our websites. We already checked the logs and there aren't any dropped packets. We only solve this by rebooting the firewall, which isn't a solution that we like too much because the clients need to access those sites. Has anyone had this problem? Since I'm not too acquainted with Check Point, is there any troubleshooting you recommend the next time this happens (and it will)? Thanks in advance, Nuno Santos
---
What operating system is the firewall running on? Are the web sites on different IP addresses than the firewall external interface? If so, it sounds like you're losing ARP. Will a policy push make it work again? Ray
---
The Check Point is Check Point SecurePlatform NG with Application Intelligence (R55) Build 110. The websites are on different machines on our DMZ with different IP addresses from the CP interface (NAT used). I think we've tried the policy push without success. The only thing that works is to reboot the firewall (I didn't know about cpstop;cpstart -> I will try it the next time the problem happens since it probably is faster than rebooting). Basically we have our internet connection connected to one NIC of the Check Point and have two more NICs on the CP, one for the intranet and the other for the DMZ, which are then connected to switches:

```
ISP ------> NIC1
            NIC2 ------> Switch (intranet) ----> machines
            NIC3 ------> Switch (DMZ) --------> machines for web access
```
---
When the failure occurs, does SmartView Tracker show the connection attempts at all, or are there zero log entries? If not, it's quite probably an ARP issue. It could be that the router on the outside of the firewall is the problem and that rebooting the firewall causes the router to reset something. I don't know what build 10 is. What HFA does the command cpshared_ver <Enter> show? Are these set up with manual NAT rules or automatic NAT rules?
---
Hello and thanks for the replies. The HFA is HFA_04 Hotfix 093. The NAT entries are manual. (The router we have is a Cisco. The next time the problem occurs I will check it to see if there is any problem.)
---
HFA04 is ancient. You really need to get to the current HFA, 20. Do you have proxy ARPs set up in local.arp for each of those IP addresses? Ray
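Ray's two diagnostic points above (zero SmartView Tracker entries pointing at ARP rather than a rule drop, and a proxy ARP entry in local.arp for every manually NATed public address) can be turned into an offline check. The following script is an added example written for this thread, not code from Check Point or from anyone in the discussion. It assumes the SecurePlatform local.arp format of one `<public IP> <MAC of external interface>` pair per line, and every address, MAC and file content below is constructed sample data: the script reports NAT addresses with no proxy ARP entry, entries whose MAC does not match the external interface, and lines that would not parse.

```python
"""Audit a Check Point local.arp file against the list of manually NATed
public IPs, so a missing or wrong proxy ARP entry is found before clients
call to say a site has vanished. Added example; all data below is constructed."""
import ipaddress
import re

# Constructed sample standing in for $FWDIR/conf/local.arp (assumed format:
# one "<ip> <mac>" pair per line). Line 3 deliberately has a truncated MAC.
LOCAL_ARP_SAMPLE = """\
203.0.113.10 00:11:22:33:44:55
203.0.113.11 00:11:22:33:44:66
203.0.113.12 00:11:22:33:44:5
"""

# Constructed: public addresses used in the manual static NAT rules,
# and the MAC of the firewall's external interface (NIC1 in the diagram).
NAT_PUBLIC_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
EXTERNAL_MAC = "00:11:22:33:44:55"

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_local_arp(text):
    """Return ({ip: mac}, [(lineno, problem)]) for the given local.arp text.

    Blank lines and anything after '#' are ignored; malformed lines are
    reported rather than silently skipped, because a typo in local.arp is
    exactly the kind of thing that only shows up as a site being unreachable.
    """
    entries = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            problems.append((lineno, "expected '<ip> <mac>'"))
            continue
        ip, mac = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append((lineno, f"bad IP {ip}"))
            continue
        if not MAC_RE.match(mac):
            problems.append((lineno, f"bad MAC {mac}"))
            continue
        entries[ip] = mac.lower()
    return entries, problems


def audit(nat_ips, local_arp_text, external_mac):
    """Compare the NAT address list with local.arp.

    missing   - NAT addresses with no usable proxy ARP entry
    wrong_mac - entries present but answering with a MAC that is not the
                external interface, so the upstream router sends frames
                to the wrong place
    parse_errors - lines that could not be read at all
    """
    entries, problems = parse_local_arp(local_arp_text)
    want = external_mac.lower()
    missing = [ip for ip in nat_ips if ip not in entries]
    wrong_mac = [ip for ip in nat_ips if ip in entries and entries[ip] != want]
    return {"missing": missing, "wrong_mac": wrong_mac, "parse_errors": problems}


if __name__ == "__main__":
    report = audit(NAT_PUBLIC_IPS, LOCAL_ARP_SAMPLE, EXTERNAL_MAC)
    for key, items in report.items():
        print(f"{key}: {items if items else 'none'}")
```

On a real gateway you would feed the script the contents of `$FWDIR/conf/local.arp` and the public addresses from your NAT rulebase instead of the constructed values; an address that shows up under `missing` is one the firewall will never answer ARP for, which matches the symptom of connections that leave no trace in SmartView Tracker. Edits to local.arp only take effect after a policy install, which is also why a reboot (or cpstop;cpstart) can appear to "fix" an ARP problem without anyone having changed anything.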