Barry J. Stiefel
2005-08-14, 14:34
One Way Trust between Management and Enforcement Modules

I recently performed a firewall move which required a change of the xtr FW's IP address. Along with that change, I renamed the host. In my rulebase I renamed the gateway object and updated its IP. I am now able to push a policy onto the gateway, but the gateway cannot fetch a policy from the EMC. fwstop/fwstart on the gateway yields a failure. Likewise, the EMC rejects log files from the gateway with the error 'unknown established TCP packet.' When other gateways attempt to set up their VPN links to this gateway, I see the error 'notification from peer: invalid id information id: 7c666121'...



Any thoughts on how to rectify this? All hosts files were updated and resolution works in both directions. Everything is Solaris 8 and 4.1.



Answer

You're going to have to redo putkeys, plain and simple. For other troubleshooting tips, refer to PutkeysDontWork (http://www.phoneboy.com/bin/edit.pl/FAQ/PutkeysDontWork?topicparent=FAQs.OneWayTrust).
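The putkey exchange the answer refers to, as an added example that is not part of the original FAQ or of Check Point's own tooling. In FireWall-1 4.x, `fw putkey -n <my_ip> <peer_ip>` is run on each of the two hosts, naming the peer and prompting for a shared password that must be identical on both sides; the `-n` address is the identity this host presents to the peer, so after an IP change it must be the new address the peer actually sees the control connection come from. The wrapper script, its dry-run mode, the address check and all IP addresses (192.0.2.x) are constructed for this example; `fw putkey`, `fwstop` and `fwstart` are the real 4.1 commands.

```shell
#!/bin/sh
# Added example (not from the original post): redo the trust between a
# FireWall-1 4.1 management server and a gateway after the gateway's
# address changed. Run once on EACH host, giving its own address first and
# the peer's address second, and type the same shared password both times:
#   on the management server:  sh redo_putkey.sh <mgmt_ip> <gw_ip>
#   on the gateway:            sh redo_putkey.sh <gw_ip>   <mgmt_ip>
# Set DRY_RUN=1 to print the commands instead of executing them.
# The dry-run wrapper and the address validation are constructed for this
# example; the fw putkey / fwstop / fwstart invocations are the 4.1 CLI.

# is_ipv4 <string>: exactly four dot-separated decimal octets, each 0..255.
# Catches the common putkey mistake of passing a host name or a typo where
# the identity address is expected.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    n=0
    rest=$1
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] 2>/dev/null || return 1
        n=$((n + 1))
        [ "$rest" = "$octet" ] && break
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# run <cmd...>: execute, or only print when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# putkey_side <my_ip> <peer_ip>: one side of the exchange.
# -n binds this host's identity to the address the peer will see; on a
# multi-homed box that must be the interface facing the peer, not just any
# local address. fw putkey prompts for the shared password interactively.
# The new key is only used by control connections after a restart.
putkey_side() {
    my_ip=$1
    peer_ip=$2
    is_ipv4 "$my_ip"   || { echo "bad local address: $my_ip" >&2; return 1; }
    is_ipv4 "$peer_ip" || { echo "bad peer address: $peer_ip" >&2; return 1; }
    [ "$my_ip" != "$peer_ip" ] || { echo "local and peer address are identical" >&2; return 1; }
    run fw putkey -n "$my_ip" "$peer_ip" || return 1
    run fwstop || return 1
    run fwstart
}

# Entry point when invoked as a script with two addresses.
if [ $# -eq 2 ]; then
    putkey_side "$1" "$2"
fi
```

The order matters less than the symmetry: whichever side runs first, the other side must use the same password and the mirrored pair of addresses, and both sides need the restart before the gateway can fetch a policy or ship logs again. If the peer still rejects the connection afterwards, the usual culprit is a `-n` address that does not match the source address the peer observes (NAT or a different interface in the path).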



Comments

The issue is resolved. Not sure about the mechanics of why, but after multiple failed putkey manipulations (which had been done ad nauseam from the outset), I ended up opening an Accept All policy on the EEC from the GW and it worked straight away. FW control connections were always accepted by default. Go figure.



-- RobertGraham (http://www.phoneboy.com/bin/view.pl/Main/RobertGraham) - 02 Feb 2004

FAQForm (http://www.phoneboy.com/bin/view.pl/FAQs/FAQForm)
FAQs.Class: RemoteManagementFAQs (http://www.phoneboy.com/bin/view.pl/FAQs/RemoteManagementFAQs), TroubleshootingFAQs (http://www.phoneboy.com/bin/view.pl/FAQs/TroubleshootingFAQs)
FAQs.OS: OsSolaris (http://www.phoneboy.com/bin/view.pl/FAQs/OsSolaris)
FAQs.Version: