

Solution: the firewall version does not support GRE+PPP (PPTP) dynamic detection, so the customer's VPN cannot connect normally.

Publication Date:  2012-11-02 Views:  135 Downloads:  0

Issue Description

We are in charge of a project for an overseas carrier, in which an Eudemon8080 firewall replaces a Checkpoint firewall on the live network. A few days after the cut-over, the customer complained that terminal users could not connect normally to the VPN service.
The network is as follows:
VPN user (trust zone) - - - - - - - E8080 - - - - - - - - VPN server (untrust zone)

Alarm Information


Handling Process

1. Check the ACL: we copied the Checkpoint ACL to the E8080 ACL and found that the ACLs were the same, so no problem was found there. We permit all user connections in the outbound direction. No ACL is configured in the inbound direction; return packets are expected to match the session established by the outbound packet automatically.
acl 3001 (outbound)
rule 55 permit ip source
rule 60 permit ip source
2. We find that the VPN user source address is: , and check the session table
HRP_Mdis firewall session table source inside
  This operation will take a few minutes. Press 'Ctrl+C' to break ...
  pptp: vpn(in):-, vpn(out):-,>
  gre: vpn(in):-, vpn(out):-,>
  icmp: vpn(in):-, vpn(out):-,>

Then we find that the GRE server address is: , and check the session table
HRP_Mdis firewall session table source inside
  This operation will take a few minutes. Press 'Ctrl+C' to break ...
  gre: vpn(in):-, vpn(out):-,<--
Thus we find that the outbound and inbound GRE packets use different ports, so the return packet cannot match the session table entry established by the outbound packet and is discarded.
3. We conclude that the user is using a GRE + PPTP VPN service, which has the characteristic that the outgoing and returning packets do not use the same port. Before the replacement, the Checkpoint firewall supported dynamic detection of GRE packets, so the service worked normally.
The E8080 firewall does not support dynamic detection of GRE packets, which led to the service interruption.
So we added an ACL to permit the GRE packets back in the opposite direction:
acl 3002 (inbound)
rule 5275 permit gre
After the rule was added in the inbound direction, the customer's VPN service returned to normal.
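As an added illustration (not part of the original case, and not Huawei or Checkpoint code), the Python model below shows why the returning GRE packet carries a different "port" than the outbound one and what each of the two remedies does. In PPTP (RFC 2637) the GRE header has no port numbers; its Key field carries a 16-bit Call ID, and each side writes the peer's Call ID into the packets it sends, so the values a stateful firewall records as ports differ per direction. The addresses, ports and Call IDs are constructed sample values; gre_alg stands for the dynamic detection the Checkpoint firewall performed and is a simplified assumed model, not its actual implementation.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

GRE = 47                 # IP protocol number for GRE (no ports in the header)
TCP = 6
PPTP_CTRL_PORT = 1723


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    call_id: int = 0                          # GRE Key field: Call ID of the receiver
    announces_call_id: Optional[int] = None   # PPTP control message advertising a Call ID


def flow_key(p: Packet) -> Tuple:
    """Session key as the firewall sees it; for GRE the Call ID stands in for a port."""
    if p.proto == GRE:
        return (p.src, p.dst, GRE, p.call_id)
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def reverse_key(p: Packet) -> Tuple:
    """What a firewall without an ALG expects the reply to look like: addresses
    swapped, 'port' unchanged. Correct for TCP/UDP, wrong for PPTP over GRE."""
    if p.proto == GRE:
        return (p.dst, p.src, GRE, p.call_id)
    return (p.dst, p.src, p.proto, p.dport, p.sport)


class Firewall:
    def __init__(self, gre_alg: bool = False, inbound_gre_acl: bool = False):
        self.gre_alg = gre_alg                  # dynamic detection of PPTP/GRE (assumed model)
        self.inbound_gre_acl = inbound_gre_acl  # static 'permit gre' inbound (the case's fix)
        self.sessions = set()                   # reply keys created by outbound packets
        self.expect = set()                     # reply keys learned from the control channel

    def outbound(self, p: Packet) -> str:
        """trust -> untrust: permitted by the outbound ACL and creates a session."""
        self.sessions.add(reverse_key(p))
        if (self.gre_alg and p.proto == TCP and p.dport == PPTP_CTRL_PORT
                and p.announces_call_id is not None):
            # The client's OCRQ carries the client's Call ID. The server puts that
            # value into the GRE Key of every packet it sends back, so the ALG
            # pre-creates an expectation for exactly that reverse flow.
            self.expect.add((p.dst, p.src, GRE, p.announces_call_id))
        return "permit"

    def inbound(self, p: Packet) -> str:
        """untrust -> trust: no inbound ACL unless inbound_gre_acl is set."""
        k = flow_key(p)
        if k in self.sessions:
            return "permit (session match)"
        if k in self.expect:
            self.sessions.add(k)
            return "permit (ALG expect)"
        if self.inbound_gre_acl and p.proto == GRE:
            return "permit (inbound acl)"
        return "drop"


def run_pptp_call(gre_alg: bool = False, inbound_gre_acl: bool = False) -> dict:
    """Replay one PPTP call and return the verdict on each inbound packet.
    Addresses and Call IDs are constructed sample values."""
    fw = Firewall(gre_alg, inbound_gre_acl)
    client, server = "10.0.0.5", "203.0.113.10"
    client_cid, server_cid = 1, 9
    verdicts = {}
    # 1. TCP/1723 control channel; the client's OCRQ announces client_cid
    fw.outbound(Packet(client, server, TCP, sport=40000, dport=PPTP_CTRL_PORT,
                       announces_call_id=client_cid))
    verdicts["control_reply"] = fw.inbound(
        Packet(server, client, TCP, sport=PPTP_CTRL_PORT, dport=40000))
    # 2. The client's GRE data carries the server's Call ID
    fw.outbound(Packet(client, server, GRE, call_id=server_cid))
    # 3. The server's GRE reply carries the client's Call ID, i.e. a different
    #    'port' than the outbound packet: the mismatch the session table shows
    verdicts["gre_reply"] = fw.inbound(Packet(server, client, GRE, call_id=client_cid))
    # 4. An unrelated inbound GRE packet with an unknown Call ID
    verdicts["stray_gre"] = fw.inbound(Packet(server, client, GRE, call_id=77))
    return verdicts


if __name__ == "__main__":
    for alg, acl in [(False, False), (False, True), (True, False)]:
        print(f"gre_alg={alg} inbound_gre_acl={acl}: {run_pptp_call(alg, acl)}")
```

Running it shows that without either remedy the GRE reply is dropped while the TCP control reply still matches; the static inbound "permit gre" restores the service but also admits the unrelated GRE packet, whereas the control-channel-aware detection admits only the flow it learned and still drops the stray one. That difference is the trade-off to keep in mind when a rule like 5275 is added without a source restriction.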

Root Cause

The firewall may have been discarding VPN packets, because the VPN service was normal before the cut-over.
At the same time, we knew that the user used a GRE VPN; since we replaced a Checkpoint firewall, the GRE processing mechanism may be different.


When cutting over a firewall, pay attention to the fact that the mechanism for processing different packet types may differ between the live-network firewall and our firewall. For example, Checkpoint, Cisco, etc. support dynamic detection for a variety of protocols, while the E8080 firewall only supports dynamic monitoring for QQ, RTSP, MSN and FTP.