Question about Cyberguard SG300 (00852503000366) Firewall

3 Answers

Cyberguard sg300 drops tunnel out wont restart

Cyberguard sg300 drops tunnel out and requires a power cycle to reconnect. (It stops at negotiating stage 1 after dropout)
Settings are aggressive mode, preshared secret, dead peer detection, but no compression.
Initiate stage 1,2 rekeying also set.
Firmware levels are all the same, v3.1.5u4

Posted by on

  • rod8272 Oct 04, 2009

    Thanks for the reply, here are the complete details of the tunnel settings.
    local interface - default gateway interface and tunnel enabled.
    keying - aggressive mode
    local address - dns hostname address
    remote address - dns hostname address
    initiate tunnel negotiation - yes
    endpoint is specified
    dead peer detect - yes
    delay and timeouts are defaults
    initiate rekeying - yes
    tunnel name, dns hostname and endpoint are set
    phase 1 settings are default, except for secret which is set
    phase 2 settings are default except for the IP addresses

    This link is one of 4 I have running from my Cyberguard and is how I support my brothers network. I think the cause of the dropouts is bad wiring in his house which will be recified, but the problem has appeared sometimes on the other links.

    The issue is not so much that it drops out, but that it will not restart.

    When I down the link from negotiating stage 1 state the log says (hornsby is the link)
    Pluto[182]: "hornsby": deleting connection
    Pluto[182]: "hornsby" #6863: deleting state (STATE_AGGR_I1)

    When I enable the link again (stop msg seems odd to me here)

    ipsecctl[1286]: Failed to stop ipsec tunnel hornsby: 21
    flatfsd: Wrote 6582 bytes to flash in 2 seconds
    Pluto[182]: | from whack: got --esp=3DES-SHA1;MODP1024
    Pluto[182]: | from whack: got --ike=3DES-SHA-MODP1024
    Pluto[182]: added connection description "hornsby"
    Pluto[182]: forgetting secrets
    Pluto[182]: loading secrets from "/etc/config/ipsec.secrets"
    Pluto[182]: Changing to directory '/etc/config'
    Pluto[182]: error in X.509 certificate: ssl_key.pem
    Pluto[182]: X.509 loaded: ssl_cert.pem
    Pluto[182]: error in X.509 certificate: ssh_host_rsa_key
    Pluto[182]: error in X.509 CRL: ssl_key.pem
    Pluto[182]: error in X.509 CRL: ssl_cert.pem
    Pluto[182]: error in X.509 CRL: ssh_host_rsa_key
    Pluto[182]: "hornsby" #6874: initiating Aggressive Mode
    ipsecctl[1286]: Failed to start ipsec tunnel hornsby: 112

    Regards Rod

  • rod8272 Oct 06, 2009

    Hi, you have described the problem well.. I am running 3.1.5u4 already so the issue is different. My setup is exactly the same as the example in the manual. I have noticed that if the line is good it works very well, its just that this link has some poor wiring (which will be fixed shortly) which makes the problem worse.
    There must be a combination of settings that are the optimum, I am hoping someone has been here before me and has the answer.

    Regards Rod

×

Ad

3 Answers

  • Level 3:

    An expert who has achieved level 3 by getting 1000 points
    Superstar:

    An expert that got 20 achievements.
    All-Star:

    An expert that got 10 achievements.
    MVP:

    An expert that got 5 achievements.

  • Master
  • 3,741 Answers

If you've got locked out of your CyberGuard / SnapGear firewall, as long as you still have SSH access you can regain access without doing a factory reset.

From the command prompt type "enableweb"

/> enableweb
The web interface has been enabled on ALL interfaces, for HTTP and HTTPS.
Please ensure you review the administration access control options.

As it says, this will re-enable access on ALL interfaces, including Internet, so you need to review the choices, FAST! --------- keep updated.thanks.

Posted on Oct 06, 2009

Ad
Sudeep Chatterjee
  • Level 3:

    An expert who has achieved level 3 by getting 1000 points
    Superstar:

    An expert that got 20 achievements.
    All-Star:

    An expert that got 10 achievements.
    MVP:

    An expert that got 5 achievements.

  • Master
  • 3,267 Answers

This seems like a a common problem for many who are using an SG300 (though I believe that other SG series are affected) for a few months on TPG ADSL2+.and ADSL+2 modems. It took too long to connect to the DSLAM, sometimes several hours. I tried different modems in front of this router etc but all to no avail. Different configs etc, but nothing worked. I'd simply have to leave the router to connect of it's own accord. It'd continually try and fail over and over until it connected. Once connected though it was always stable.
I thought that I had the latest firmware as I only updated it about two months ago. Anyway the latest firmware from Cyberguard/Snapgear rectifies this problem in particular. It seems to be isolated only to TPG ADSL2+ in combination with the SG series firewalls. Get firmware version 3.1.4u2 if you're having issues with SG series firewalls connecting to TPG ADSL2+.......This might solve this problem....sodeep

Posted on Oct 04, 2009

Ad
Rylee Smith
  • Level 3:

    An expert who has achieved level 3 by getting 1000 points
    All-Star:

    An expert that got 10 achievements.
    MVP:

    An expert that got 5 achievements.
    Brigadier General:

    An expert that has over 10,000 points.

