[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [FW1] SecuRemote 4166/Win2K changes from udp to esp mid-sessi on
I'm forcing udp encapsulation by virtue of being generally skeptical of autonegotiation. By the same token, I would rather force a port on a switch into 100Mb-Full Duplex than hope the switch and the server/NIC can come to a common understanding. I'll pull out the forced mode and try it, but part of me hope it doesn't fix the issue. Thanks, -Brian > -----Original Message----- > From: Byoung Sun Yu [mailto:[email protected]] > Sent: Friday, January 12, 2001 10:47 AM > To: 'Minder, Brian'; [email protected] > Subject: RE: [FW1] SecuRemote 4166/Win2K changes from udp to esp > mid-session > > > > I haven't seen this before, but let me suggest one thing. > Why do you force udp encapsulation? You don't have to force it. FW can > automatically detect whether it is behind the NAT device or > not. There are > some exceptions that NAT devices which does not change port > number even in > Hide NAT. In such cases, you might want to 'force' it. But in > general, you > are not supposed to use forced mode for encapsulation. > > So I suggest to try without forced mode. But I'm just > suggesting this to see > if there is any difference and to find any work around to > this problem. > > In my experiences, CP's product on W2K needs to be more > polished regardless > it is FW or SR. I wouldn't be suprised if you see this kind > of weirdness. > > Thanks, > > Sun Yu, CISSP > Lucent Worldwide Services > > > > -----Original Message----- > > From: [email protected] > > [mailto:[email protected]]On Behalf Of > > Minder, Brian > > Sent: Friday, January 12, 2001 8:39 AM > > To: [email protected] > > Subject: [FW1] SecuRemote 4166/Win2K changes from udp to esp > > mid-session > > > > > > > > > > I'm testing SecuRemote build 4166 on Win2K and I've noticed > consistent > > oddness. While I have "force_udp_encapsulation (true)" on > > the client, the > > session seems to change back and forth from udp to esp over > > time. Clients > > with routable addresses continue to function, but this breaks > > clients who > > are connecting from behind a NAT device. Anyone have any > > insight as to what > > might cause this? I am not experiencing this issue with other > > builds/platforms. Dumps of portions of the session are below. > > > > Thanks, > > > > -Brian > > > > Here's the problem environment: > > > > P440 running 4.1-SP2/IPSO-3.2.1 > > Hybrid IKE w/ TACACS > > Win2K SP1 w/ SecuRemote 4166 with "force_udp_encapsulation (true)" > > > > > > > > The symptoms are: > > > > The client connects, is challenged, and authenticates. > Everything is > > working great, sometimes for quite a while. A tcpdump of the > > connection > > shows something like the following: > > > > 13:23:34.332713 roadwarrior.2746 > myfirewall.2746: udp 196 > > 13:23:34.335601 myfirewall.2746 > roadwarrior.2746: udp 588 > > 13:23:34.688933 roadwarrior.2746 > myfirewall.2746: udp 148 > > 13:23:34.689969 myfirewall.2746 > roadwarrior.2746: udp 172 > > 13:23:34.989065 roadwarrior.2746 > myfirewall.2746: udp 172 > > 13:23:34.989882 myfirewall.2746 > roadwarrior.2746: udp 108 > > > > After some period of time there's some keying traffic, and > > the session is > > suddenly over esp! At this point a client who is connecting > > from behind a > > NAT device gets the message "Connection with site SITENAME > > has failed" and > > has to reboot (not just restart SecuRemote) to reconnect. > > > > 13:32:51.297712 roadwarrior.isakmp > myfirewall.isakmp: isakmp v1.0 > > exchange QUICK_MODE encrypted > > cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: > > 42fd0406 len: 164 > > 13:32:51.300268 roadwarrior.isakmp > myfirewall.isakmp: isakmp v1.0 > > exchange QUICK_MODE encrypted > > cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: > > 5dc43f5f len: 60 > > 13:32:51.311456 myfirewall.isakmp > roadwarrior.isakmp: isakmp v1.0 > > exchange QUICK_MODE encrypted > > cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: > > 42fd0406 len: 60 > > 13:32:51.339565 roadwarrior.isakmp > myfirewall.isakmp: isakmp v1.0 > > exchange QUICK_MODE encrypted > > cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: > > 5dc43f5f len: 60 > > 13:32:51.428555 myfirewall.isakmp > roadwarrior.isakmp: isakmp v1.0 > > exchange QUICK_MODE encrypted > > cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: > > 42fd0406 len: 60 > > 13:32:51.538545 myfirewall.isakmp > roadwarrior.isakmp: isakmp v1.0 > > exchange QUICK_MODE encrypted > > cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: > > 42fd0406 len: 60 > > 13:33:08.798800 esp roadwarrior > myfirewall spi 0x9B73C1CA > > seq 1 len 124 > > 13:33:08.799560 esp myfirewall > roadwarrior spi 0x90B9CDF6 > > seq 1 len 124 > > 13:33:09.134993 esp roadwarrior > myfirewall spi 0x9B73C1CA > > seq 2 len 76 > > 13:33:15.235756 esp roadwarrior > myfirewall spi 0x9B73C1CA > > seq 3 len 452 > > 13:33:15.249257 esp myfirewall > roadwarrior spi 0x90B9CDF6 > > seq 2 len 84 > > 13:33:41.612521 esp roadwarrior > myfirewall spi 0x9B73C1CA > > seq 4 len 124 > > 13:33:41.613161 esp myfirewall > roadwarrior spi 0x90B9CDF6 > > seq 3 len 124 > > 13:33:41.979623 esp roadwarrior > myfirewall spi 0x9B73C1CA > > seq 5 len 76 > > > > Even better, sometimes after a rekey the client is using udp > > encapsulation > > while the FW is using esp, or vice versa: > > > > 13:51:12.284988 roadwarrior.isakmp > myfirewall.773: isakmp > > v1.0 exchange > > QUICK_MODE encrypted > > cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: > > 14cd7e32 len: 60 > > 13:51:12.374089 myfirewall.773 > roadwarrior.isakmp: isakmp > > v1.0 exchange > > QUICK_MODE encrypted > > cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: > > 7e5149e2 len: 60 > > 13:51:12.385145 roadwarrior.isakmp > myfirewall.773: isakmp > > v1.0 exchange > > QUICK_MODE encrypted > > cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: > > 14cd7e32 len: 60 > > 13:51:12.484044 myfirewall.773 > roadwarrior.isakmp: isakmp > > v1.0 exchange > > QUICK_MODE encrypted > > cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: > > 7e5149e2 len: 60 > > 13:51:19.253692 esp roadwarrior > myfirewall spi 0x9B73C1CD > > seq 1 len 452 > > 13:51:19.265618 myfirewall.2746 > roadwarrior.2746: udp 76 > > 13:51:44.409883 esp roadwarrior > myfirewall spi 0x9B73C1CD > > seq 2 len 124 > > 13:51:44.410559 myfirewall.2746 > roadwarrior.2746: udp 116 > > 13:51:44.810868 esp roadwarrior > myfirewall spi 0x9B73C1CD > > seq 3 len 76 > > 13:52:17.206839 esp roadwarrior > myfirewall spi 0x9B73C1CD > > seq 4 len 124 > > 13:52:17.207597 myfirewall.2746 > roadwarrior.2746: udp 116 > > 13:52:17.545791 esp roadwarrior > myfirewall spi 0x9B73C1CD > > seq 5 len 76 > > ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|