Hello Sergio,
Actually, a lot of things were changed in the R75 and R75.10
versions; that's why things that previously were good can stop working now.
The idea of using Endpoint Connect is just to
understand whether the problem is with the client only or with the whole FW+VPN
daemon.
If the problem is with the client only, debugging should be done on the client;
possibly some new SNX release can solve it.
I hope you have a ticket opened with CP support and there is progress on it.
Alexey

On Thu, Jul 21, 2011 at 5:12 PM, Sergio Alvarez <seral...@gmail.com> wrote:
> Hello Alexey.
>
> Thanks for your reply. Actually it was all working perfect before changing
> version and the idea of changing the advanced settings in H323 to none was
> something we tried because it has helped in the past to solve VoIP issues,
> although it did not this time.
> About trying with Endpoint Connect, the deal here is the customer
> specifically acquired SNX licenses because they have hundreds of users on
> the field requiring remote access to services, and installing a VPN software
> client on each laptop had become a nightmare. Suggesting to go back to such
> scenario won't be acceptable for them.
>
> Any further suggestions will be very appreciated.
>
> Regards
>
> On Wed, Jul 20, 2011 at 2:38 AM, Alexey Baltacov <drongt...@gmail.com> wrote:
>
>> Hello Sergio,
>> I have never seen such a problem, but...
>> As far as I know, in the latest CP versions the worst thing that can be done
>> in order to stop voice traffic is changing the advanced proto settings to "none".
>> Usually the thing that can help is configuring voice "by the book"; in my
>> experience with SIP, it works in 85% of cases.
>> I mean configuring the voice domain, etc...
>> One more thing you can try as a test: install Endpoint Connect R75.10
>> and test with it. Generally it uses the same 443 in order to
>> connect, just a different client and more options for configuration.
>> Alexey
>>
>> On Wed, Jul 20, 2011 at 2:04 AM, Sergio Alvarez <seral...@gmail.com> wrote:
>> > Hello.
>> >
>> > This customer of ours has an active/standby SPLAT cluster with SNX enabled
>> > (bear in mind there is no Connectra involved here), everything worked
>> > perfect until a migration from R70.20 to R75 was done and since then, SNX
>> > users getting connected to the cluster can access all services they used to
>> > with the exception of a VoIP service (H323), they can even ping to the
>> > server related but the application just won't work. No config changes had
>> > been done since it was working ok.
>> >
>> > Logs show a few drops of H323 traffic from an Office Mode IP, assigned to a
>> > test user, the drops show no rule related and the info says: "dst scheme:
>> > NA; dst methods: SSL; route status: Failed to enforce VPN policy (8)" I
>> > looked for that message and found something similar related with an
>> > encryption problem not related with this scenario.
>> >
>> > Did a zdebug to find out what was dropped and found a few extra messages
>> > like the ones below:
>> >
>> > ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 X.X.X.X:34524 ->
>> > Y.Y.Y.Y:1720 dropped by vpn_drop_and_log Reason: Failed to enforce
>> > VPN policy (8);
>> >
>> > ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 Y.Y.Y.Y:1720 ->
>> > X.X.X.X:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have
>> > to be tunneled;
>> >
>> > Where X.X.X.X is the Office Mode IP assigned to the user and Y.Y.Y.Y is the
>> > IP of the VoIP server.
>> >
>> > We could not find anything about those either. A case is opened already with
>> > CP support but no answers have been received and the situation is becoming
>> > more critical as time goes by.
>> >
>> > It was already checked the rule allowing the traffic is specific on H323 on
>> > the "service" section and also to change to "none" the advanced properties
>> > of the H323 service object, but with no luck.
>> >
>> > Has anybody seen something like this before?
>> >
>> > Any help will be very appreciated.
>> >
>> > --
>> > Sergio Alvarez
>> > CISSP | CCSE+
>> >
>> > =================================================
>> > To set vacation, Out-Of-Office, or away messages,
>> > send an email to lists...@amadeus.us.checkpoint.com
>> > in the BODY of the email add:
>> > set fw-1-mailinglist nomail
>> > =================================================
>> > To unsubscribe from this mailing list,
>> > please see the instructions at
>> > http://www.checkpoint.com/services/mailing.html
>> > =================================================
>> > If you have any questions on how to change your
>> > subscription options, email
>> > fw-1-ow...@ts.checkpoint.com
>> > =================================================
>> >
>>
>>
>>
>> --
>> Sincerely,
>>
>> Alexey Baltacov
>> drongt...@gmail.com | Tel: +972-504989954
>>
>> Scanned by Check Point Total Security Gateway.
>>
>>
>
>
>
> --
> Sergio Alvarez
> CISSP | CCSE+
>
>
>



-- 
Sincerely,

Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
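
Added example, not part of the original thread or of any Check Point tooling: a small parser for the two fw_log_drop messages quoted in the first post, which groups drops by direction, dropping function and reason so both halves of the TCP 1720 flow can be compared. The field layout is assumed from those two lines only, and the function names are hypothetical.

```python
import re
from collections import Counter

# The two drop messages from the original post, copied with the mail client's
# quote prefixes and hard wraps; addresses are masked as in the post.
SAMPLE = """\
>> > ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 X.X.X.X:34524 ->
>> > Y.Y.Y.Y:1720 dropped by vpn_drop_and_log Reason: Failed to enforce
>> > VPN policy (8);
>> >
>> > ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 Y.Y.Y.Y:1720 ->
>> > X.X.X.X:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have
>> > to be tunneled;
"""

# Field layout assumed from those two lines only, not from vendor documentation.
DROP_RE = re.compile(
    r";\[(?P<cpu>cpu_\d+)\];\[(?P<inst>fw_\d+)\];fw_log_drop: Packet "
    r"proto=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) dropped by (?P<func>\S+) "
    r"Reason: (?P<reason>[^;]+);"
)

def unwrap(text):
    """Drop '>' quote prefixes and rejoin hard-wrapped lines into one string."""
    lines = (re.sub(r"^[>\s]+", "", ln).strip() for ln in text.splitlines())
    return " ".join(ln for ln in lines if ln)

def parse_drops(text):
    """Return one dict per fw_log_drop record, with ports as integers."""
    drops = []
    for m in DROP_RE.finditer(unwrap(text)):
        d = m.groupdict()
        for key in ("proto", "sport", "dport"):
            d[key] = int(d[key])
        d["reason"] = d["reason"].strip()
        drops.append(d)
    return drops

def summarise(drops, service_port=1720):
    """Count drops per (direction, dropping function, reason) for one service."""
    counts = Counter()
    for d in drops:
        direction = ("client->server" if d["dport"] == service_port else
                     "server->client" if d["sport"] == service_port else "other")
        counts[(direction, d["func"], d["reason"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarise(parse_drops(SAMPLE)).items():
        print(n, *key, sep=" | ")
```

On the sample from the post this shows the client-to-server packet dropped by vpn_drop_and_log and the server-to-client packet dropped by vpnktcp_tunnel_out, each once.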
