SecurityFocus

FW: Stale IKE SA on FW-1 Aug 24 2006 05:51PM
Meidinger Chris (chris meidinger badenIT de) (1 replies)

RE: Stale IKE SA on FW-1 Aug 24 2006 08:24PM
??????? ?? ??? (erezsht netvision net il)

Dear Chris,

Please Try this:

1. Remove the: "Keep Ike SA's" smartDashBoard--> Policy --> Global
Properties --> SmartDashboard Customization --> Configure --> VPN / IKE
Properties --> uncheck "Keep Ike SA's" (make sure that the externally
managed GW guy's do that too)
2. In the cluster object itself: --> advanced --> connection persistency
--> select: rematch all connections.
3. In the cluster object itself: --> VPN --> advanced --> check: perform
organized shutdown (make sure that the externally managed GW guy's do that
too)
4. Install the policy to the cluster.

5. Optionally: [Install R61 Latest HFA (if available) to management
server and cluster.]

If the externally managed gw support's the "send initial contact" then
Under: smart Dashboard--> Policy --> Global Properties --> Smart
Dashboard Customization --> Configure --> VPN / IKE Properties -->
Make sure that the settings in the cluster and the settings in the
remote GW are identical (both should send each other)

This should bring order to chaos in the SA's

Erez Shtang - [ Information Security Consultant ]

_____

From: Meidinger Chris [mailto:chris.meidinger (at) badenIT (dot) de [email concealed]]
Sent: Thursday, August 24, 2006 8:52 PM
To: firewalls (at) securityfocus (dot) com [email concealed]
Subject: FW: Stale IKE SA on FW-1

Hi List,

has anyone ever had an IKE SA that just wouldn't die on a Checkpoint?

The Firewall in question is a (fairly new) R61 clustered on Nokia hardware.

Normally the #vpn tu command should allow SA's to be deleted either singly
or collectively.

I have a stale IKE SA between this gateway and another (externally managed)
gateway that refuses to die. The SA is more than twice as old as the reneg
time, and is just sitting there blocking negotiation of a new one. If I
delete it with #vpn tu absolutely nothing changes and the SA is still
showing in the list.

Have any of you ever seen this before? Does anyone have an idea what I can
do?

I have already tried:

- making changes in encryption in the community settings and publishing the
policy
- deleting the object for the remote gateway and the related rules,
publishing and then recreating them
- every possible #vpn tu command, including deleting ALL IKE+IPSec SA's
- banging my head on the wall

I was even considering booting the firewall, but the SA should be synched on
both so I assume that will be pretty useless as the other node will have the
SA as well.

Thanks in advance for any suggestions, I wasn't able to find *anything* on
google about this type of problem.

Chris Meidinger

HYPERLINK
"http://545293.sigclick.mailinfo.com/sigclick/04070703/080B4E00/030A4E03
/213
21182.jpg"

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.405 / Virus Database: 268.11.5/426 - Release Date: 23/08/2006

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.405 / Virus Database: 268.11.5/426 - Release Date: 23/08/2006

<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1250">

<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<META HTTP-EQUIV="EXPIRESABSOLUTE" CONTENT="Tue, 01 Jun 1999 12:00:00 GMT">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="PRIVATE">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 11">
<meta name=Originator content="Microsoft Word 11">
<link rel=File-List href="cid:filelist.xml (at) 01C6C7D4 (dot) 7663 [email concealed]2100">
<link rel=Edit-Time-Data href="cid:editdata.mso">

<title>FW: Stale IKE SA on FW-1</title>

<style>

</style>

</head>

<body lang=EN-US link=blue vlink=purple style='tab-interval:36.0pt'>

<div class=Section1 dir=RTL>

Dear Chris,<o:p></o:p>

<o:p> </o:p>

Please Try this:<o:p></o:p>

<o:p> </o:p>

1. Remove the: "Keep Ike SA's" smartDashBoard
à Policy à Global Properties à<f
ont
size=2 color=navy face=Arial> SmartDashboard Customization 
à Configure à VPN / IKE Properties à<f
ont
size=2 color=navy face=Arial> uncheck "Keep Ike
SA's"
 (make sure that the
externally managed GW guy's do that too)<o:p></o:p>