  • Master
  • 8,619 Answers

Hi

Thanks for using FixYa. These are the main causes due towhich drops tunnel out and need a power cycle to reconnect. Please make sure thatthe Cyber Guard SG appliance has a default gateway by configuring the Internetconnection on the Connect to Internet page or assigning a default gateway onthe IP Configuration page. Ensure that the tunnel settings for the Cyber GuardSG appliance and the remote party are configured correctly. Also ensure thatboth have IP Sec enabled and have Internet IP addresses. Check that the CA hassigned the certificates. The remote party has gone down. The remote party hasdisabled IP Sec. The remote party has disabled the tunnel. The tunnel on theCyber Guard SG appliance has been configured not to re key the tunnel. Theremote party is not re keying correctly with the Cyber Guard SG appliance. Forfurther reference see the link---


CyberGuard SG 300 User Manual


Please do accept the solution if the issue is resolved orelse revert for further assistance.


Thanks

Rylee

Posted on Oct 03, 2009

1 Suggested Answer

6ya6ya
  • 2 Answers

SOURCE: I have freestanding Series 8 dishwasher. Lately during the filling cycle water hammer is occurring. How can this be resolved

Hi,
A 6ya expert can help you resolve that issue over the phone in a minute or two.
Best thing about this new service is that you are never placed on hold and get to talk to real repairmen in the US.
The service is completely free and covers almost anything you can think of (from cars to computers, handyman, and even drones).
click here to download the app (for users in the US for now) and get all the help you need.
Good luck!

6ya.com

6ya - Get Instant Help

6ya.com

Need repair answers fast Use 6ya to...

Posted on Jan 02, 2017

Add Your Answer

Uploading: 0%

my-video-file.mp4

Complete. Click "Add" to insert your video. Add

×

Loading...
Loading...

Related Questions:

1 Answer

How Do I Restore the Default VLAN Configuration of an Interface?
We can take S5700-28P-PWR-LI-AC as example.

The default VLAN configuration of an interface involves the default VLAN of the interface and the VLAN that the interface joins. By default, the default VLAN configuration of an interface is as follows:
Access: The default VLAN is VLAN 1, and an access interface joins VLAN 1 in untagged mode.
Trunk: The default VLAN is VLAN 1, and a trunk interface joins VLAN 1 to VLAN 4094 in tagged mode. That is, a trunk interface allows all VLANs.
Hybrid: The default VLAN is VLAN 1, and a hybrid interface joins VLAN 1 in untagged mode.
Dot1q-tunnel: The default VLAN is VLAN 1, and an dot1q-tunnel interface joins VLAN .1
Negotiation-auto or Negotiation-desirable: If the interface is negotiated as an access interface, the default VLAN configuration of the interface is the same as that of the access interface. If the interface is negotiated as a trunk interface, the default VLAN is VLAN 1 and the interface joins VLANs 1 to 4094 in tagged mode. That is, the interface allows all VLANs.
Run the display this include-default ' include link-type command in the interface view to check the link type of the interface, and then perform one of the following configurations to restore the default configuration of the interface.
Restore the default VLAN configuration of an access or dot1q-tunnel interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port default vlan

Restore the default VLAN configuration of a trunk interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port trunk pvid vlan
[HUAWEI-GigabitEthernet0/0/1] undo port trunk allow-pass vlan all
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 1

Restore the default VLAN configuration of a hybrid interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port hybrid pvid vlan
[HUAWEI-GigabitEthernet0/0/1] undo port hybrid vlan all
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 1

Restore the default VLAN configuration of the Negotiation-auto or Negotiation-desirable interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port default vlan
[HUAWEI-GigabitEthernet0/0/1] undo port trunk pvid vlan
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan all

Jun 28, 2016 | Compex PS2216 16Port 10100Mbps Smart...

2 Answers

How to connect my MSSQL server through VPN by using PPTP
192.168.1.X is a local ip address ,, i trust that thhe vpn is in seperate places and is done with the wan ip over an internet connection?????

OK maybe the problem isnt on your side but the main office building,, when connecting , have someone looked for repeated attemps to connect by observing the fire wall,, if it appears to be blocked byu the firewall simply diasable any and try it out.. If it works then all you need to do is set the firewall correctly..

I was reading the ip address in your original post and those are local address,s are you certin the VPN is correct ???? did you use the correct STATIC IP ADDRESS ASSIGNED BY YOUR ISP??

Jan 20, 2008 | Cyberguard SG300 (00852503000366) Firewall

1 Answer

While trying to update the unit configuration, all configuration space has been exhausted. This is a fatal error.
Hej kan ikke huske brugernavn og pasvord

Jun 21, 2011 | Cyberguard SG300 (00852503000366) Firewall

1 Answer

We have full internet access but we are unable to connect to our email server why?
I NEED TO GET ON RUNESCAPE

Jan 03, 2010 | Cyberguard SG300 (00852503000366) Firewall

1 Answer

Cable modem connection keeps repeating checking and then down over and over, tried a different router works fine, tried a different modem same issue
I had a similar problem a while back when I bought a new cable modem. I didn't realise that my cable provider needed to have the serial number of my cable modem configured on their system.

