Re: [FW-1] VPN stopped working suddenly!!
Interesting problem. I was trying to specifically generate key exchange
traffic when I saw none, but I was unsuccessful. What's the best way to do
this other than pushing the policy and forcing SR updates?

Thanks!
...
Chris

> -----Original Message-----
> From: <Aaron Reynolds> [mailto:[email protected]]
> Sent: Monday, September 16, 2002 5:11 PM
> To: [email protected]
> Subject: Re: [FW-1] VPN stopped working suddenly!!
>
>
> Don't know about FP2, but 4.1 SP6 has a bug, in which the isakmpd daemon
> will run up CPU utilization and not recover. I got a bunch of the
> "InvokeIsakmpServer: can't bind socket: Operation not permitted" errors
> during the initial troubleshooting of this. Check to see whether your
> firewall responds to any key exchange traffic (udp 500). Ours did not,
> until we did a "kill -9" on the isakmpd PID. An fwstop/fwstart would not
> kill the isakmpd daemon, and that is when we would get the "can't bind
> socket" errors. fwstart would try to start the daemon, when it was already
> running. Let me know.
>
> -Aaron
>
> -----Original Message-----
> From: Chris Moore [mailto:[email protected]]
> Sent: Monday, September 16, 2002 1:15 PM
> To: [email protected]
> Subject: [FW-1] VPN stopped working suddenly!!
>
>
> Hello,
>
> All of a sudden, all VPN activity stopped without notice. Here are the
> errors I have observed (some never seen!):
>
>
> ------------------------------------------------------------
> in FW1 log:
> ===========
> 1. (any VPN traffic) drop --> encryption failure: Encryption/Decryption
> failure
> 2. (any VPN traffic) drop --> encryption failure: temporary unavailable
> resources
> 3. (last FW1 specific entries)
> 9/14 - 18:57 key install (SR user)
> 9/14 - 19:05 decrypt (SR user)
> 9/14 - 19:44 login (SR user)
> 9/14 - 19:45 key install --> Internal_CA: General CRL renewed (???)
>
> debug info:
> ===========
> vpnd.elg --> InvokeIsakmpServer: can't bind socket: Operation not
> permitted
>
> fwd.elg --> fwauthd: cannot run server in.aufpd: Authentication Services
> are unavailable. Connection refused.
>
> fwd.elg --> fwsync: failed to read cluster sync mode!
> ------------------------------------------------------------
>
>
> As for the fw.log entries, there have been no more "key install" actions
> since the date above (including site-site and site-client VPN's). The SR
> error is the same old "communication with site x.x.x.x has failed".
>
> Can anyone give me a clue as to what the problem might be?
>
> I've tried restarting the FW1 services (cprestart). I've also checked the
> routing tables and NAT rules...everything in order as always.
>
> My config:
> ==========
> FW1 NG-FP2 Build 52163
> Redhat 7.2 - kernel 2.4
>
>
> Thanks as always!
> ...
> Chris
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
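Aaron's advice in the thread is to check whether the gateway still answers key exchange traffic on udp 500 and whether a leftover isakmpd is what keeps the new instance from binding. As an added example that is not part of the thread and not Check Point's own code, here is a small Python script that runs that check locally on the gateway: it reads netstat-style output to see which process owns udp/500, scans a vpnd.elg excerpt for the "can't bind socket" line quoted above, and classifies the state. The netstat and log samples, the PIDs and the program names in it are constructed for illustration.

```python
"""Local checks for the symptom in this thread: vpnd.elg reporting
"InvokeIsakmpServer: can't bind socket" while a previous isakmpd still
owns udp/500.  Added example, not Check Point code; the netstat and
vpnd.elg samples are constructed and the PID/program values are made up."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of `netstat -anup` output on a Linux host.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:500             0.0.0.0:*                           1234/isakmpd
udp        0      0 0.0.0.0:259             0.0.0.0:*                           1210/fwd
"""

# Constructed vpnd.elg excerpt echoing the message quoted in the thread.
VPND_ELG_SAMPLE = """\
[16 Sep 13:02:11] vpnd: started
[16 Sep 13:02:12] InvokeIsakmpServer: can't bind socket: Operation not permitted
[16 Sep 13:02:12] InvokeIsakmpServer: can't bind socket: Operation not permitted
"""

BIND_ERR = re.compile(r"InvokeIsakmpServer: can't bind socket")
# UDP rows carry no State column, so PID/Program follows the foreign address.
UDP_ROW = re.compile(
    r"^udp\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+\s+(?P<pid>\d+)/(?P<prog>\S+)", re.M)


@dataclass
class PortHolder:
    pid: int
    program: str


def udp_port_holder(netstat_output: str, port: int = 500) -> Optional[PortHolder]:
    """Which process (if any) has the UDP port bound, according to netstat."""
    for m in UDP_ROW.finditer(netstat_output):
        if int(m.group("port")) == port:
            return PortHolder(int(m.group("pid")), m.group("prog"))
    return None


def count_bind_failures(elg_text: str) -> int:
    """Number of "can't bind socket" lines in a vpnd.elg excerpt."""
    return sum(1 for line in elg_text.splitlines() if BIND_ERR.search(line))


def diagnose(netstat_output: str, elg_text: str, daemon: str = "isakmpd") -> str:
    """Classify the IKE listener state into a short verdict string."""
    holder = udp_port_holder(netstat_output)
    failures = count_bind_failures(elg_text)
    if holder is None:
        # Nothing listens: VPN peers get no answer on udp/500 at all.
        return "no-listener" if failures == 0 else "bind-failed-unbound"
    if holder.program != daemon:
        # Some other process took the port; isakmpd can never bind it.
        return "port-held-by-%s" % holder.program
    if failures:
        # The thread's case: fwstop left the old isakmpd alive and the
        # instance fwstart launched cannot bind.  Remedy from the thread:
        # kill the PID shown, restart, then confirm udp/500 answers again.
        return "stale-daemon-pid-%d" % holder.pid
    return "ok-pid-%d" % holder.pid


if __name__ == "__main__":
    print(diagnose(NETSTAT_SAMPLE, VPND_ELG_SAMPLE))  # stale-daemon-pid-1234
```

On a real gateway, feed `diagnose()` the output of `netstat -anup` (the process column needs root) and the tail of the vpnd.elg file instead of the constructed samples; a "stale-daemon" verdict is the condition Aaron describes, while "no-listener" with no bind errors means isakmpd simply is not running.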