I've encountered this strange (very strange) problem while trying to configure a SecuRemote connection with my firewall. The network is structured as follows:

              Internet
                 |
            ---------
            |  FW A  |  Public DMZ
            ---------
                 |  Intra DMZ
    ----------   ---------
    |  WWW   |   |       |  Private DMZ
    | Server |---| FW B  |------
    |        |   |       |
    ----------   ---------
                    |
                 Internal
                 Network

FW A = Sun SPARCstation 10, FW-1 Single Gateway, 25 users, no VPN
FW B = Sun Ultra 5, FW-1 Single Gateway, Unl., VPN+Strong

Both firewalls are 4.0 with SP5. FW A does not perform any translation (both the Public DMZ and the Intra DMZ have valid IP addresses) and is configured to let SecuRemote traffic reach FW B (FW1, ISAKMP, IPSEC, etc.). I'm managing it remotely (I'm directly connected to the Internet with a valid IP address) from the same workstation on which I've installed SecuRemote (3DES version 4005). On FW B there is a rule that allows SecuRemote connections to reach the WWW server for a specific group of users.

Now I can describe what the problem is. When I try to connect to the WWW server from my client (while monitoring the firewall with the Log Viewer from the same machine) I receive the popup window that asks me to enter my username and password; after doing so I receive the following message:

> No answer received from a firewall at site xxx.xxx.xxx.xxx (external address of FW B).
> Check if you are using the correct username and password and try to reconnect.

Shortly after this message all the firewall management windows opened on FW B (Log Viewer and Policy Editor) are closed (server disconnected), while FW A starts to drop a lot of packets, as follows:

Time      Int   Act   Serv.   Source     Destin     Proto  S_Port
----------------------------------------------------------------
14:18:25  hme0  drop  RDP     FW_B_Ext   Mng_Clt    94     RDP
14:18:39  hme0  drop  1059    FW_B_Ext   Mng_Clt    94     FW1_mgmt
14:18:40  le0   drop  23556   Addr_A     IP_Natted  tcp    http
14:19:13  hme0  drop  1060    FW_B_Ext   Mng_Clt    94     FW1_mgmt
14:19:45  le0   drop  23556   Addr_A     IP_Natted  tcp    http
14:20:29  hme0  drop  1059    FW_B_Ext   Mng_Clt    94     FW1_mgmt
14:20:49  le0   drop  23556   Addr_A     IP_Natted  tcp    http
14:21:50  hme0  drop  1060    FW_B_Ext   Mng_Clt    94     FW1_mgmt
14:21:53  le0   drop  23556   Addr_A     IP_Natted  tcp    http
14:22:19  hme0  drop  1062    FW_B_Ext   Mng_Clt    94     FW1_mgmt
14:22:20  hme0  drop  1059    FW_B_Ext   Mng_Clt    94     FW1_mgmt
14:22:53  hme0  drop  1060    FW_B_Ext   Mng_Clt    94     FW1_mgmt
14:22:57  le0   drop  23556   Addr_A     IP_Natted  tcp    http
14:23:58  hme0  drop  1062    FW_B_Ext   Mng_Clt    94     FW1_mgmt
14:23:59  hme0  drop  1060    FW_B_Ext   Mng_Clt    94     FW1_mgmt
14:24:01  le0   drop  23556   Addr_A     IP_Natted  tcp    http
14:25:04  le0   drop  23556   Addr_A     IP_Natted  tcp    http
14:26:03  hme0  drop  1059    FW_B_Ext   Mng_Clt    94     FW1_mgmt
14:26:13  hme0  drop  1060    FW_B_Ext   Mng_Clt    94     FW1_mgmt

where Addr_A is a web server that is currently being visited by one of my internal users (externally NATted to the IP_Natted address). At the same time the internal firewall (FW B) recorded this log:

Time      Int     Act        Serv  Source   Dest  Proto  Rule  User
----------------------------------------------------------------
14:18:25  daemon  authcrypt  /     Mng_Clt  /     /      0     username

Info.
------
reason Client Encryption: Authenticated by FireWall-1 Password
scheme: FWZ
methods: Encapsulation, DES, DES, MD5

I found that I cannot reconnect to the internal firewall for at least 30-45 minutes (it is considered unreachable); during this interval my external firewall continues to drop a lot of incoming packets as above (they seem to be answers to various internal requests like HTTP or SMTP, but with a completely wrong destination port, i.e. always the same port for a particular destination).
Can anyone help me to understand why this firewall is acting so strangely?

N.B.: I've also tested the SecuRemote connection without opening the Log Viewer or any other FW-1 management program, and the result is the same as above.

--
Riccardo Fontana
Intesis SECURITY LAB
Via Settembrini, 35
I-20124 Milano ITALY
Phone: +39-2-671563.1
Fax: +39-2-66981953
Email: rfontanaat_private
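As an added example (not part of the original post or of FireWall-1), here is a small triage script over rows shaped like the FW A Log Viewer table above. It groups dropped packets by source, destination and protocol so that the pattern the poster describes (the same destination port hit over and over, and non-TCP drops toward the management client) stands out; the sample rows are constructed, and the link between the Proto value 94 and the "Encapsulation" method shown in the FW B authcrypt entry is this example's assumption.

```python
import re
from collections import defaultdict

# Constructed sample rows in the Log Viewer column order quoted in the post:
# Time Int Act Serv Source Destin Proto S_Port (host names are placeholders).
FW_A_LOG = """\
14:18:25 hme0 drop RDP   FW_B_Ext Mng_Clt   94  RDP
14:18:39 hme0 drop 1059  FW_B_Ext Mng_Clt   94  FW1_mgmt
14:18:40 le0  drop 23556 Addr_A   IP_Natted tcp http
14:19:13 hme0 drop 1060  FW_B_Ext Mng_Clt   94  FW1_mgmt
14:19:45 le0  drop 23556 Addr_A   IP_Natted tcp http
14:20:29 hme0 drop 1059  FW_B_Ext Mng_Clt   94  FW1_mgmt
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse(log):
    """Yield one dict per well-formed row; blank or malformed lines are skipped."""
    for line in log.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        time, intf, act, serv, src, dst, proto, sport = m.groups()
        yield dict(time=time, intf=intf, act=act, serv=serv,
                   src=src, dst=dst, proto=proto, sport=sport)

def summarize_drops(log):
    """Group drops by (src, dst, proto); keep count, destination services, time span."""
    groups = defaultdict(lambda: {"count": 0, "servs": set(), "first": None, "last": None})
    for r in parse(log):
        if r["act"] != "drop":
            continue
        g = groups[(r["src"], r["dst"], r["proto"])]
        g["count"] += 1
        g["servs"].add(r["serv"])          # same service repeating = stuck flow
        g["first"] = g["first"] or r["time"]
        g["last"] = r["time"]
    return dict(groups)

def encapsulated_drops(summary, client):
    """Flows dropped toward the management client that are neither tcp nor udp.
    Assumption for this example: proto 94 is the FWZ encapsulation carrier, so
    such drops mean the outer firewall is blocking the encapsulated session."""
    return [k for k in summary if k[1] == client and k[2] not in ("tcp", "udp")]

if __name__ == "__main__":
    s = summarize_drops(FW_A_LOG)
    for (src, dst, proto), g in s.items():
        print(f"{src} -> {dst} proto={proto} drops={g['count']} "
              f"servs={sorted(g['servs'])} {g['first']}..{g['last']}")
    print("encapsulated drops toward client:", encapsulated_drops(s, "Mng_Clt"))
```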
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:13 PDT