2. In the cluster
object itself: à advanced à connection persistency à<f
ont
size=2 color=navy face=Arial> select: rematch all connections.<o:p></o:p>

3. In the cluster object itself: 
à VPN à advanced à check: perform organized shutdown (make sure that the externally
managed GW guy's do that too)<o:p></o:p>

4. Install the policy to the cluster.<o:p></o:p>

<o:p> </o:p>

5. Optionally: [Install R61 Latest HFA (if available) to management server and cluster.]<o:p></o:p>

<o:p> </o:p>

If the externally
managed gw support's the "send initial contact" then <o:p></o:p>

 
Under: smart Dashboard
à Policy à Global Properties à<f
ont
size=2 color=navy face=Arial> Smart Dashboard Customization 
à Configure à VPN / IKE Properties à<f
ont
size=2 color=navy face=Arial> <o:p></o:p>

 Make sure that the settings in the
cluster and the settings in the remote GW are identical (both should send each
other)<o:p></o:p>

<o:p> </o:p>

This should bring order
to chaos in the SA's<o:p></o:p>

<div>

<o:p> </o:p>

Erez Shtang - [ Information
Security Consultant ]<o:p></o:p>

<o:p> </o:p>

<div class=MsoNormal align=center dir=LTR style='text-align:center'>

<hr size=2 width="100%" align=center tabindex=-1>

</div>

From: Meidinger
Chris [mailto:chris.meidinger (at) badenIT (dot) de [email concealed]] 
Sent: Thursday, August 24, 2006
8:52 PM 
To: firewalls (at) securityfocus (dot) com [email concealed] 
Subject: FW: Stale IKE SA on FW-1<o:p></o:p>

</div>

<o:p> </o:p>

Hi
List, 
 
has anyone ever had an IKE SA that just wouldn't die on a Checkpoint? 
 
The Firewall in question is a (fairly new) R61 clustered on Nokia hardware. 
 
Normally the #vpn tu command should allow SA's to be deleted either singly or
collectively. 
 
I have a stale IKE SA between this gateway and another (externally managed)
gateway that refuses to die. The SA is more than twice as old as the reneg
time, and is just sitting there blocking negotiation of a new one. If I delete
it with #vpn tu absolutely nothing changes and the SA is still showing in the
list. 
 
Have any of you ever seen this before? Does anyone have an idea what I can do? 
 
I have already tried: 
 
- making changes in encryption in the community settings and publishing the
policy 
- deleting the object for the remote gateway and the related rules, publishing
and then recreating them 
- every possible #vpn tu command, including deleting ALL IKE+IPSec SA's 
- banging my head on the wall 
 
I was even considering booting the firewall, but the SA should be synched on
both so I assume that will be pretty useless as the other node will have the SA
as well. 
 
Thanks in advance for any suggestions, I wasn't able to find *anything* on
google about this type of problem. 
 
Chris Meidinger<o:p></o:p>

</div>


 <a href="http://545293.sigclick.mailinfo.com/sigclick/04070703/080B4E00/030
A4E03/21321182.jpg"><img src="http://545293.signature1.mailinfo.com/confirm2.6/04070703/080B4E00/
030A4E03/21321182.jpg" border="0" nosend="1"></a>
</body>

</html>
 

-- 
No virus found in this incoming message. 
Checked by AVG Free Edition. 
Version: 7.1.405 / Virus Database: 268.11.5/426 - Release Date: 23/08/2006 
 

-- 
No virus found in this outgoing message. 
Checked by AVG Free Edition. 
Version: 7.1.405 / Virus Database: 268.11.5/426 - Release Date: 23/08/2006 
 

[ reply ]