Thread: Cluster upgrade and SecureClient
|
|
| Cluster upgrade and SecureClient |

|
2006-10-29 09:13:16 |
Hi,
Yesterday we upgraded our Clustered Nokia VRRP pair of IP
530s from IPSO 3.7.1 and NG R54 to IPSO 4.0 build 30 and NGX
R60 HFA02.
Today I can no longer connect to the remote access vpn using
SecureClient. When I try to create a site I get Error:
Communication with site x.x.x.x failed. Looking in SmartView
Tracker I can see an Accepted entry from my IP for FW1_topo
(264) but nothing more.
Another user can connect to the vpn with his existing
SecureClient policy but gets an error during the connection
'unable to communicate with policy server on cluster01'.
We upgraded all of the central licenses that were attached
to the gateways to NGX and re-attached them. A policy server
license is attached to one of the gateways and the cluster
object properties show that the SecureClient Policy Server
option is selected.
SmartView Tracker is showing that users are still able to
connect to the vpn and is logging decrypted traffic against
usernames.
Does anyone have any ideas?
Thanks
______________________________________________
Nick Whitworth - Systems Specialist
t +44 (0) 1483 816712 | m +44 (0) 07786 553477 | f +44 (0)
1483 816545
a Detica | Surrey Research Park | Guildford | GU2 7YP | UK
______________________________________________
www.detica.com
This message should be regarded as confidential. If you have
received this email in error please notify the sender and
destroy it immediately.
Statements of intent shall only become binding when
confirmed in hard copy by an authorised signatory. The
contents of this email may relate to dealings with other
companies within the Detica Group plc group of companies.
Detica Limited is registered in England under No: 1337451.
Registered offices: Surrey Research Park, Guildford, Surrey,
GU2 7YP, England.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner ts.checkpoint.com
=================================================
|
|
| Cluster upgrade and SecureClient |

|
2006-10-29 15:41:41 |
Hi,
Idea: SC licenses should be installed on the
Smartcenter side since NGX.
Good luck
--- Nick Whitworth <Nick.whitworth DETICA.COM> wrote:
> Hi,
>
> Yesterday we upgraded our Clustered Nokia VRRP pair
> of IP 530s from IPSO 3.7.1 and NG R54 to IPSO 4.0
> build 30 and NGX R60 HFA02.
>
> Today I can no longer connect to the remote access
> vpn using SecureClient. When I try to create a site
> I get Error: Communication with site x.x.x.x failed.
> Looking in SmartView Tracker I can see an Accepted
> entry from my IP for FW1_topo (264) but nothing
> more.
>
> Another user can connect to the vpn with his
> existing SecureClient policy but gets an error
> during the connection 'unable to communicate with
> policy server on cluster01'.
>
> We upgraded all of the central licenses that were
> attached to the gateways to NGX and re-attached
> them. A policy server license is attached to one of
> the gateways and the cluster object properties show
> that the SecureClient Policy Server option is
> selected.
>
> SmartView Tracker is showing that users are still
> able to connect to the vpn and is logging decrypted
> traffic against usernames.
>
> Does anyone have any ideas?
>
> Thanks
|
|
| Cluster upgrade and SecureClient |

|
2006-10-30 08:24:39 |
> Hi,
>
> Yesterday we upgraded our Clustered Nokia VRRP pair of
> IP 530s from IPSO 3.7.1 and NG R54 to IPSO 4.0 build 30 and
> NGX R60 HFA02.
>
> Today I can no longer connect to the remote access vpn
> using SecureClient. When I try to create a site I get Error:
> Communication with site x.x.x.x failed. Looking in SmartView
> Tracker I can see an Accepted entry from my IP for FW1_topo
> (264) but nothing more.
>
> Another user can connect to the vpn with his existing
> SecureClient policy but gets an error during the connection
> 'unable to communicate with policy server on cluster01'.
>
> We upgraded all of the central licenses that were
> attached to the gateways to NGX and re-attached them. A
> policy server license is attached to one of the gateways and
> the cluster object properties show that the SecureClient
> Policy Server option is selected.
>
> SmartView Tracker is showing that users are still able
> to connect to the vpn and is logging decrypted traffic
> against usernames.
>
> Does anyone have any ideas?

- We had a similar issue when upgrading to NGX R61 from R60;
the solution was to allow both firewalls' IPs as allowed agent host(s)
on our RSA server, which we use for SecureClient authentication.
Apparently there was a behavior change, in the sense that from
that release the cluster did not use the cluster IP address when
accessing the RSA server, but now the individual IPs of the
cluster members were used.
Aaaa...H, guess we owe the world the reason why we get paid
each month
M.