New NGX R61 on Solaris 10 thread

[apappas]

Didn't want to tack on to the other(s) threads.
I've been working on a Solaris 10 and NGX R61 platform for a few weeks now. I've read the threads on here and worked through those issues.

I have 2 V440 gateways configured with Solaris 10 6/06 Reduced Core, 10_Recommended, and 118833-24 installed.

Some hardening was done removing packages such as ipfilter, nis, and other extraneous software.

Check Point NGX R61 was installed and the changes to fw1boot were made to comment out the 2 autopush lines.

System boots fine, everything appears to be working as it should, but I cannot seem to get the sic into "Trust Established" state. The sic is initialized but cannot connect to the gateways.

Netstat shows the gateways are listening on 18191 but I can't telnet to that port. (Not sure If I should be able to reach it but can't think of any reason why not.)

I have IP connectivity, when I shut down cpd on the gateways all machines can ping each other.

I called CP support and was told that Solaris 10 revision 2 is not supported. I brought up sk32031 where it specifically states that this configuration is supported but was told that the sk should be removed, that Sun rewrote the IP stack and Checkpoint cannot interface with it anymore. Now they only support revision 1 1/06.

Obviously some here have this working. Any idea what might be causing me not to be able to get the sic working?

Thanks.
Angelo

[Robby Cauwerts]

Quote:

Originally Posted by apappas

Netstat shows the gateways are listening on 18191 but I can't telnet to that port. (Not sure If I should be able to reach it but can't think of any reason why not.)

What are you seeing when you lauch a "snoop -rd specific_interface "port 18191"" in combination with you telnet to the same tcp port?

[apappas]

A snoop shows me this:

Initialize


manager -> gateway TCP D=18211 S=1321 Syn Seq=1324009687 Len=0 Win=65535 Options=<mss 1460,nop,nop,sackOK>
manager -> gateway TCP D=18211 S=1321 Syn Seq=1324009687 Len=0 Win=65535 Options=<mss 1460,nop,nop,sackOK>
manager -> gateway TCP D=18211 S=1321 Syn Seq=1324009687 Len=0 Win=65535 Options=<mss 1460,nop,nop,sackOK>


netstat -a | grep 18211
*.18211 *.* 0 0 49152 0 LISTEN



Test SIC Status


manager -> gateway TCP D=18191 S=1322 Syn Seq=2701545045 Len=0 Win=65535 Options=<mss 1460,nop,nop,sackOK>
manager -> gateway TCP D=18191 S=1322 Syn Seq=2701545045 Len=0 Win=65535 Options=<mss 1460,nop,nop,sackOK>
manager -> gateway TCP D=18191 S=1322 Syn Seq=2701545045 Len=0 Win=65535 Options=<mss 1460,nop,nop,sackOK>



netstat -a | grep 18191
*.18191 *.* 0 0 49152 0 LISTEN

[Robby Cauwerts]

Have you verified sk30579 step-by-step?

[apappas]

Had not seen that. Thanks for pointing that out. Unloading the default policy enabled me to sync. Thanks!