[FW-1] Help please: VPN failover not working
Hi everyone... this one is complicated; I hope there's a guru out there with a little time. I'm having difficulties with VPN failover on a 2-node cluster with Check Point FW-1 and Stonebeat. When I try to set one of the nodes offline I get an error:

    "encryption failure: Packet is dropped as there is no valid SA"

Data:
  FW-1 version: Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 1 Build 51129
  Stonebeat version: 3.0 (Build 3031) + SP1 + HF 1-5
  OS: Solaris 8 32b
  Identical nodes. Identical software on the management station.

I thought there was a problem with sync, but the nodes seem to sync well. Failover of standard sessions works OK. I then thought there was a problem syncing only the SAs, but I used the "vpn tu" command on both nodes and both the IKE SAs and the IPsec SAs are the same on both nodes of the cluster... so it seems that the SA info IS really getting synced correctly.

I see the following errors in the messages log file on the nodes when trying to fail over:

  Aug 28 12:33:09 cerberuse1 fw: [ID 899376 kern.notice] post_sync_outbound_sa_tab: added dummy entry for LS
  Aug 28 12:34:07 cerberuse1 fw: [ID 340482 kern.notice] ERROR: del_outbound_spi_from_msa: could not get msa kbuf
  Aug 28 12:34:07 cerberuse1 fw: [ID 999858 kern.notice] fwipsec_free_outbound_SA: failed to delete from MSA
  Aug 28 12:34:07 cerberuse1 fw: [ID 271080 kern.notice] decrement_MSPI_ref_count: could not get kbuf for mspi 0
  Aug 28 12:34:07 cerberuse1 fw: [ID 855040 kern.notice] fwipsec_free_outbound_SA: ref count error

It seems to me there's a problem managing SA information in the fw kernel, but I am at a total loss as to how this could be fixed.
One other clue which may help is the following list of SPIs obtained with the "vpn tu" command:

  ALL IPSEC SA
  ------------
  -------- Inbound --------
  Peer: 147.83.204.131 SPI: 94743601
  Peer: 147.83.204.131 SPI: 94743603
  Peer: 147.83.204.131 SPI: 94743605
  Peer: 147.83.204.131 SPI: 1ec59c14
  -------- Outbound --------
  Peer: 147.83.204.131 SPI: 917134bd
  Peer: 147.83.204.131 SPI: 917134be
  Peer: 147.83.204.131 SPI: 917134bc
  Peer: 147.83.204.131 SPI: 917134ba

Is it normal to have multiple SPIs per peer? Should there be only one SPI per peer? I'm not very sure if this is an error or not, really; I'm just trying to give as much info as possible.

I do know that the configuration should work, because I have an identical cluster which is working, but I have set up this cluster the same way and I'm missing something which I just can't seem to find now...

Any help, comment, guide, whatever would be _VERY_ much appreciated! Thank you for your time in advance.

Matías Bevilacqua.

____________________________________________________________________________
Matías Bevilacqua Trabado
esCERT-UPC
PGP-ID: 0x3FFD6E18
PGP Fingerprint: 9FA3 06A1 3CAE 5996 1716 D9DF 3CE7 E88D 3FFD 6E18
___________________________________________________________________
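The check the post describes (run "vpn tu" on both cluster members and confirm the SA tables match), written out as an added example; this is not part of the original post and not Check Point's code. The line format ("Peer: <ip> SPI: <hex>" under an "-------- Inbound --------" / "-------- Outbound --------" banner) is assumed from the listing above; NODE_A is that listing restored to one entry per line, and NODE_B is a constructed second member with one outbound SPI removed so the comparison has something to report. The script compares SPI sets per peer and direction rather than expecting one SPI per peer: several SAs per peer in one direction are normal (one per negotiated subnet pair, plus the old SA that stays until it expires during a rekey), so a count alone says nothing about sync.

```python
"""Compare the IPsec SA tables reported by `vpn tu` on two cluster members.

Added example for this thread; not Check Point code. The entry format is
assumed from the listing in the post; both inputs below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: the post's listing, one SA per line.
NODE_A = """\
ALL IPSEC SA
------------
-------- Inbound --------
Peer: 147.83.204.131 SPI: 94743601
Peer: 147.83.204.131 SPI: 94743603
Peer: 147.83.204.131 SPI: 94743605
Peer: 147.83.204.131 SPI: 1ec59c14
-------- Outbound --------
Peer: 147.83.204.131 SPI: 917134bd
Peer: 147.83.204.131 SPI: 917134be
Peer: 147.83.204.131 SPI: 917134bc
Peer: 147.83.204.131 SPI: 917134ba
"""

# Constructed second member: outbound SPI 917134ba is missing, i.e. a sync gap.
NODE_B = """\
ALL IPSEC SA
------------
-------- Inbound --------
Peer: 147.83.204.131 SPI: 94743601
Peer: 147.83.204.131 SPI: 94743603
Peer: 147.83.204.131 SPI: 94743605
Peer: 147.83.204.131 SPI: 1ec59c14
-------- Outbound --------
Peer: 147.83.204.131 SPI: 917134bd
Peer: 147.83.204.131 SPI: 917134be
Peer: 147.83.204.131 SPI: 917134bc
"""

DIRECTION_RE = re.compile(r"^-+\s*(Inbound|Outbound)\s*-+$")
ENTRY_RE = re.compile(r"^Peer:\s*(\S+)\s+SPI:\s*([0-9A-Fa-f]+)\s*$")


def parse_vpn_tu(text):
    """Return {(direction, peer): {spi, ...}} from a `vpn tu` SA listing.

    SPIs are stored as integers so that a leading-zero difference in how
    the tool prints them cannot produce a false mismatch.
    """
    table = defaultdict(set)
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIRECTION_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and direction:
            peer, spi_hex = m.groups()
            table[(direction, peer)].add(int(spi_hex, 16))
        # Banner, separator and blank lines are ignored.
    return dict(table)


def compare_sa_tables(a, b):
    """List every (direction, peer) whose SPI set differs between two members.

    SPIs present on only one side are returned as hex strings so they can be
    matched against the original `vpn tu` output.
    """
    diffs = []
    for key in sorted(set(a) | set(b)):
        only_a = a.get(key, set()) - b.get(key, set())
        only_b = b.get(key, set()) - a.get(key, set())
        if only_a or only_b:
            direction, peer = key
            diffs.append({
                "direction": direction,
                "peer": peer,
                "only_on_a": sorted(f"{s:x}" for s in only_a),
                "only_on_b": sorted(f"{s:x}" for s in only_b),
            })
    return diffs


def spi_counts(table):
    """Number of SPIs per (direction, peer), for a quick sanity overview."""
    return {key: len(spis) for key, spis in table.items()}


if __name__ == "__main__":
    a, b = parse_vpn_tu(NODE_A), parse_vpn_tu(NODE_B)
    for key, n in sorted(spi_counts(a).items()):
        print(f"A {key[0]} {key[1]}: {n} SA(s)")
    for d in compare_sa_tables(a, b):
        print(f"MISMATCH {d['direction']} {d['peer']}: "
              f"only on A {d['only_on_a']}, only on B {d['only_on_b']}")
```

To use it against real members, capture "vpn tu" output on each node into a file and pass the file contents to parse_vpn_tu; an empty result from compare_sa_tables means the SPI sets agree, which is the condition the post was trying to establish by eye.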