SecureClient working with NGX



djbutler
2005-12-22, 09:10
Hi, I'm after help with a problem of SecureClient working to firewalls installed with NGX. Remote users were working ok to NG_AI but failed once the firewalls were upgraded to NGX. When reverted back to NG_AI access ok again.
Subsequent testing implied that the problem was with the IKE Phase1 key exchange (default using UDP 500). The SecureClient diagnostics showed the failure, with an error 108.
Also we found that the problem only occurred if the firewall was a member of a cluster object. If used as a single firewall object it worked ok. It also worked as a cluster member if IKE over TCP was used. The NGX fix has been applied to both the management server and firewall.
Checkpoint is running on Nokias using IPSO 3.9

chillyjim
2005-12-22, 09:26
What version of SC are you using?

Are you using IPSO cluster or ClusterXL?

What "mode" (Unicast/pivot or Multicast/New-mode)?

Try it with pivot mode if you're not using that. Multicast mode still has problems with some switch/routers that are not fully RFC compliant with the multicast specs.

-jlh

djbutler
2005-12-23, 06:05
Jim

Thanks for the reply. The SC being used is R56. We're not using either IPSO clustering or ClusterXL. The firewalls (Nokia IP530 hardware) are set up in a simple failover pair using monitored cct. This works fine in NG_AI.

david

chillyjim
2005-12-23, 08:18
Making sure I understand....

R60 VPN-1 on IPSO 3.9 w/ VRRP HA

R56 SC/SR

Works with TCP encapsulation but fails with just UDP encap.
========

Did you try the R60 SC/SR? I can't find any reference to that error but I don't have access to the Nokia KB.

djbutler
2006-01-04, 11:05
Jim, Firewalls are IP530 running IPSO 3.9. They are set up as a HA pair using VRRP monitored cct. When using NG_AI vpn access using SecureClient works fine. Upgrading to NGX access fails, not even able to create site, using default of UDP IKE. If IKE over TCP is used site creates ok. No difference whether SC R56 or R60 used.
In a test environment with a single firewall at NGX vpn access ok. If that firewall is made a member of a cluster access fails.

chillyjim
2006-01-04, 14:18
Using IKE over TCP, does everything keep working after the site is created?

I seem to remember something about IKE UDP and cluster problems, but I don't remember it being an R60 issue. I'll take another look through the KB.

-jlh

djbutler
2006-01-06, 09:45
Jim, using IKE over TCP the site is created and then you are able to login ok

Sergej
2006-01-06, 13:58
> Jim, using IKE over TCP the site is created and then you are able to login ok

Are the users stored locally or on LDAP server?

djbutler
2006-01-10, 06:19
> Are the users stored locally or on LDAP server?

Users are stored locally

chillyjim
2006-01-10, 12:14
> Jim, using IKE over TCP the site is created and then you are able to login ok

I can't find the KB number, but this is one of the things IKE over TCP is meant to take care of.

If it works with IKE/TCP, is using that an issue?

-jlh

djbutler
2006-01-13, 11:18
> I can't find the KB number, but this is one of the things IKE over TCP is meant to take care of.
>
> If it works with IKE/TCP, is using that an issue?
>
> -jlh

Jim, At present remote users are working fine through NG_AI firewalls and to be honest I don't want them making changes to settings.