Re: [FW-1] Checkpoint/Netscreen VPN IKE Error Messages
Thanks to all who have contributed advice. Unfortunately I still don't have a working solution.

I installed another test NT server running CP 4.1 SP5 on the same networks, using the identical Checkpoint policy and the same Netscreen box and policy on the other end, and the VPN site-to-site came up fine with both Phase 1 and Phase 2, and traffic was encrypted. The MTU sizes on the NIC cards were set the same; the only items different from the production box were the IP addresses on the interfaces and the NT 4.0 SP5 on the test box instead of NT SP6a.

The production box had an accelerator card (Broadcom), and I removed that, and had the same problem. I even reinstalled Checkpoint 4.1 from scratch on the production server with the appropriate SPs and Hotfixes, copying over only the rulebases.fws, objects.C, standard.W, and the fwauth.NBD files from the original install, and I got the same results. Since I also tried another CP firewall on a different ISP and got that one working, it must be something specific with this server.

I discovered that a couple of Securemote users on Ethernet connections seem to be having connection timeout problems, and I saw similar Payload malformed messages for them in the log viewer. However, the connections do go through most of the time, and another CP to CP site-to-site connection on the production box is working fine.

Below is a summary of the log viewer message sequence (CP = Checkpoint, NS = Netscreen):

Action       Source          Destination     Info
key install  CP FW           NS FW           IKE Log: Phase 1 completion 3DES/SHA1/Pre-Shared secrets....
key install  CP FW           NS FW           Combined ESP: 3DES+SHA1 (Phase 2 completion) for subnet: CP subnet & NS subnet
encrypt      CP Internal PC  NS Internal PC  icmp-type 8 IKE Methods: Combined ESP: 3DES+SHA1
key install  CP FW           NS FW           IKE Log: Received Notification from Peer: Payload Malformed...
key install  CP FW           NS FW           IKE Log: Received Delete SA from Peer: NS IP ....
============================
Dave Parmer
Senior Network Engineer
Distributed Systems Services
[email protected]


"Bullock, Jason" <JBullock@rmhteleservices.com>
01/18/2002 12:08 PM
To: "'[email protected]'" <[email protected]>
cc:
Subject: RE: [FW-1] Checkpoint/Netscreen VPN IKE Error Messages


-----Original Message-----
From: Lloyd J. Rochon III [mailto:[email protected]]
Sent: Thursday, January 17, 2002 07:46 PM
To: [email protected]
Subject: Re: [FW-1] Checkpoint/Netscreen VPN IKE Error Messages

Dave,

What Netscreen OS are you using?

Lloyd J. Rochon III
Avantcom Network, Inc
Network Engineering Manager
CCIE, CCSE, CISSP, MSCE + I, MCT, CNE, NETWORK +, A+, ASE
www.avantcom.net


Dave,

I am seeing a similar issue with a point to point connection. Did you get any good feedback?

Jason Bullock
Senior Network Engineer
Network Services
RMH Teleservices Inc.
40 Morris Ave
Bryn Mawr, PA 19010
pxt.273
e. [email protected]


-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, January 15, 2002 10:12 AM
To: [email protected]
Subject: [FW-1] Checkpoint/Netscreen VPN IKE Error Messages

Hello,

We are having trouble for the past few weeks trying to get a Netscreen 5 to an NT 4.0 Checkpoint 4.1 SP5 site to site VPN operational. Generally IKE Phase 1 completes between the firewalls, but only very infrequently does IKE Phase 2 complete between the firewalls, according to the Checkpoint and Netscreen logs. When Phase 2 does complete, outbound traffic is encrypted but the return decrypts do not come back. We have encryption schemes identical for Phase 1 & Phase 2 between the Checkpoint & Netscreen boxes. When Phase 2 does not complete, messages in the log viewer include "Received delete SA from Peer" and "Received Notification from Peer: payload malformed", with the source address being the Checkpoint firewall and the destination being the Netscreen.
Just for kicks, we tried creating a VPN connection to two other Checkpoint 4.1 sites (one had NT 4.0 using 4.1 SP2 and another had W2K using 4.1 SP5) using the same Netscreen 5 box with identical encryption properties, and both Phase 1 & Phase 2 became operational, and traffic was being encrypted and decrypted in both directions. Thus I eliminated the possibility that the Netscreen may be the issue.

I then compared a few files on the various firewalls (crypt.def, objects.C), and could not find anything except cosmetic items that were different. I also tried the various debugging tools (fw monitor, fw -d d, FWIKE_DEBUG), and have examined the resultant file output, and was not able to decipher anything enlightening from these files, although I must admit that I don't know exactly what kind of packet flow or sequencing I should be looking for.

Thanks in advance for any assistance.

============================
Dave Parmer
Senior Network Engineer
Distributed Systems Services
[email protected]

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
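As an added example that is not part of the thread or either vendor's tooling: a small Python parser that folds a Check Point log viewer sequence like the one Dave quotes into per-peer IKE/IPsec state and names the failure mode (Phase 2 completed but the peer answered Payload Malformed and then Delete SA, versus a one-way tunnel that encrypts but never decrypts, versus healthy). The sample log lines, host names and the PEER_GATEWAY map are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample (Action|Source|Destination|Info) modelled on the thread's log viewer sequence; hosts are placeholders.
SAMPLE_LOG = """\
key install|CP_FW|NS_FW|IKE Log: Phase 1 completion 3DES/SHA1/Pre-Shared secrets
key install|CP_FW|NS_FW|Combined ESP: 3DES+SHA1 (Phase 2 completion) for subnet: CP subnet & NS subnet
encrypt|CP_PC|NS_PC|icmp-type 8 IKE Methods: Combined ESP: 3DES+SHA1
key install|CP_FW|NS_FW|IKE Log: Received Notification from Peer: Payload Malformed
key install|CP_FW|NS_FW|IKE Log: Received Delete SA from Peer: NS_FW
key install|CP_FW|CP2_FW|IKE Log: Phase 1 completion 3DES/SHA1/Pre-Shared secrets
key install|CP_FW|CP2_FW|Combined ESP: 3DES+SHA1 (Phase 2 completion) for subnet: CP subnet & CP2 subnet
encrypt|CP_PC|CP2_PC|icmp-type 8 IKE Methods: Combined ESP: 3DES+SHA1
decrypt|CP2_PC|CP_PC|icmp-type 0 IKE Methods: Combined ESP: 3DES+SHA1
"""
# Assumed topology for the sample: which remote gateway each remote host sits behind.
PEER_GATEWAY = {"NS_PC": "NS_FW", "CP2_PC": "CP2_FW"}

def parse_tunnels(log_text):
    # Per remote gateway: IKE phase results, traffic counters, peer notifications, SA deletion.
    tunnels = defaultdict(lambda: {"phase1": False, "phase2": False, "encrypt": 0,
                                   "decrypt": 0, "notify": [], "deleted": False})
    for line in filter(str.strip, log_text.splitlines()):
        action, src, dst, info = line.split("|", 3)
        if action == "key install":          # IKE events are logged gateway to gateway
            t = tunnels[dst]
            if "Phase 1 completion" in info:
                t["phase1"] = True
            elif "Phase 2 completion" in info:
                t["phase2"] = True
            elif m := re.search(r"Received Notification from Peer: (.+)", info):
                t["notify"].append(m.group(1).strip())
            elif "Received Delete SA" in info:
                t["deleted"] = True
        elif action == "encrypt":            # outbound traffic entering the tunnel
            tunnels[PEER_GATEWAY[dst]]["encrypt"] += 1
        elif action == "decrypt":            # return traffic that actually came back
            tunnels[PEER_GATEWAY[src]]["decrypt"] += 1
    return dict(tunnels)

def diagnose(t):
    # Map one tunnel's state to the symptoms described in the thread.
    if not t["phase1"]:
        return "phase1-failed"
    if not t["phase2"]:
        return "phase2-never-completed"
    if t["deleted"]:
        return "phase2-torn-down-by-peer: " + ", ".join(t["notify"] or ["no notification"])
    if t["encrypt"] and not t["decrypt"]:
        return "one-way: encrypting but nothing decrypted from peer"
    return "healthy"
```

Run it over a real export with the same four columns and the "torn-down-by-peer" verdict isolates the peers whose Phase 2 SA is being deleted right after it comes up, which is the pattern to take to the peer's IKE debug output.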