Gateway not responding secure remote

s_ivanohe · #1 (**permalink**) 2007-12-19

Hi ,

I have FW on Nokia IP270 with R55 and we try to enable VPN.
using a dial-up connection we had the connection but when we try from DSL cable we have some problem. We obtain always : Gateway not responding and in the checkpoint tracker ( applying the show null matches ) we have thi response :

FWD Error: Log(s) discarded due to unification process failure
FWD Error: Log(s) discarded due to unification process failure
sys_message: too many internal hosts detected

thanks in advice

lammbo · #2 (**permalink**) 2007-12-19

Quote:

Originally Posted by s_ivanohe

sys_message: too many internal hosts detected

Let's deal with this first. This sounds like a licensing issue. Run this command on your enforcement point:
fw tab -t host_table -s

That command should give you a current value and a peak value of hosts seen by the firewall. Match this with the host count on your license. If over, this can start causing *STRANGE* unexplainable issues (trust me, you don't want to know some of the strange things that we've all seen happen when you are out of license compliance). You can always reboot if it hasn't been booted for a while and it will start the count over.

If you think this may be a licensing issue, talk to your SE and get an eval license and test again. If it all works, you most likely have a licensing issue.

We can help you address the rest after you verify these items.

s_ivanohe · #3 (**permalink**) 2007-12-20

Thanks for the answer. It seems so strange !! the same vpn connection is functioning from a dial-up connection and not from dsl cable. however i have run the command and the results are :
mail[admin]# fw tab -t host_table -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost host_table 8185 143 143 0

I can delete the licence hang on ?
could be that is some miscofiguration of the nokia appliance that don't permit the connection ? it seems that the DSL cable have dynamic IP over a nat and the system can't establish a connection.

thanks again

lammbo · #4 (**permalink**) 2007-12-21

Are you licensed for more than 143 hosts on this gateway?

chillyjim · #5 (**permalink**) 2007-12-25

IPSec often will not work with DSL as so many of them are PPoE and the MTU is too small. If you use SecureClient and Visitor Mode it should work.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode