| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi, I'm after help with a problem of SecureClient working to firewalls installed with NGX. Remote users were working OK to NG_AI but failed once the firewalls were upgraded to NGX. When reverted back to NG_AI, access was OK again. Subsequent testing implied that the problem was with the IKE Phase 1 key exchange (default using UDP 500). The SecureClient diagnostics showed the failure, with an error 108. Also, we found that the problem only occurred if the firewall was a member of a cluster object. If used as a single firewall object it worked OK. It also worked as a cluster member if IKE over TCP was used. The NGX fix has been applied to both the management server and firewall. Check Point is running on Nokias using IPSO 3.9. |
| |||
| What version of SC are you using? Are you using IPSO cluster or ClusterXL? What "mode" (Unicast/pivot or Multicast/New-mode)? Try it with pivot mode if you're not using that. Multicast mode still has problems with some switches/routers that are not fully RFC compliant with the multicast specs. -jlh |
| |||
| Jim, thanks for the reply. The SC being used is R56. We're not using either IPSO clustering or ClusterXL. The firewalls (Nokia IP530 hardware) are set up in a simple failover pair using monitored cct. This works fine in NG_AI. david |
| |||
| Making sure I understand.... R60 VPN-1 on IPSO 3.9 w/ VRRP HA; R56 SC/SR; works with TCP encapsulation but fails with just UDP encap. ======== Did you try the R60 SC/SR? I can't find any reference to that error, but I don't have access to the Nokia KB. |
| |||
| Jim, firewalls are IP530 running IPSO 3.9. They are set up as an HA pair using VRRP monitored cct. When using NG_AI, VPN access using SecureClient works fine. After upgrading to NGX, access fails, not even able to create site, using default of UDP IKE. If IKE over TCP is used, site creates OK. No difference whether SC R56 or R60 is used. In a test environment with a single firewall at NGX, VPN access is OK. If that firewall is made a member of a cluster, access fails. |
| |||
| Using IKE over TCP, does everything keep working after the site is created? I seem to remember something about IKE UDP and cluster problems, but I don't remember it being an R60 issue. I'll take another look through the KB. -jlh |
| |||
| Quote:
If it works with IKE/TCP, is using that an issue? -jlh |
| |||