It looks like a Cisco VPN client issue (not handling NAT Traversal
correctly).
Change the Cisco client to use a TCP connection instead of UDP... it may help.

I am assuming that the Cisco VPN client is in your internal network and
tries to connect to a Cisco VPN concentrator outside of your network...
correct?


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Lari Luoma
Sent: Friday, February 08, 2008 1:02 PM
To: [email protected]
Subject: [FW-1] firewall dropping return packets

Dear colleagues!

I'm in the middle of quite a weird troubleshooting session and would
really appreciate any help to get this resolved.

We are running IPSO 4.1b033 and CP NGX R60 HFA04 in a VRRP cluster. 

The scenario is as follows:

1. User authenticates successfully through client-authentication.
2. User opens a VPN-connection (Cisco VPN client) to the internal
network.

When looking at connections in SmartView Tracker everything seems to
be green (accepted), but the connections are not working. Here comes the
weird thing...
The firewall is dropping return packets as if they were new connections.
The user information has also disappeared from the dropped return
packets, as if the whole session has been terminated somehow. All the
traffic is supposed to be hidden behind the firewall's external IP
(192.100.x.x).

What on earth is going on here... Let me confuse you a little bit more
by saying that the connections work sometimes (very slowly indeed), but
most of the time they don't.

Here's some tracking info...

Number:                       6089199
Date:                         7Feb2008
Time:                         11:41:35
Product:                      VPN-1 Pro/Express
Interface:                    eth-s1p3c1
Origin:                       fw1 (192.168.77.116)
Type:                         Log
Action:                       Accept
Protocol:                     udp
Service:                      UDP_4500 (4500)
Source:                       10.183.146.25
Destination:                  15.195.xx.xx
Rule:                         36
NAT rule number:              27
NAT additional rule number:   0
Source Port:                  UDP_4500 (4500)
User:                         [I removed the user name]
XlateSrc:                     fw1_cluster(192.100.xx.xx)
XlateSPort:                   50357
Information:                  rule_uid: {572D8CDE-627C-4D64-A495-7E0470E4AC49}
                              service_id: UDP_4500
                              normalized_rule_num: 36-es-rules

Number:                       6097242
Date:                         7Feb2008
Time:                         11:41:57
Product:                      VPN-1 Pro/Express
Interface:                    eth-s2p1c0
Origin:                       fw1 (192.168.xx.xx)
Type:                         Log
Action:                       Drop
Protocol:                     udp
Service:                      49534
Source:                       15.195.xx.xx
Destination:                  fw1_cluster (192.100.xx.xx)
Rule:                         178
Source Port:                  UDP_4500 (4500)
Information:                  rule_uid: {D67DCC20-6EA8-4EAB-BC8B-1E20C0E38DFF}
                              normalized_rule_num: 178-es-rules


Here is fw-monitor output about the traffic

Feb  8 08:29:02 fw1 [LOG_CRIT] kernel: FW-1: monitor filter loaded
 monitor: monitoring (control-C to stop)
eth-s1p3c1:i[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
UDP: 500 -> 500
eth-s1p3c1:I[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
UDP: 500 -> 500
eth-s2p1c0:o[340]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=340 id=32320
UDP: 500 -> 500
eth-s2p1c0:O[340]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=340 id=32320
UDP: 11759 -> 500
eth-s2p1c0:i[176]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=176 id=26684
UDP: 500 -> 11759
eth-s2p1c0:I[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
UDP: 500 -> 500
eth-s1p3c1:o[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
UDP: 500 -> 500
eth-s1p3c1:O[176]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=176 id=26684
UDP: 500 -> 500
eth-s1p3c1:i[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
UDP: 4500 -> 4500
eth-s1p3c1:I[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
UDP: 4500 -> 4500
eth-s2p1c0:o[3620]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
UDP: 4500 -> 4500
eth-s2p1c0:O[3620]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=1500 id=32322 off=0
UDP: 11764 -> 4500
eth-s2p1c0:i[3628]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=1500 id=27473 off=0
UDP: 4500 -> 11764
eth-s2p1c0:I[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
UDP: 4500 -> 4500
eth-s1p3c1:o[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
UDP: 4500 -> 4500
eth-s1p3c1:O[3628]: 15.195.xx.xx -> 10.183.146.26 (UDP) len=1500 id=27473 off=0
UDP: 4500 -> 4500
eth-s1p3c1:i[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
UDP: 4500 -> 4500
eth-s1p3c1:I[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
UDP: 4500 -> 4500
eth-s2p1c0:o[432]: 10.183.146.26 -> 15.195.xx.xx (UDP) len=432 id=35018
UDP: 4500 -> 4500
eth-s2p1c0:O[432]: 192.100.xx.xx -> 15.195.xx.xx (UDP) len=432 id=35018
UDP: 12340 -> 4500
eth-s2p1c0:i[128]: 15.195.xx.xx -> 192.100.xx.xx (UDP) len=128 id=566
UDP: 4500 -> 11764
^C monitor: caught sig 2
 monitor: unloading

Your help is appreciated, thanks a lot in advance!


-lari-


Lari Luoma
Senior Network Security Specialist
Mainframe Consulting Oy
[EMAIL PROTECTED]
+358-45-6576820
www.mainframe.fi
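The fw monitor trace above shows the hide-NAT source port for the client's UDP 4500 flow changing between packets (11764, then 12340) while the concentrator keeps replying to the first port, which is exactly what the cleanup-rule drop of a "new" return packet looks like. As an added example, not from the original thread, this script correlates each pre-NAT (o) packet with its post-NAT (O) copy by IP id to flag that pattern; the sample trace is constructed from the thread's packets with the masked addresses replaced by documentation addresses (198.51.100.9 for the concentrator, 192.0.2.1 for the hide-NAT address).

```python
import re

# fw monitor writes two lines per packet: a header (interface, inspection
# position i/I/o/O, addresses, IP id) and a transport line with the ports.
HDR = re.compile(r"^(?P<ifc>\S+):(?P<pos>[iIoO])\[\d+\]: (?P<src>\S+) -> (?P<dst>\S+) "
                 r"\(\w+\) len=\d+ id=(?P<id>\d+)")
PORTS = re.compile(r"^\w+: (?P<sport>\d+) -> (?P<dport>\d+)$")

# Constructed sample, modelled on the thread's trace (external interface only).
SAMPLE_TRACE = """
eth-s2p1c0:o[3620]: 10.183.146.26 -> 198.51.100.9 (UDP) len=1500 id=32322 off=0
UDP: 4500 -> 4500
eth-s2p1c0:O[3620]: 192.0.2.1 -> 198.51.100.9 (UDP) len=1500 id=32322 off=0
UDP: 11764 -> 4500
eth-s2p1c0:i[3628]: 198.51.100.9 -> 192.0.2.1 (UDP) len=1500 id=27473 off=0
UDP: 4500 -> 11764
eth-s2p1c0:o[432]: 10.183.146.26 -> 198.51.100.9 (UDP) len=432 id=35018
UDP: 4500 -> 4500
eth-s2p1c0:O[432]: 192.0.2.1 -> 198.51.100.9 (UDP) len=432 id=35018
UDP: 12340 -> 4500
eth-s2p1c0:i[128]: 198.51.100.9 -> 192.0.2.1 (UDP) len=128 id=566
UDP: 4500 -> 11764
"""

def parse(trace):
    """Yield one dict per packet, joining each header line with its port line."""
    hdr = None
    for line in trace.strip().splitlines():
        if (h := HDR.match(line.strip())):
            hdr = h.groupdict()
        elif hdr and (p := PORTS.match(line.strip())):
            yield {**hdr, **p.groupdict()}
            hdr = None

def audit(trace, nat_ip):
    """Report flows whose hide-NAT port changed and returns to a dead port."""
    pending, current, owner, findings = {}, {}, {}, []
    for pkt in parse(trace):
        key = (pkt["ifc"], pkt["id"])
        if pkt["pos"] == "o":                       # outbound, before NAT
            pending[key] = pkt
        elif pkt["pos"] == "O" and key in pending:  # same packet after NAT
            o = pending.pop(key)
            flow = (o["src"], o["sport"], o["dst"], o["dport"])
            xport = pkt["sport"]
            if current.get(flow, xport) != xport:
                findings.append(f"hide-NAT port for {flow} changed {current[flow]} -> {xport}")
                owner.pop(current[flow], None)      # old port no longer live
            current[flow], owner[xport] = xport, flow
        elif pkt["pos"] == "i" and pkt["dst"] == nat_ip and pkt["dport"] not in owner:
            findings.append(f"return packet id={pkt['id']} to port {pkt['dport']} "
                            f"matches no live translation (would be seen as new)")
    return findings
```

Run `audit(SAMPLE_TRACE, "192.0.2.1")` to get the two findings; on a real capture, feed the external interface's fw monitor output and the cluster's hide-NAT address.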





=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

