We have a similar issue on R62. We opened a service request and the CP guys are working on that problem. In our case the outgoing VM is dropping packets. When I get an update, I will send an email to this list. After performing kernel debugs, it seems that the problem is related to connection table link creation for ESP traffic.
We have a Cisco VPN concentrator in the DMZ.

AndrejS

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of cisco4ng
Sent: Tuesday, June 05, 2007 3:35 PM
To: [email protected]
Subject: [FW-1] Terminating VPN traffics through the Checkpoint NGx R61 with HFA_01 and ESP traffics

R1---CPNGxR61-Internet---VPN_device

R1 is sitting behind the CP NGx R61 with HFA_01. R1 has a private IP address of 10.102.160.36 and it is one-to-one NATed by the CP firewall to have a public IP address of 4.2.2.2. VPN_device is sitting on the Internet with the public IP address 129.174.1.10. This VPN_device can be a Cisco router or a Checkpoint SPLAT box NGx R61 with HFA_01. The ruleset on the firewall is wide open between R1 and VPN_device and bi-directional.

I am trying to set up a site-to-site VPN between R1 and VPN_device. The issue is that I am seeing about 50% packet loss with the VPN traffic. Running tcpdump on the firewall, I see 100% of the ESP traffic getting to the CP firewall's external interface but only 50% of the ESP traffic exiting the internal interface going to R1. Basically I am getting about 50% packet loss.

If the VPN_device is a Cisco device, I can enable UDP 4500 (aka NAT-T) on both Cisco devices and I get NO packet loss. When I switch to ESP, I get 50% packet loss; it doesn't matter if the VPN_device is a Cisco or a SPLAT box. Of course with the SPLAT box I can only do ESP and not UDP 4500.

If I replace the CP NGx R61 with CP NG Feature Pack 3 with HFA_327, I have NO ESP packet loss between R1 and the VPN_device. I also have NO packet loss when I switch over to UDP/4500 (if the VPN_device is a Cisco router).

Has anyone had issues terminating VPN through the CP NGx R61 with HFA_01 regarding ESP traffic? This issue can be easily reproduced because it happens to me on multiple sets of firewalls during the testing phase.

Thanks in advance
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
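As an added diagnostic example (not code from either poster or from Check Point), this is the tcpdump comparison the original message describes, automated: because NAT rewrites the IP header but not the ESP header, the (SPI, sequence number) pair identifies the same packet on the external and internal captures, so the script reports exactly which sequence numbers the gateway swallowed. The capture lines are constructed to mimic tcpdump's ESP summary format using the thread's addresses; the SPI value is made up.

```python
import re
from collections import defaultdict

# tcpdump prints ESP as: "<ts> IP <src> > <dst>: ESP(spi=0x...,seq=0x...), length N"
ESP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)"
)


def parse_esp(lines):
    """Return {spi: set(seq)} for every ESP packet in a text capture."""
    seen = defaultdict(set)
    for line in lines:
        m = ESP_RE.match(line)
        if m:
            seen[int(m["spi"], 16)].add(int(m["seq"], 16))
    return seen


def esp_loss_report(external_lines, internal_lines):
    """Per SPI: (packets seen outside, packets forwarded inside, missing seqs).

    Destination differs between captures (4.2.2.2 outside, 10.102.160.36
    inside) because of the one-to-one NAT, so matching is done on the ESP
    header only, never on IP addresses.
    """
    ext, inside = parse_esp(external_lines), parse_esp(internal_lines)
    report = {}
    for spi, seqs in ext.items():
        forwarded = seqs & inside.get(spi, set())
        report[spi] = (len(seqs), len(forwarded), sorted(seqs - forwarded))
    return report


def loss_ratio(report, spi):
    """Fraction of ESP packets for this SPI that never left the inside interface."""
    received, forwarded, _ = report[spi]
    return 1.0 - forwarded / received if received else 0.0


# Constructed sample: 8 ESP packets hit the external interface, every second
# one reaches R1 on the internal interface (the 50% loss pattern from the post).
EXTERNAL = [f"15:35:0{i}.000000 IP 129.174.1.10 > 4.2.2.2: "
            f"ESP(spi=0xc0ffee01,seq=0x{i:x}), length 116" for i in range(1, 9)]
INTERNAL = [f"15:35:0{i}.000100 IP 129.174.1.10 > 10.102.160.36: "
            f"ESP(spi=0xc0ffee01,seq=0x{i:x}), length 116" for i in range(1, 9, 2)]

if __name__ == "__main__":
    rep = esp_loss_report(EXTERNAL, INTERNAL)
    for spi, (rx, fwd, missing) in rep.items():
        print(f"spi=0x{spi:08x}: {rx} in, {fwd} out, "
              f"loss={loss_ratio(rep, spi):.0%}, missing seq={missing}")
```

A regular every-other-packet gap points at the gateway's state handling rather than at the link, which matches the connection-table theory in the reply above; random gaps would point elsewhere.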