I ended up calling them to ask them about the problem.

There is no way I could have solved it without calling them.

I think it is to do with stopping unauthorised users from connecting to the cable.

I remember they wanted my name, age and grandma's inside leg measurement before they would help me.

So if you have nothing to hide just give them a ring and make them help you. This is what you pay them for after all.

:)

Jul 06, 2009 | Cyberguard SG300 (00852503000366) Firewall

1 Answer

Need to network SG300 Firewall and Qwest (Motorola) 3347-02 Modem
The modem needed to be set to a 192.168.x.x network, and the SG300 Firewall WAN port needed to be set to a dummy IP on the same network for it's IP, and the specific 192.168.x.x address for the gateway and DNS.

Nov 05, 2008 | Cyberguard SG300 (00852503000366) Firewall

1 Answer

Blocking email
The ISP provider changed our IP address when we reset the modem.(even though they swear it was a fixed IP) The mailguard delivery address is fixed so the redirected mail from mailgaurd no longer had a valid address for delivery.
You can fix this by correcting the mailguard delivery IP address (phone them in business hours) or by providing Mailguard with a name address instead of an IP address .

Simple but frustrating until you think of checking to see if the IP addresses of your server and mailguard match

Jun 15, 2008 | Cyberguard SG300 (00852503000366) Firewall

2 Answers

Help with a unblock code
ok, on the internet window, click on tools, then internet options, then go to the ADVANCED tab, and click on the reset buttons and hopefully this fixes ur issue and if it does dont forget to rate me as FIX YA

Feb 12, 2008 | Cyberguard SG300 (00852503000366) Firewall

1 Answer

Cyberguard SG300
From the main configuration screen select Network Setup, and then click on the Connections Tab. In the tabline below that click on Aliases.

At this point you input the Alias IP address and the netmask and add it, selecting port 25. The firewall now knows that it is to forward all traffic on port 25 to the computer that has the IP address you put in.

You should be aware that doing the above opens a direct access point into your network! Port 25 is the port used for SMTP (Sendmail) and it is the most vulnerable and most hacked service on the Internet! You should seriously consider not doing this.

A better option would be to goto the DMZ tab and configure a DMZ net on your firewall - you will need to obtain a second routable IP address from your ISP to do this though. By creating the DMZ and then routing port 25 to a machine inside the DMZ you isolate the machine running SMTP from all of the other machines inside your protected network and so make a compromise much less likely.

All of the systems inside your protected network will still have demand access to the machine in our DMZ, but the machine in your DMZ would be unable to initialize access to the protected network, which is a much safer setup.

Oct 19, 2007 | Cyberguard SG300 (00852503000366) Firewall

1 Answer

Port 25
Which Firewall?

Model and make please

Oct 19, 2007 | Cyberguard SG300 (00852503000366) Firewall

Not finding what you are looking for?

View Most Popular

SG300 (00852503000366) Firewall

  • Computers & Internet

Related Question

How Do I Restore the Default VLAN Configuration of an Interface?

  • Compex PS2216 16Port 10100Mbps Smart Desktop Switch wPort VLAN and Trunking

Open Questions:

0 Answers

what causes /var: file system full. a cold reboot resolved the issue. but there was no indication regarding the cause.

Mar 05, 2010 | Cyberguard SG300 (00852503000366) Firewall

0 Answers

VPN to Charter cable modem I want to connect a SG300 VPN to my Charter Cable Modem, what is the flow chart to doing this, do I connect the VPN to the computer and the modem to the VPN or VPN to modem then modem to computer. Thanks

Sep 25, 2008 | Cyberguard SG300 (00852503000366) Firewall

0 Answers

sg300 TST light blinking non stop I reset the SG300 and still unable to get traffic through the unit and the TST light blinks nonstop. Did a reset from within the config table, no luck there either

Jul 29, 2008 | Cyberguard SG300 (00852503000366) Firewall

Cyberguard SG300 (00852503000366) Firewall Logo

Related Topics:

412 people viewed this question

Ask a Question

Usually answered in minutes!

Popular Questions

Cyberguard SG300...

Cyberguard SG300...

Cyberguard SG300...

Cyberguard SG300...

Cyberguard SG570 - Security...

Check Out the Mobile Browsers Report
Check Out the Mobile Browsers Report

View all Fixya Reports

Top Cyberguard Computers & Internet Experts

Les Dickinson
Les Dickinson

Level 3 Expert

18424 Answers

Doctor PC
Doctor PC

Level 3 Expert

7733 Answers

David Payne
David Payne

Level 3 Expert

14162 Answers

Are you a Cyberguard Computer and Internet Expert? Answer questions, earn points and help others

Answer questions

Manuals & User Guides

Loading...