
Customer VPN connections fail because the firewall (VPN server side) does not support GRE+PPP dynamic detection

Publication Date: 2012-11-02
Issue Description
In a project for an overseas carrier, we replaced a Checkpoint firewall on the live network with a Eudemon8080 firewall. A few days later the customer complained that terminal users could no longer connect to the VPN service.
Network is as follows:
VPN user (trust zone) ------- E8080 ------- VPN server (untrust zone)
Alarm Information
none
Handling Process
1. Check the ACL. We copied the Checkpoint ACL to the E8080 and found the two identical, so the ACL is not the problem. All user connections are permitted outbound; no ACL is configured inbound, because return packets are expected to match the session established by the outbound packet automatically.
acl 3001(outbound)
rule 55 permit ip source 121.122.0.0 0.0.127.255
rule 60 permit ip source 121.123.0.0 0.0.127.255
2. The VPN user's source address is 121.122.34.73. Checking the session table for that source:
HRP_Mdis firewall session table source inside 121.122.34.73
  This operation will take a few minutes. Press 'Ctrl+C' to break ...
  pptp: vpn(in):-, vpn(out):-, 121.122.34.73:2888-->58.71.152.7:1723
  gre: vpn(in):-, vpn(out):-, 121.122.34.73:0-->58.71.152.7:53503
  icmp: vpn(in):-, vpn(out):-, 121.122.34.73:2048-->58.71.152.7:1

The GRE server address is 58.71.152.7. Checking the session table for that source:
HRP_Mdis firewall session table source inside 58.71.152.7
  This operation will take a few minutes. Press 'Ctrl+C' to break ...
  gre: vpn(in):-, vpn(out):-,121.122.34.73:44012<-- 58.71.152.7:0
So the outbound and inbound GRE packets use different ports, and the return packet cannot match the session entry created by the outbound packet and is discarded.
3. We conclude that the user is using a GRE + PPTP VPN service, in which the forward and return packets do not use the same port. The Checkpoint firewall supported dynamic detection of GRE packets before the replacement, which is why the service worked.
The E8080 firewall does not support dynamic detection of GRE packets, so the service was interrupted.
We therefore added an ACL to permit the returning GRE packets in the inbound direction:
acl 3002(inbound)
rule 5275 permit gre
After the rule was added inbound, the customer's VPN service returned to normal.
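The mechanism found in steps 2 and 3 can be reproduced offline. The following Python is an added example, not code from this case, from Huawei or from Checkpoint. It builds the two GRE packets of a PPTP data session with the enhanced GRE header of RFC 2637, whose Key field carries the peer's Call ID, so each direction carries a different 16-bit value (presumably the "port" the session table prints), and feeds them through two matchers: one that swaps the pseudo 5-tuple like any TCP/UDP flow and drops the return packet exactly as the E8080 did, and one that matches GRE on the address pair of an established session, which stands in for what the page calls dynamic detection (how either vendor's firewall really implements it is not described here). Addresses and call IDs are those shown in the session-table output; the PPP payload is constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Enhanced GRE header fields, RFC 2637 section 4.1.
PPTP_GRE_PROTO = 0x880B   # protocol type: PPP carried by PPTP
GRE_K_BIT = 0x20          # byte 0: Key (Call ID) present; always set for PPTP
GRE_S_BIT = 0x10          # byte 0: sequence number present
GRE_A_BIT = 0x80          # byte 1: acknowledgment number present
GRE_VERSION = 0x01        # byte 1 low bits: enhanced GRE is version 1
IPPROTO_GRE = 47

# Endpoints and call IDs taken from the session-table output of the case.
USER, SERVER = "121.122.34.73", "58.71.152.7"
USER_CALL_ID, SERVER_CALL_ID = 44012, 53503


@dataclass(frozen=True)
class IpPacket:          # minimal IP-layer view: protocol, endpoints, payload
    proto: int
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class PptpGre:           # decoded enhanced GRE header plus the PPP frame
    call_id: int
    seq: Optional[int]
    ack: Optional[int]
    ppp: bytes


def build_pptp_gre(call_id: int, ppp: bytes, seq=None, ack=None) -> bytes:
    """Encode an RFC 2637 GRE header; call_id is the *peer's* Call ID, as the RFC requires."""
    b0 = GRE_K_BIT | (GRE_S_BIT if seq is not None else 0)
    b1 = GRE_VERSION | (GRE_A_BIT if ack is not None else 0)
    hdr = struct.pack("!BBHHH", b0, b1, PPTP_GRE_PROTO, len(ppp), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp


def parse_pptp_gre(data: bytes) -> PptpGre:
    """Decode the header, rejecting anything that is not PPTP version-1 GRE."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, length, call_id = struct.unpack("!BBHHH", data[:8])
    if proto != PPTP_GRE_PROTO or (b1 & 0x07) != GRE_VERSION or not (b0 & GRE_K_BIT):
        raise ValueError("not an RFC 2637 PPTP GRE packet")
    off, seq, ack = 8, None, None
    if b0 & GRE_S_BIT:
        (seq,), off = struct.unpack("!I", data[off:off + 4]), off + 4
    if b1 & GRE_A_BIT:
        (ack,), off = struct.unpack("!I", data[off:off + 4]), off + 4
    if len(data) < off + length:
        raise ValueError("payload length exceeds packet")
    return PptpGre(call_id, seq, ack, data[off:off + length])


def naive_gre_key(pkt: IpPacket) -> tuple:
    """Pseudo 5-tuple as the case's session table prints it:
    source 'port' 0, destination 'port' = Call ID from the GRE header."""
    return (pkt.proto, pkt.src, 0, pkt.dst, parse_pptp_gre(pkt.payload).call_id)


class SessionTable:
    """pptp_aware=False swaps the pseudo 5-tuple like a TCP/UDP flow; pptp_aware=True
    matches GRE on the address pair of an established session (a constructed stand-in
    for 'dynamic detection', not either vendor's real implementation)."""

    def __init__(self, pptp_aware: bool):
        self.pptp_aware = pptp_aware
        self.sessions = set()

    def _key(self, pkt: IpPacket) -> tuple:
        return (pkt.proto, pkt.src, pkt.dst) if self.pptp_aware else naive_gre_key(pkt)

    def _reverse(self, key: tuple) -> tuple:
        if self.pptp_aware:
            proto, src, dst = key
            return (proto, dst, src)
        proto, src, sport, dst, dport = key
        return (proto, dst, dport, src, sport)

    def outbound(self, pkt: IpPacket) -> None:
        self.sessions.add(self._key(pkt))

    def inbound_matches(self, pkt: IpPacket) -> bool:
        return self._reverse(self._key(pkt)) in self.sessions


def demo() -> dict:
    """Replay the two packets of the case; returns {pptp_aware: return packet matched?}."""
    ppp = b"\xff\x03\x00\x21constructed PPP payload"   # constructed PPP frame: addr/ctrl + IP protocol
    out_pkt = IpPacket(IPPROTO_GRE, USER, SERVER, build_pptp_gre(SERVER_CALL_ID, ppp, seq=1))
    in_pkt = IpPacket(IPPROTO_GRE, SERVER, USER, build_pptp_gre(USER_CALL_ID, ppp, seq=1, ack=1))
    results = {}
    for aware in (False, True):
        table = SessionTable(pptp_aware=aware)
        table.outbound(out_pkt)
        results[aware] = table.inbound_matches(in_pkt)
    return results   # {False: False, True: True}
```

Calling `demo()` shows the return packet dropped by the 5-tuple matcher and accepted by the address-pair matcher. Note the difference from the workaround above: `rule 5275 permit gre` with no source or destination admits any inbound GRE packet whether or not an outbound PPTP session exists, whereas a protocol-aware session match only admits GRE between endpoints that already have a session.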
Root Cause
The firewall probably discarded the VPN packets, since the VPN service was normal before the cutover.
We also knew that the user was running a GRE VPN; since we had replaced a Checkpoint firewall, the GRE processing mechanism was likely different.
Suggestions
When cutting over a firewall, pay attention to how the live-network firewall and our firewall process particular protocols, as the mechanisms may differ. For example, Checkpoint, Cisco and others support dynamic detection for a variety of protocols, whereas the E8080 firewall only supports dynamic detection for QQ, RTSP, MSN and FTP.

END