Hello Sergio,
I have never seen such a problem, but...
As far as I know, in the latest CP versions the worst thing that can be
done in order to stop voice traffic is changing the advanced proto
settings to "none".
Usually the thing that can help is configuring voice "by the book"; in my
experience with SIP, it works in 85% of cases.
I mean configuring a voice domain, etc.
One more thing you can try as a test: install Endpoint Connect R75.10
and test with it. Generally it uses the same 443 in order to
connect, just a different client and more options for configuration.
Alexey

On Wed, Jul 20, 2011 at 2:04 AM, Sergio Alvarez <seral...@gmail.com> wrote:
> Hello.
>
> This customer of ours has an active/standby SPLAT cluster with SNX enabled
> (bear in mind there is no Connectra involved here), everything worked
> perfect until a migration from R70.20 to R75 was done and since then, SNX
> users getting connected to the cluster can access all services they used to
> with the exception of a VoIP service (H323), they can even ping to the
> server related but the application just won't work. No config changes had
> been done since it was working ok.
>
> Logs show a few drops of H323 traffic from an Office Mode IP, assigned to a
> test user, the drops show no rule related and the info says: "dst scheme:
> NA; dst methods: SSL; route status: Failed to enforce VPN policy (8)" I
> looked for that message and found something similar related with an
> encryption problem not related with this scenario.
>
> Did a zdebug to find out what was dropped and found a few extra messages
> like the ones below:
>
> ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 X.X.X.X:34524 ->
> Y.Y.Y.Y:1720 dropped by vpn_drop_and_log Reason: Failed to enforce
> VPN policy (8);
>
> ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 Y.Y.Y.Y:1720 ->
> X.X.X.X:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have
> to be tunneled;
>
> Where X.X.X.X is the Office Mode IP assigned to the user and Y.Y.Y.Y is the
> IP of the VoIP server.
>
> We could not find anything about those either. A case is opened already with
> CP support but no answers have been received and the situation is becoming
> more critical as time goes by.
>
> It was already checked the rule allowing the traffic is specific on H323 on
> the "service" section and also to change to "none" the advanced properties
> of the H323 service object, but with no luck.
>
> Has anybody seen something like this before?
>
> Any help will be very appreciated.
>
> --
> Sergio Alvarez
> CISSP | CCSE+
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to lists...@amadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-ow...@ts.checkpoint.com
> =================================================
>



-- 
Sincerely,

Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
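
The two zdebug drop records quoted in this thread, parsed and grouped by dropping function and reason, as an added example that is not part of either message. The sample input is constructed from the quoted lines, and the names `parse_drops` and `summarize` are hypothetical; the direction label only marks which side of the flow used TCP 1720, the H.323 call-signalling port.

```python
import re
from collections import Counter

# Constructed sample: the two drop records quoted in the thread, still
# line-wrapped and "> "-prefixed as the mail client left them.
SAMPLE = """\
> ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 X.X.X.X:34524 ->
> Y.Y.Y.Y:1720 dropped by vpn_drop_and_log Reason: Failed to enforce
> VPN policy (8);
>
> ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 Y.Y.Y.Y:1720 ->
> X.X.X.X:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have
> to be tunneled;
"""

DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>.*?);?\s*$"
)

def parse_drops(text):
    """Return one dict per complete fw_log_drop record, re-joining wrapped lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()    # strip mail quoting
        if "fw_log_drop:" in line:                     # start of a new record
            current = line
        elif current is not None and line:             # wrapped continuation
            current += " " + line
        if current is not None and current.endswith(";"):
            records.append(current)                    # ';' terminates a record
            current = None
    return [m.groupdict() for m in map(DROP_RE.search, records) if m]

def summarize(drops):
    """Count drops per (dropping function, reason, side using TCP 1720)."""
    def direction(d):
        if d["dport"] == "1720":
            return "to-1720"
        if d["sport"] == "1720":
            return "from-1720"
        return "other"
    return Counter((d["func"], d["reason"], direction(d)) for d in drops)

if __name__ == "__main__":
    for key, n in summarize(parse_drops(SAMPLE)).items():
        print(n, *key, sep=" | ")
```

Run over a longer capture, the summary shows whether the same two function/reason pairs account for every H.323 drop or whether other reasons appear as well.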
