Once the client connects to the gateway using the IP you have set in the VPN link selection, it will then try to pull the policy from whatever IP you have defined under the general props for that gateway/policy server. Seen this fail when the internal IP of the gateway was not included in the encryption domain, routing for the OM pool was not correct or the client fails to get an OM IP. Are you able to get an OM IP? Can SecuRemote connect and get to the internal IP? I am assuming this is a distributed install. If you define the gateway with its external IP but cannot push a policy to it, it sounds like a routing/rule issue preventing you from doing this. If you define the gateway with the external IP then do an fw unloadlocal, can you push policy then? Multiple times?
-GS

________________________________
From: Roger De Jonckheere <[email protected]>
To: [email protected]
Sent: Thu, October 29, 2009 5:09:50 AM
Subject: [FW-1] AW: Seeking help on VPN desktop policy

Hi Paul

Have you turned on "Accept VPN-1 Power/UTM control connections" and then "Accept Remote Access control connections" in the Global Properties of your Management Server? Even when creating the necessary rules manually, I was experiencing problems with connectivity from the Secure Clients to the gateway.

Hope this helps,
Roger

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On behalf of Chau, P (Paul)
Sent: Thursday, 29 October 2009 01:32
To: [email protected]
Subject: [FW-1] Seeking help on VPN desktop policy

Hi,

We have a problem here with desktop policy (connection issue). Our gateway is on NGX R65 with interface bge0 (inside) and bge1 (outside). VPN logon works but desktop policy is not working and error popped up "SecureClient failed to communicate with Policy Server". I checked the connectivity of 18231. After logon the VPN client can connect to the address on bge1 but not the address on bge0. Internally I can connect to the port on the address of bge0 but not on that of bge1. We tried to change the properties IP address to that of bge1 but could not put policy to the gateway. Can anyone point out any possible solution?

Regards,
Paul

______________________________________________________________
This email, including any attachments, may be confidential or privileged, and is sent for the personal attention of the intended recipient. If you have received this email in error, please delete it immediately. The views expressed are not necessarily those of the Rabobank Group. The Group is not liable for the effects of any virus which may be contained in this email.
If this email contains marketing material and you do not wish to receive such material by email in future, please reply to this email and place the words "Remove My Details - Electronic Messages" in the Subject Header.
The Rabobank Group
Australia: 1800 025 484
New Zealand: 0800 500 933
______________________________________________________________

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
Scanned by Check Point Total Security Gateway.
