CPUG: The Check Point User Group
Forum section: Check Point Firewall-1/VPN-1 And Related Products > Topology Issues
Thread: SecuRemote Topology
#1 bklyn1rr, 2007-08-03: SecuRemote Topology

Description: I have two firewall clusters accepting SecuRemote requests from users. Firewall cluster A is located in NY and firewall cluster B is located in California. Users are configured to connect only to cluster A, and cluster B is only used for redundancy. This was working fine until recently.

Issue: Users are authenticating to firewall cluster A, but they are now receiving a second authentication from firewall cluster B. Now all connections are coming through firewall cluster B. I believe this is related to the site topology that is downloaded to the clients, but the topology for the two firewall clusters is unique.
#2 melipla, 2007-08-03: Re: SecuRemote Topology

Quote, originally posted by bklyn1rr:
Users are authenticating to firewall cluster A, but they are now receiving a second authentication from firewall cluster B. Now all connections are coming through firewall cluster B. I believe this is related to the site topology that is downloaded to the clients, but the topology for the two firewall clusters is unique.
Is there any overlap in the two VPN domains? If your VPN domain has changed to a partially overlapping VPN domain since the site was created, then that may cause topology differences for SecureClient.

Can users connect to either gateway to reach everything in the VPN domain? A fully overlapping VPN domain may be a better solution, where the user can select a profile that specifies which gateway to connect to.

One option is to identify which resource behind Gateway B SecureClient is trying to access and find a way to stop SecureClient from accessing that resource, either by moving it to Gateway A's VPN domain or by removing it from the VPN domains.

#3 bklyn1rr, 2007-08-03: Re: SecuRemote Topology

The VPN encryption domains are the same. Users can connect to either cluster to reach resources. If you look at the client status for the connection, it displays that they are connected to both clusters, which explains why we are receiving double authentication. The SecuRemote configuration hasn't changed for almost two years, and the users were only authenticating to cluster A, which is the primary cluster. The users can connect to cluster B, but they will need to manually select cluster B.
#4 Danielpb, 2007-08-03: Re: SecuRemote Topology

I would get one of your remote users to send you the user.c file and check the config. It might shed some light on the situation.
#5 melipla, 2007-08-03: Re: SecuRemote Topology

Just throwing out ideas...

Any indication in SecureClient logs as to problems like tunnel test failure?

Anything in SecureClient Diagnostics that might indicate what caused the failover to the backup cluster?

Have the gateways been upgraded recently? Or any edge router changes that might impact traffic flow?

Does recreating the site in SecureClient affect which gateway it connects to?
#6 bklyn1rr, 2007-08-03: Re: SecuRemote Topology

User.c file (IP addresses changed):
(
:options (
:predefined_profiles_only (false)
:predefined_sites_only (false)
:enable_log_collection (true)
:default_key_scheme (isakmp)
:connect_mode_erase_pwd_after_update (true)
:active_resolver (true)
:resolver_ttl (0)
:resolver_session_interval (0)
:silent_topo_update (false)
:use_entelligence (false)
:manual_slan_control (true)
:user_manual_gui_control (true)
:user_manual_cli_control (true)
:encrypt_db (false)
:gettopo_port (264)
:force_udp_encapsulation (true)
:force_sr_route_through_gw (false)
:no_clear_tables (false)
:allow_clear_in_enc_domain (false)
:use_ext_auth_msg (true)
:use_ext_logo_bitmap (true)
:pwd_erase_on_time_change (false)
:enable_kill (true)
:enable_mode_switching (true)
:enable_sounds (true)
:sdl_max_wait (-1)
:ChangeIKEport (true)
:ChangeUDPsport (true)
:topology_over_IKE (true)
:reload_lmhosts_on_topology (false)
:mac_xlate (false)
:mac_xlate_interval (90)
:connect_mode (false)
:allow_clear_traffic_while_disconnected (false)
:block_conns_on_erase_passwords (false)
:disconnect_on_dialup_change (true)
:disable_mode_transition (false)
:connect_domain_logon (false)
:sdl_main_timeout (120000)
:sdl_main_timeout_user (0)
:sdl_main_silent_timeout (false)
:show_disabled_profiles (false)
:silent_update_on_connect (false)
:stop_connect_when_silent_update_fails (false)
:suppress_dialog_when_creds_available (false)
:go_online_days_before_expiry (0)
:go_online_always (false)
:implicit_disconnect_threshold (180)
:connect_api_support (false)
:disconnect_on_IKE_SA_expiry (false)
:suppress_ike_keepalive (false)
:use_ext_logo_bitmap (true)
:active_test (
:0 (
:test_name (ping_loopback)
:test_parameters ()
)
:1 (
:test_name (ping_def_gw)
:test_parameters ()
)
:2 (
:test_name (dttunneltest)
:test_parameters ()
)
)
:sda_implicit (false)
:sda_implicit_frequency (10080)
:disable_split_dns_when_disconnected (true)
:disable_split_dns_in_om (true)
:message_viewer_max_size (10)
:tcpt_settings (no_proxy)
:tcpt_proxy_address ()
:tcpt_proxy_port (0)
:tcpt_proxy_username ()
:tcpt_proxy_password ()
:ie_proxy_replacement (true)
:ie_proxy_replacement_limit_to_tcpt (true)
:pmtu_max (1350)
:open_full_diagnostic_tool (false)
:fail_connect_on_tt_failure (false)
:tt_failure_show_notification (false)
:simplified_client (false)
:simplified_client_route_all_traffic (false)
:simplified_client_terminate_on_invalid_params (true)
:disable_icf_on_connect (manual)
:api_manual_slan_control (false)
:disconnect_when_in_enc_domain (true)
:suppress_all_balloons (false)
:allow_to_change_3rd_party_auth_type (false)
:support_rsa_soft_tokens (true)
:hotspot_enabled (true)
:hotspot (
:enabled (false)
:log (false)
:connect_timeout (600)
:max_ip_count (5)
:local_subnets (false)
:ports (
: (80)
: (443)
: (8080)
)
:block_hotspot_after_connect (false)
:max_trials (0)
)
:disable_split_dns_upon_disable_site (true)
:active_connection_method_detection (true)
:desktop_policy_control (
:extended_control (false)
:smartdefense_enabled (false)
:scv_dynamic_updates_enabled (false)
:smartdefense_manual_control (true)
:scv_manual_control (true)
)
:user_language (0)
:user_language_manual_control (true)
:prompt_for_no_suitable_profile (true)
:slan_enabled (false)
:global_force_udp_encapsulation (false)
:global_support_tcp_ike (false)
:global_support_tcpt (false)
:global_sr_route_through_gw (false)
:support_tcp_ike (true)
:support_tcpt (false)
:sr_route_through_gw (false)
:support_ip_assignment (false)
)
:gws (
: (1.1.24.203.abcNHO-cal-FW-Cluster
:obj (
: (1.1.25.203)
)
:keymanager (
:type (refobj)
:refname ("#_1.1.24.203")
)
:ifaddrs (
: (1.1.25.203)
: (10.1.25.203)
: (172.31.25.1)
: (172.31.25.2)
: (1.1.25.201)
: (10.1.25.201)
: (1.1.25.202)
: (10.1.25.202)
)
:topology (
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.0.0)
:type (network)
:ipaddr (10.0.0.0)
:ipmask (255.0.0.0)
)
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.1.0)
:type (network)
:ipaddr (1.1.25.201)
:ipmask (255.255.255.255)
)
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.1.1)
:type (network)
:ipaddr (1.1.25.202)
:ipmask (255.255.255.254)
)
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.2.0)
:type (network)
:ipaddr (172.17.0.0)
:ipmask (255.255.0.0)
)
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.3.0)
:type (network)
:ipaddr (172.31.25.1)
:ipmask (255.255.255.255)
)
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.3.1)
:type (network)
:ipaddr (172.31.25.2)
:ipmask (255.255.255.255)
)
)
:fwver (6.0)
:option_pack (3)
:firewall (installed)
:uencapport (2746)
:certificates (
: ("O=abcnho-fwms..3hrymp"
: ("CN=abcNHO-cal-FW-Cluster VPN Certificate,O=abcnho-fwms..3hrymp")
)
)
:is_isakmp (true)
:is_subnet_support (true)
:ISAKMP_hybrid_support (true)
:supports_tcp_ike (use_site_default)
:keep_DF_flag_SR (false)
:copy_DF_flag_SR (false)
:peers ()
:gw_support_nat_t (true)
)
: (1.1.24.203.abcNHO-FW-Cluster
:obj (
: (1.1.24.203)
)
:keymanager (
:type (refobj)
:refname ("#_1.1.24.203")
)
:ifaddrs (
: (1.1.24.203)
: (10.1.6.203)
: (10.1.5.203)
: (10.1.1.203)
: (172.31.24.1)
: (172.31.24.2)
: (10.1.1.201)
: (10.1.5.201)
: (10.1.6.201)
: (1.1.24.201)
: (10.1.1.202)
: (10.1.5.202)
: (10.1.6.202)
: (1.1.24.202)
)
:topology (
: (
:name (1.1.24.203.abcNHO-FW-Cluster.0.0)
:type (network)
:ipaddr (10.0.0.0)
:ipmask (255.0.0.0)
)
: (
:name (1.1.24.203.abcNHO-FW-Cluster.1.0)
:type (network)
:ipaddr (1.1.24.201)
:ipmask (255.255.255.255)
)
: (
:name (1.1.24.203.abcNHO-FW-Cluster.1.1)
:type (network)
:ipaddr (1.1.24.202)
:ipmask (255.255.255.254)
)
: (
:name (1.1.24.203.abcNHO-FW-Cluster.2.0)
:type (network)
:ipaddr (172.17.0.0)
:ipmask (255.255.0.0)
)
: (
:name (1.1.24.203.abcNHO-FW-Cluster.3.0)
:type (network)
:ipaddr (172.31.24.1)
:ipmask (255.255.255.255)
)
: (
:name (1.1.24.203.abcNHO-FW-Cluster.3.1)
:type (network)
:ipaddr (172.31.24.2)
:ipmask (255.255.255.255)
)
: (
:name (1.1.24.203.abcNHO-FW-Cluster.4.0)
:type (network)
:ipaddr (209.135.47.160)
:ipmask (255.255.255.224)
)
)
:fwver (6.0)
:option_pack (3)
:firewall (installed)
:uencapport (2746)
:certificates (
: ("O=abcnho-fwms..3hrymp"
: ("CN=abcNHO-FW-Cluster VPN Certificate,O=abcnho-fwms..3hrymp")
)
)
:is_isakmp (true)
:is_subnet_support (true)
:ISAKMP_hybrid_support (true)
:supports_tcp_ike (use_site_default)
:keep_DF_flag_SR (false)
:copy_DF_flag_SR (false)
:peers ()
:includes (1.1.24.203.abcNHO-cal-FW-Cluster
:obj (
: (1.1.25.203)
)
:keymanager (
:type (refobj)
:refname ("#_1.1.24.203")
)
:ifaddrs (
: (1.1.25.203)
: (10.1.25.203)
: (172.31.25.1)
: (172.31.25.2)
: (1.1.25.201)
: (10.1.25.201)
: (1.1.25.202)
: (10.1.25.202)
)
:topology (
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.0.0)
:type (network)
:ipaddr (10.0.0.0)
:ipmask (255.0.0.0)
)
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.1.0)
:type (network)
:ipaddr (1.1.25.201)
:ipmask (255.255.255.255)
)
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.1.1)
:type (network)
:ipaddr (1.1.25.202)
:ipmask (255.255.255.254)
)
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.2.0)
:type (network)
:ipaddr (172.17.0.0)
:ipmask (255.255.0.0)
)
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.3.0)
:type (network)
:ipaddr (172.31.25.1)
:ipmask (255.255.255.255)
)
: (
:name (1.1.24.203.abcNHO-cal-FW-Cluster.3.1)
:type (network)
:ipaddr (172.31.25.2)
:ipmask (255.255.255.255)
)
)
:fwver (6.0)
:option_pack (3)
:firewall (installed)
:uencapport (2746)
:certificates (
: ("O=abcnho-fwms..3hrymp"
: ("CN=abcNHO-cal-FW-Cluster VPN Certificate,O=abcnho-fwms..3hrymp")
)
)
:is_isakmp (true)
:is_subnet_support (true)
:ISAKMP_hybrid_support (true)
:supports_tcp_ike (use_site_default)
:keep_DF_flag_SR (false)
:copy_DF_flag_SR (false)
:peers ()
:gw_support_nat_t (true)
)
:gw_support_nat_t (true)
)
)
:managers (
: (1.1.24.203
:obj (
:type (node)
: (1.1.24.203)
)
:dnsinfo (
:dns_servers (
: (SecuRemote-DNS2
:obj (
: (10.110.23.133)
)
:domain (
: (
:domain (.abc.org)
:dns_label_count (5)
)
: (
:domain (.land.abc)
:dns_label_count (3)
)
: (
:domain (.link.org)
:dns_label_count (3)
)
)
:topology ()
)
: (SecuRemote-DNS
:obj (
: (10.110.23.80)
)
:domain (
: (
:domain (.abc.org)
:dns_label_count (5)
)
: (
:domain (.land.abc)
:dns_label_count (3)
)
: (
:domain (.link.org)
:dns_label_count (3)
)
)
:topology ()
)
)
:encrypt_dns (false)
)
:MgmtInternalCA (
:public (
:value (03)
)
:modulus (
:value (f9a34bf104b1111bf263c2ded321d4bbd681cb3d333951b8c9a8815c35af5e4b905dd0d36c1605a8fd6e92f1ba42177e1f16ea73e6132247210353901aa660ceee9f0bf9a731ca08563edbbd6e77949e1ce3ae01575addfcfb4294a4072a21a4d768376606b38f1cd408827f51182e6f18ca2f91083decb5c9977e815f93d6d3b9309e070736da76afa72de657dd141f14130c2b31ba8d4eaf7960913bf8e7e09b1d09d7f745515b729a28b255e2b2a2b8bdf4c75da4d1091049b27c6bb02c632779ab0653d392cd3777e61430167ff30ed634a44d8475a228c9a203162af9b55047090052bf3e90e792a89c76f4343a2e5f3265d23df6ba99ad7cf071966d8d)
)
:cert (959042cb55e844ca7f74beb1dddab1f9e78cddde90ef223f91ae115a9be4e2a120562a081493b8fbbbd77a6ba68e3069e7d4b4f4b47509bab3ee97da9d042e78f83daec3ee83b3834ac1853ad9f5aba40873b7d9bdf0ae524586883a052f392b99d9d14c0af4a2c5601c4dc86f07b03ff14ef639e30541fa731496c6bd72661b904f4cfdc4f309ed98ae2495920156ef9f250e6b8b02bb2da45c8d6995d67999e794d3ad41c9db082d8d8e507c436a6af85e5aca97cb18669cf7c37634a10a2dfcc9b8470dc35c9d77ffa0f9ae335014a7e327f02b134ae34696466ff27565bf3f9085c81f3b8900df35728e3f795886a3c2af6a71d5b1a4dd597f3693afc685000101820300050501010df78648862a09060d308601020304040001010f1d5503060e30ff010103300504ff0101131d5503060f30213023a30301028d6d9671f07cad99baf63dd265325f2e3a34f4769ca892e7903ebf5200094750b5f92a1603a2c928a275844da434d60ef37f163014e67737cd92d35306ab7927632cb06b7cb2491009d1a45dc7f4bdb8a2b2e255b2289a725b5145f7d7091d9be0e7f83b916079af4e8dba312b0c13141f14dd57e62da7af76da3607079e30b9d3d6935f817e97c9b5ec3d08912fca186f2e18517f8208d41c8fb306663768d7a4212a07a49442fbfcdd5a5701aee31c9e94776ebddb3e5608ca31a7f90b9feece60a61a90530321472213e673ea161f7e1742baf1926efda805166cd3d05d904b5eaf355c81a8c9b851a9333dcb81d6bbd421d3dec263f25b11b104f14ba3f9000101820208018230000d01820300050101010df78648862a09060d3020018230706d797268332e2e736d77662d6f686e73636113130a045503061a301c311e305a3634333332303632383033320d175a3634333332303133383033300d171e30706d797268332e2e736d77662d6f686e73636113130a045503061a301c311e3000050501010df78648862a09060d3001010202010203a0c0018230d8028230)
:dn ("O=abcnho-fwms..3hrymp")
:date (3f52b197)
)
:last_auth_method (hybrid-ike)
:date (46aa4032)
:disable (false)
:disconnect_on_token_removal (false)
:to_expire (false)
:expire (120)
:cache_passwords (false)
:update_topo_at_start (false)
:policy_expire (60)
:crl_start_grace (5400)
:crl_end_grace (5400)
:sr_dont_check_crl (false)
:PS_HA (true)
:PS_LB (false)
:keep_alive (false)
:keep_alive_interval (20)
:silent_topo_update (true)
:site_default_tcp_ike (true)
:topology_over_IKE (true)
:ike_negotiation_timeout (36)
:phase2_proposal (large)
:phase2_proposal_size (small)
:vpn_peer_ls (false)
:ike_support_dos_protection (true)
:ike_dos_protection (puzzles)
:ike_dos_acceptable_puzzle_level (19)
:ike_dos_max_puzzle_time (5000)
:enable_automatic_policy_update (false)
:silent_policy_update (false)
:automatic_policy_update_frequency (10080)
:skip_automatic_policy_update_if_authentication_required (true)
:renew_users_ica_cert (true)
:upgrade_fp1_and_below_users_ica_cert (true)
:renew_users_ica_cert_days_before (60)
:sda_implicit (false)
:sda_implicit_frequency (10080)
:allow_clear_traffic_while_disconnected (true)
:send_clear_traffic_between_encryption_domains (false)
:post_connect_script_show_window (false)
:trust_all_capi_cas (false)
:user_certs_key_size (1024)
:update_frequency (604800)
:phase1_dhgrp ("Group 2 (1024 bit)"
:DH_group_number (2)
:mod (
:value (ffffffffffffffffc90fdaa22168c234d4d6628b80dc1cd129024e088a67dd74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece65381ffffffffffffffff)
)
:modsize (1024)
:private_key_length (192)
:root (
:value (02)
)
:rootsize (2)
:type (IKE_DH_parameters)
)
:management_ver (
:option_pack (3)
:cpver (6.0)
)
:active_test (
:0 (
:test_name (ping_loopback)
:test_parameters ()
)
:1 (
:test_name (ping_def_gw)
:test_parameters ()
)
:2 (
:test_name (dttunneltest)
:test_parameters ()
)
)
:silent_update_on_connect (false)
:stop_connect_when_silent_update_fails (false)
:single_om_per_site (false)
:disconnect_when_in_enc_domain (true)
:use_profile_ps_configuration (false)
:cache_password (false)
:use_cert (false)
:pwd_type (true)
:certfile_need_pin (false)
:auth_type (0)
:securid_type (0)
:last_used_gw (abcNHO-FW-Cluster)
:should_have_ike_sa_on_connect (false)
:download_topo_from_ip (0x0ca819cb)
:partial_topo (false)
:phase2_aes_key_size (128)
:ie_proxy_replacement (false)
:ie_proxy_replacement_limit_to_tcpt (true)
:enable_log_collection (true)
:hotspot (
:ports (
: (443)
: (80)
: (8080)
)
:block_hotspot_after_connect (false)
:connect_timeout (600)
:enabled (false)
:is_dirty (false)
:local_subnets (false)
:log (false)
:max_ip_count (5)
:max_trials (0)
)
:simplified_client_route_all_traffic (false)
:disable_MEP (false)
:scv_allow_sr_clients (false)
)
)
:policy_servers ()
:sds_servers ()
:profiles (
:active_profile (1.1.24.203)
:active_gw (abcNHO-FW-Cluster)
: (1.1.24.2032
:attributes (
:read_only (false)
:description ("1.1.24.203 default profile")
)
:options (
:support_tcp_ike (true)
:force_udp_encapsulation (true)
:support_tcpt (false)
:support_ip_assignment (false)
:sr_route_through_gw (false)
:ps_ha_scheme (ps_pool)
)
:gateways ()
:policy_servers ()
:site (1.1.24.203)
)
: (1.1.24.203
:attributes (
:read_only (false)
:description ("1.1.24.203 default profile")
)
:options (
:support_tcp_ike (true)
:force_udp_encapsulation (true)
:support_tcpt (false)
:support_ip_assignment (false)
:sr_route_through_gw (false)
:ps_ha_scheme (ps_pool)
)
:gateways (
: (1.1.24.203.abcNHO-FW-Cluster
:name (1.1.24.203.abcNHO-FW-Cluster)
:ipaddr (1.1.24.203)
:active (true)
)
)
:policy_servers ()
:site (1.1.24.203)
)
: (1.1.24.2031
:attributes (
:read_only (false)
:description ("1.1.24.203 default profile")
)
:options (
:support_tcp_ike (true)
:force_udp_encapsulation (true)
:support_tcpt (false)
:support_ip_assignment (false)
:sr_route_through_gw (false)
:ps_ha_scheme (ps_pool)
)
:gateways (
: (1.1.24.203.abcNHO-FW-Cluster
:name (1.1.24.203.abcNHO-FW-Cluster)
:ipaddr (1.1.24.203)
:active (true)
)
)
:policy_servers ()
:site (1.1.24.203)
)
)
)
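Added example (not part of the thread, and not Check Point's code): a small parser for the object syntax used in the user.c file posted in #6, with the partial-versus-full overlap check melipla asked for in #2. It assumes the file layout exactly as posted: gateway entries under :gws with :ifaddrs, :topology and optional nested :includes blocks, and a :managers entry carrying disable_MEP. The embedded SAMPLE is a constructed, trimmed copy of the posted structure; the gateway names, addresses and the 209.135.47.160/27 prefix are taken from it. Host entries in :topology that are just the cluster members' own addresses (they also appear in :ifaddrs) are dropped before comparing, since they are never identical between two clusters. Three things the posted file shows, and this example reports, are worth checking against the intended design: the NY cluster's topology carries 209.135.47.160/27 with no counterpart in the California cluster's topology, so by this file the two VPN domains are partially rather than fully overlapping; the California cluster also appears nested inside the NY cluster's entry via :includes; and the site has disable_MEP set to false.

```python
"""Parse a SecureClient/SecuRemote userc.C-style site file and compare the VPN
domains of the gateways it lists (added example, not Check Point's own code)."""
import ipaddress
import re

TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')  # "quoted", ( ), or bare word


class Node:
    """One '( ... )' group: leading bare atoms plus ':key ( ... )' children."""
    def __init__(self):
        self.atoms, self.children = [], []   # children: (key, Node); key '' for ': ('

    def get(self, key):
        return [n for k, n in self.children if k == key]

    def first(self, key, default=None):
        found = self.get(key)
        return found[0].atoms[0] if found and found[0].atoms else default


def parse(text):
    """Recursive-descent parser; keys start with ':', values are parenthesised."""
    tokens, pos = TOKEN.findall(text), 0

    def group():
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != '(':
            raise ValueError(f"expected '(' at token {pos}")
        node, pos = Node(), pos + 1
        while tokens[pos] != ')':
            tok, pos = tokens[pos], pos + 1
            if tok.startswith(':'):
                node.children.append((tok[1:], group()))
            else:
                node.atoms.append(tok.strip('"'))
        pos += 1
        return node
    return group()


def routed_domain(gw):
    """Topology prefixes of one gateway entry, minus the host entries that are only
    the cluster members' own addresses (network address listed under :ifaddrs)."""
    own = {ipaddress.ip_address(e.atoms[0]) for s in gw.get('ifaddrs') for e in s.get('')}
    nets = [ipaddress.ip_network(f"{e.first('ipaddr')}/{e.first('ipmask')}", strict=False)
            for t in gw.get('topology') for e in t.get('')]
    return [n for n in nets if n.network_address not in own]


def gateways(site):
    """{name: prefixes} for every gateway under :gws, plus (outer, inner) pairs for
    gateways nested inside another gateway's :includes block."""
    domains, nested = {}, []

    def walk(gw, outer=None):
        domains.setdefault(gw.atoms[0], routed_domain(gw))
        if outer:
            nested.append((outer, gw.atoms[0]))
        for inner in gw.get('includes'):
            walk(inner, gw.atoms[0])
    for g in site.get('gws'):
        for gw in g.get(''):
            walk(gw)
    return domains, nested


def compare(a, b):
    """'full', 'partial' or 'disjoint' overlap of two domains, plus the prefixes
    reachable through only one gateway (the partial-vs-full distinction from #2)."""
    def uncovered(nets, others):
        return [str(n) for n in nets if not any(n.subnet_of(o) for o in others)]
    only_a, only_b = uncovered(a, b), uncovered(b, a)
    if not only_a and not only_b:
        return 'full', only_a, only_b
    touching = any(x.overlaps(y) for x in a for y in b)
    return ('partial' if touching else 'disjoint'), only_a, only_b


def report(text):
    site = parse(text)
    domains, nested = gateways(site)
    names = list(domains)
    manager = site.get('managers')[0].get('')[0]
    return {'gateways': names, 'nested': nested,
            'overlap': compare(domains[names[0]], domains[names[1]]),
            'mep_disabled': manager.first('disable_MEP') == 'true'}


# Constructed sample: the posted file's structure, trimmed to the relevant keys.
SAMPLE = """(
:gws (
 : (1.1.24.203.abcNHO-cal-FW-Cluster
  :ifaddrs (: (1.1.25.203) : (1.1.25.201) : (1.1.25.202))
  :topology (: (:ipaddr (10.0.0.0) :ipmask (255.0.0.0))
             : (:ipaddr (1.1.25.202) :ipmask (255.255.255.254))
             : (:ipaddr (172.17.0.0) :ipmask (255.255.0.0))))
 : (1.1.24.203.abcNHO-FW-Cluster
  :ifaddrs (: (1.1.24.203) : (1.1.24.201))
  :topology (: (:ipaddr (10.0.0.0) :ipmask (255.0.0.0))
             : (:ipaddr (1.1.24.201) :ipmask (255.255.255.255))
             : (:ipaddr (172.17.0.0) :ipmask (255.255.0.0))
             : (:ipaddr (209.135.47.160) :ipmask (255.255.255.224)))
  :includes (1.1.24.203.abcNHO-cal-FW-Cluster
   :topology (: (:ipaddr (10.0.0.0) :ipmask (255.0.0.0))))))
:managers (: (1.1.24.203 :disable_MEP (false) :last_used_gw (abcNHO-FW-Cluster)))
)"""
```

To use it on a real file, read the user's userc.C into a string and call report() on it; for the sample above it returns overlap ('partial', [], ['209.135.47.160/27']), one nested pair (NY cluster outer, California cluster inner) and mep_disabled False. The parser keeps quoted strings whole, so entries such as the "Group 2 (1024 bit)" DH group name do not unbalance the parentheses.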