CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all,

I have a big problem with SSL Network Extender. Basically I have a test environment with Check Point NG R55 HF12; the enforcement module and the SmartCenter are on the same machine. I did all the setup required to run SSL NE (Visitor Mode, Office Mode, user access...) and I connect successfully to the gateway. The problem appears after the authentication and the creation of the virtual interface. When I try to ping a host behind the gateway I can see the encrypted packet sent to the gateway, and then the gateway decrypts it and sends it to the final host, but there is no reply; my packet never comes back. I'm almost sure it's a routing problem, but everything looks normal. Here is a windump done on the host that receives the ping. You can notice that the gateway forwards it, but the host doesn't know how to get back to the remote peer (192.168.242.5):

    22:35:56.692653 arp who-has 192.168.242.5 tell 192.168.242.20
    22:36:20.794009 IP 192.168.242.5 > 192.168.242.20: icmp 40: echo request seq 18688
    22:36:20.794130 arp who-has 192.168.242.5 tell 192.168.242.20
    22:36:25.786631 IP 192.168.242.5 > 192.168.242.20: icmp 40: echo request seq 18944
    22:36:25.786784 arp who-has 192.168.242.5 tell 192.168.242.20
    22:36:31.527515 IP 192.168.242.5 > 192.168.242.20: icmp 40: echo request seq 19200
    22:36:31.527621 arp who-has 192.168.242.5 tell 192.168.242.20
    22:36:36.584388 IP 192.168.242.5 > 192.168.242.20: icmp 40: echo request seq 19456
    22:36:36.584561 arp who-has 192.168.242.5 tell 192.168.242.20

Your help will be really appreciated. Thanks a lot,
Berkine
It appears that you are using the same network range for your Visitor Mode or Office Mode as you are using for your internal network. If your Visitor Mode or Office Mode IP range is the same as your internal network, then this will happen. Change to use a different IP range for your Visitor Mode or Office Mode. If you use the same network for Visitor Mode or Office Mode, the destination will receive the packet and then try to route it back to the source. As it's on the same network it won't have to 'route' the packet, because it's on the same network; thus it will ARP for it, waiting for a MAC address to send it to. As this IP address doesn't physically exist on this network, there will not be a reply for it to get a MAC address to send the packet back to. If you use a different network, then the destination will have to route the packet, usually to its default route.
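The following Python is an added illustration of the failure mode described in the reply above; it is not code from the thread or from Check Point. It models the forwarding decision the destination host makes for its reply, using the addresses from the first post's windump (host 192.168.242.20/24, Office Mode client 192.168.242.5) and an assumed default gateway of 192.168.242.1 standing in for the firewall's internal interface. It also checks a candidate Office Mode or Visitor Mode pool against the internal networks for overlap before you deploy it.

```python
"""Model of the return-path decision for an Office Mode client's traffic.

Added example, not code from the thread or from Check Point. Addresses are
taken from the first post's windump (host 192.168.242.20/24, Office Mode
client 192.168.242.5); the default gateway 192.168.242.1 is an assumption
standing in for the firewall's internal interface.
"""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def next_hop(host_cidr: str, default_gw: str, dst: str) -> tuple[str, str]:
    """How a host with a single interface forwards a packet to dst.

    On-link destination: the host ARPs for dst itself ("arp"). If nothing on
    the wire owns that address, the reply is never sent. Off-link destination:
    the host hands the packet to its default gateway ("route").
    """
    iface = IPv4Interface(host_cidr)
    if IPv4Address(dst) in iface.network:
        return ("arp", dst)
    return ("route", default_gw)


def reply_reaches_vpn_gateway(host_cidr: str, default_gw: str,
                              client_ip: str, vpn_gw: str) -> bool:
    """True if the host's reply to an Office Mode client lands on the VPN gateway.

    An ARP for an address that exists only on the far side of the tunnel gets
    no answer, so only the routed case with the VPN gateway as next hop works.
    """
    action, hop = next_hop(host_cidr, default_gw, client_ip)
    return action == "route" and hop == vpn_gw


def pool_overlaps(pool_cidr: str, internal_cidrs: list[str]) -> list[str]:
    """Internal networks that a proposed Office/Visitor Mode pool collides with.

    Any hit means hosts on that network will ARP for client addresses instead
    of routing the replies back; choose a pool that returns an empty list.
    """
    pool = IPv4Network(pool_cidr)
    return [c for c in internal_cidrs if IPv4Network(c).overlaps(pool)]


if __name__ == "__main__":
    host, gw = "192.168.242.20/24", "192.168.242.1"
    # The thread's failing case: client address drawn from the internal LAN.
    print(next_hop(host, gw, "192.168.242.5"))        # ('arp', '192.168.242.5')
    # The fixed case: pool moved to a range the LAN host has to route.
    print(next_hop(host, gw, "10.200.0.5"))           # ('route', '192.168.242.1')
    # Pre-deployment check of two candidate pools against the internal networks.
    lan = ["192.168.242.0/24", "192.168.1.0/24"]
    print(pool_overlaps("192.168.242.0/28", lan))     # ['192.168.242.0/24']
    print(pool_overlaps("10.200.0.0/24", lan))        # []
```

One caveat the routed case relies on: the host's default gateway must either be the VPN gateway itself or hold a route for the Office Mode pool that points at it. If an internal router sits between the hosts and the firewall, add that static route on the router; otherwise the reply is routed, but to the wrong place.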
Hi, I had this same issue, and changing the Office Mode IP pool to a range other than the internal range of the enforcement module worked, but only for SecureClient. Now the SSL-NX user connects and authenticates, is supplied an IP address, DNS etc.; the SSL-NX user can ping the real and cluster IP addresses of the enforcement module's internal interface, but when trying beyond this to other hosts the traffic fails to return. I have no problems with SecureClient connecting to services beyond the enforcement module's own internal IP subnet. I am running NGX R60 straight (no HFAs) in a SecurePlatform HA cluster. I have searched the KB and re-read the manual a number of times. Thoughts? Thanks
Hello, I have the same problem with SNX on the NGX platform. Connection and authentication are OK, but after authentication my PC gets an address (that I have defined in the file $FWDIR/conf/ipassignment.conf), and then I'm unable, from my PC, to ping or FTP machines on the LAN protected by the Check Point platform. I have tried first by defining an internal LAN address, and then with an address outside the LAN (e.g. 192.168.242.5), but it doesn't work. Thanks for your help
I have a simple configuration with the enforcement module and the management module on the same SecurePlatform machine (2 Ethernet interfaces: input, output). Someone advised me to create a private LAN (192.168.x.x) in the Dashboard and to use it for Office Mode (instead of the ipassignment.conf file). It also seems necessary to manually define the VPN domain in the Topology page of the Dashboard and to indicate the local LAN. I will try it ASAP on the production machine! Any suggestions?