(SKIP) Construction of SA failed for peer xx.xx.xx.xx

I am trying to set up a new SITE to SITE VPN connection.

Yesterday, SBC installed SBC Yahoo DSL.  I told the installer that I did not want DHCP, filters, or NAT, so he suggested I use a bridge and not a router for the service.  He installed an Efficient Networks SpeedStream 5360.

Internet service is working and the BM 3.7 proxy server is working for HTTP.

My problem:

When trying to establish a connection for the Site to Site, the Slave server reports:

Audit Log:

(SKIP) Construction of SA failed for peer 68.xx.xx.xx

Info:

IP Security Error 284

IPSEC failed to set up a Security Association with the indicated connection causing packets to be dropped.

Check for possible out of memory conditions.


Here's what I tried so far:

1.  Reviewed Master server's Audit log.  No indication of making a connection to Slave server.

2.  Reviewed Slave server's Audit log.  VPSLAVE was started.  License was obtained.  Then the SA errors keep occurring over and over.

3.  Verified both servers were running the same version of TCPIP.NLM.  Both are 6.15.16 128bit.

4.  Verified that the actual server time (Master and Slave) are within one minute (just a few seconds).

5.  I called SBC DSL support.  They had no clue what I was talking about when I stated that I needed to verify that SKIP (protocol 57) and UDP/TCP 353 ports were not being filtered.  So, SKIP may be getting blocked, but I can't seem to verify it.

How can I test to see if SKIP is blocked?

Also, any ideas on correcting my problem.

I do know that at the MASTER site, I am able to make a Client to Site VPN connection and have been able to for a long time, so I tend to think the problem is at the SLAVE end.



0
earlh
8/14/2003 4:17:28 PM
novell.bordermanager.vpn (2677 articles, 0 followers)

17 Replies
795 Views


Also, on the SLAVE server, I tried unloading IPFLT.  No change.

I then used SET TCP IP DEBUG = 1 on the SLAVE.  I was able to see inbound from the Master port 231 and "OTHER".  Not a lot of them, just a few.

I think I read in another thread that OTHER means the SKIP is not being filtered.



0
earlh
8/14/2003 8:41:35 PM
That error is kind of generic and can result from a number of causes, including lack of a VPN license on the server.  Check the licenses.

Also check the HOSTS and HOSTNAME files in sys:etc for accuracy.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://nscsysop.hypermart.net ***






0
Craig
8/15/2003 4:34:45 AM
hi Earl,

first of all make sure that NAT is not occurring in your slave site. To do this you can go to one of these web sites that tell you what IP address you are using, for instance www.whatismyip.com, and verify that what appears is actually the IP address bound to the public NIC at your slave server.

Unfortunately there is no way to verify if SKIP is open or not. Usually I tell the ISPs (that often seem to be clueless) that ALL IP protocols have to be opened, not only TCP, UDP and ICMP. This sometimes makes them understand what's needed.

You should also make sure that the slave site is reading the licenses correctly from the NDS. Check that in the logs (in NWadmn32) you have a message that says "a VPN site to site license has been acquired".

--
Cat
Novell Support Connection Volunteer Sysop





0
CSL
8/15/2003 12:17:19 PM
Craig and CSL:

I have been out of town for the last few days.

I will verify/try your suggestions and report back.

Thanks,

Earl

CSL wrote:

> hi Earl,
>
> first of all make sure that NAT is not occurring in your slave site. To do this you can go to one of these web sites that tell you what IP address you are using, for instance www.whatismyip.com, and verify that what appears is actually the IP address bound to the public NIC at your slave server.
>
> Unfortunately there is no way to verify if SKIP is open or not. Usually I tell the ISPs (that often seem to be clueless) that ALL IP protocols have to be opened, not only TCP, UDP and ICMP. This sometimes makes them understand what's needed.
>
> You should also make sure that the slave site is reading the licenses correctly from the NDS. Check that in the logs (in NWadmn32) you have a message that says "a VPN site to site license has been acquired".
>
> --
> Cat
> Novell Support Connection Volunteer Sysop




0
Earl
8/18/2003 11:17:36 PM
This is bugging me so I didn't wait until I got to work.  I went ahead and remoted to the Master and Slave servers tonight.  Here's what I found:

"Also check the HOSTS and HOSTNAME files in sys:etc for accuracy."

What should these two files look like?

Here's what mine look like (via a text editor):

Slave HOSTNAME:

10.0.x.x  SLAVE_SERVER_NAME.ORGANIZATION.COM

The 10.0.x.x is the private IP of the slave server.


Master HOSTNAME:

10.0.x.x MASTER_SERVER_NAME []12.5.x.x[]

The [] is a single character that looks like a box.  The 12.5.x.x is the public IP.  The 10.0.x.x is the private IP of the master.

In the HOSTS file, the names are associated with the private IP address of each server.


Here's what my VPN log looks like on the SLAVE server after I ran a BMOFF.NCF, followed by:

sys:\etc\cpfilter\cpfilter
brdsrv
vpslave

Slave log:

VPNINF is in the process of loading
Skip has been deinitialized
Received a time change notification
VPNINF has been unloaded.
Skip initialzation is complete
VPN site license has been acquired
Started VPNINF.NLM
Started VPSLAVE.NLM
Waiting for connection to master
(SKIP) Construction of SA failed for peer 12.5.xx.xx      (This line repeats every 30 seconds)

Here's some other things I noticed that might be of interest:

1.  Time is not in sync on the slave server.  It is configured as a PRIMARY time source.  Should I configure this differently?  Should I have time sync?  (since the other time servers are on the master side of the VPN).  This server has a R/W of [Root] and a Master of ..OU=REMOTE.O=MYCOMPANY, with R/W's on two servers at the main office.

2.  The BM3.7 licenses are installed in the same container as the server.  The "Novell+Bordermanger Site to Site VPN+370, SN:xxxxxxx" reports "Units in Use" = 0.  Is this correct?  On my Master server, I noticed that the Client to Site always reports Units in Use = 0 until a client connects, and then it reports 1.  Also, the Proxy license on the slave server reports Units in Use = 0, but the Proxy is working.

3.  Should the Slave have a VPTUNNEL?  On the Master, there is a VPTUNNEL and a "Configured WAN Call Destination" in INETCFG of VPTUNNEL@68.88.xx.xx.  It's configured as an IP Relay Tunnel.

4.  When the Master and Slave VPN files were created and imported on each server, I had different versions of TCPIP.NLM running on the two servers.  The Master was 128 bit, the Slave was 56 bit.  I now have the same version on both servers.  Do I need to regenerate these files and reinstall them?

5.  On the Master server, VPN sync is reported as "Up to date" on the Master and "Being Configured" on the Slave.


Craig Johnson wrote:

> That error is kind of generic and can result from a number of causes, including lack of a VPN license on the server.  Check the licenses.
>
> Also check the HOSTS and HOSTNAME files in sys:etc for accuracy.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://nscsysop.hypermart.net ***




0
Earl
8/19/2003 12:40:23 AM
I also ran NMap for Windows from home.

I ran an IP Protocol Scan.

Protocol 57 (SKIP) reports as open for the public IP of my slave server.

The command was:

nmap -sO -P0 -O -T 3 68.88.xx.xx

Does this verify that SKIP is running on the slave server and my DSL ISP is allowing the protocol to go through?




0
Earl
8/19/2003 1:51:43 AM
In article <3F41726D.C80D0668@pec1.com>, Earl H wrote:
> What should these two files look like?

They should have the correct IP address (private side)

> Here's what mine look like (via a text editor):
>
> Slave HOSTNAME:
>
> 10.0.x.x  SLAVE_SERVER_NAME.ORGANIZATION.COM
>
> The 10.0.x.x is the private IP of the slave server.
>
> Master HOSTNAME:
>
> 10.0.x.x MASTER_SERVER_NAME []12.5.x.x[]
>
> The [] is a single character that looks like a box.  The 12.5.x.x is the public IP.  The 10.0.x.x is the private IP of the master.

This doesn't sound good.  The slave sounds fine.

Incidentally, you don't need to hide the address here as a 10.0.x.x address is not a public IP address to start with.  (Is that a dummy address for this posting, or are you doing this across a private WAN link?  10.x.x.x addresses will not route over the Internet, and if those really are your public IP addresses, it indicates that NAT is being used at the routers, and site-site VPN will not work across NAT).


> 1.  Time is not in sync on the slave server.

It should be within a minute (theoretically within an hour) of the other VPN server.  That is, the UTC times should match as closely as possible.  Whether it is in timesync is not, I think, quite so important as that the time itself is not off too far.

> 2.  The BM3.7 licenses are installed in the same container as the server.  The "Novell+Bordermanger Site to Site VPN+370, SN:xxxxxxx" reports "Units in Use" = 0.  Is this correct?  On my Master server, I noticed that the Client to Site always reports Units in Use = 0 until a client connects, and then it reports 1.  Also, the Proxy license on the slave server reports Units in Use = 0, but the Proxy is working.
>
The master's licenses should be in a replica for which the master is on the same side of the VPN as the master VPN server.  (Preferably the VPN server itself is the master of that replica ring).  The slave's licenses need to be in a master replica on the slave side of the VPN.

> 3.  Should the Slave have a VPTUNNEL?

That will show up once the servers talk to each other, and get past the first stages of VPN communications.

> 4.  When the Master and Slave VPN files were created and imported on each server, I had different versions of TCPIP.NLM running on the two servers.  The Master was 128 bit, the Slave was 56 bit.  I now have the same version on both servers.  Do I need to regenerate these files and reinstall them?

I think I would go ahead and reconfigure the VPN there, to be sure.

> 5.  On the Master server, VPN sync is reported as "Up to date" on the Master and "Being Configured" on the Slave.

You might have filtering issues here - try a quick test by dropping the filters on each system if you have time close and licenses where they should be.  A stock BM 3.7 server did not have the correct default exceptions in place to make VPN work.  If you have the BM37SP2 patch, you can run BRDCFG again, and it will add new exceptions.  (Those exceptions may be totally different than what you expect to see if used to 3.6...)


Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://nscsysop.hypermart.net ***




0
Craig
8/19/2003 4:51:31 AM
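Craig's answer to the HOSTNAME question is "the correct IP address (private side)", and Earl's master file shows a box character wrapped around a second, public address. The following check is an added example written for this thread; it is not part of the discussion and not a Novell tool. It parses NetWare-style `<ip> <name> [alias ...]` text, reports any non-printable character (what an editor draws as a box), flags a second IP address that has landed in the name field, and confirms the first field is an RFC 1918 private address. The three sample files are constructed; 203.0.113.10 is a documentation address standing in for the 12.5.x.x public IP.

```python
import ipaddress

# Constructed sample HOSTNAME files modelled on the two quoted in the thread.
# The master copy carries a NUL (the "box" seen in the editor) and a stray
# public address in the name field; 203.0.113.10 stands in for 12.5.x.x.
SLAVE_HOSTNAME = "10.0.6.10  SLAVE_SERVER_NAME.ORGANIZATION.COM\n"
MASTER_HOSTNAME = "10.0.1.10 MASTER_SERVER_NAME \x00203.0.113.10\x00\n"
PUBLIC_HOSTNAME = "203.0.113.10 MASTER_SERVER_NAME\n"   # public address where the private one belongs

NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_hostname_file(text):
    """Validate NetWare-style HOSTNAME/HOSTS text ('<ip> <name> [alias ...]' per line).

    Returns a list of (line_number, problem) tuples; an empty list means the
    file looks clean."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        if not line.strip():
            continue
        # 1. Anything outside printable ASCII shows up as a box in an editor
        #    and may be invisible on the server console.
        junk = sorted({c for c in line if not (c.isprintable() and ord(c) < 127)})
        if junk:
            problems.append((lineno, "non-printable characters: "
                             + " ".join("\\x%02x" % ord(c) for c in junk)))
            line = "".join(c for c in line if c.isprintable() and ord(c) < 127)
        fields = line.split()
        if len(fields) < 2:
            problems.append((lineno, "expected '<ip> <name>', got %r" % raw))
            continue
        # 2. First field must be an IP address, and for the VPN server's own
        #    entry it should be the private-side address.
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append((lineno, "first field is not an IP address: %r" % fields[0]))
            continue
        if not any(addr in net for net in RFC1918):
            problems.append((lineno, "%s is not an RFC 1918 private-side address" % addr))
        # 3. Name and alias fields must look like host names, not like a
        #    second address pasted in by mistake.
        for token in fields[1:]:
            try:
                ipaddress.ip_address(token)
            except ValueError:
                pass
            else:
                problems.append((lineno, "extra IP address in name field: %s" % token))
                continue
            if not set(token) <= NAME_CHARS:
                problems.append((lineno, "suspicious host name token %r" % token))
    return problems


if __name__ == "__main__":
    for label, text in (("slave", SLAVE_HOSTNAME), ("master", MASTER_HOSTNAME),
                        ("public", PUBLIC_HOSTNAME)):
        print(label, check_hostname_file(text) or "OK")
```

Run against a real `sys:etc\hostname` copied off the server, the first finding on the master-style sample is the hidden byte, which is the kind of defect a text editor shows only as a box and the console may not show at all.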
In article <3F418319.DBFD211@pec1.com>, Earl H wrote:
> Does this verify that SKIP is running on the slave server and my DSL ISP is allowing the protocol to go through?
>
Probably.  (I'm not 100% sure).

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://nscsysop.hypermart.net ***




0
Craig
8/19/2003 4:51:31 AM
I'm using a private address of 10.0.1.10 (subnet mask 255.255.255.0) on the Master VPN server and 10.0.6.10 on the Slave VPN server.  The public IPs are 12.5.xx.xx on the Master and 68.88.xx.xx on the slave.  I am using real numbers in place of the 'xx' parts.

The VPN tunnel addresses are 10.0.99.1 for the Master and 10.0.99.6 for the Slave.

My Master server has been in place for a while and is working fine as far as "Client to Site VPN".  It also uses NAT for our email server via a secondary IP address.  The slave does not use any NAT at this time, but I do have Static and Dynamic NAT turned on in INETCFG.  I did this because I have added two NAT entries for future web and FTP servers using secondary IP addresses.

I feel comfortable that my Master server is configured correctly, but the weird squares '[]' in the HOSTNAME seem incorrect.



> Incidentally, you don't need to hide the address here as a 10.0.x.x address is not a public IP address to start with.  (Is that a dummy address for this posting, or are you doing this across a private WAN link?  10.x.x.x addresses will not route over the Internet, and if those really are your public IP addresses, it indicates that NAT is being used at the routers, and site-site VPN will not work across NAT).
>

The time of the slave is within one minute of the master server's time.

If I type TIME, the time is not in sync on the slave.  I was just concerned that it should be in sync and that I should temporarily change it from a PRIMARY time source to a SINGLE to get the "in sync" message.

> > 1.  Time is not in sync on the slave server.
>
> It should be within a minute (theoretically within an hour) of the other VPN server.  That is, the UTC times should match as closely as possible.  Whether it is in timesync is not, I think, quite so important as that the time itself is not off too far.
>

My replicas are the way you stated.  Master replica of Master VPN server is on that server, and the master replica of the Slave VPN server is on the slave server.

>
> > 2.  The BM3.7 licenses are installed in the same container as the server.  The "Novell+Bordermanger Site to Site VPN+370, SN:xxxxxxx" reports "Units in Use" = 0.  Is this correct?  On my Master server, I noticed that the Client to Site always reports Units in Use = 0 until a client connects, and then it reports 1.  Also, the Proxy license on the slave server reports Units in Use = 0, but the Proxy is working.
> >
> The master's licenses should be in a replica for which the master is on the same side of the VPN as the master VPN server.  (Preferably the VPN server itself is the master of that replica ring).  The slave's licenses need to be in a master replica on the slave side of the VPN.
>

OK.  I am not seeing the VPTUNNEL at this time

>
> > 3.  Should the Slave have a VPTUNNEL?
>
> That will show up once the servers talk to each other, and get past the first stages of VPN communications.
> >

I will reconfigure and swap/install the files again to be sure.

>
> > 4.  When the Master and Slave VPN files were created and imported on each server, I had different versions of TCPIP.NLM running on the two servers.  The Master was 128 bit, the Slave was 56 bit.  I now have the same version on both servers.  Do I need to regenerate these files and reinstall them?
>
> I think I would go ahead and reconfigure the VPN there, to be sure.
> >
> > 5.  On the Master server, VPN sync is reported as "Up to date" on the Master and "Being Configured" on the Slave.
>

I am running BM37SP2, but I may have run BRDCFG before applying the patch.  I can't remember.  I will try running BRDCFG again.

>
> You might have filtering issues here - try a quick test by dropping the filters on each system if you have time close and licenses where they should be.  A stock BM 3.7 server did not have the correct default exceptions in place to make VPN work.  If you have the BM37SP2 patch, you can run BRDCFG again, and it will add new exceptions.  (Those exceptions may be totally different than what you expect to see if used to 3.6...)
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://nscsysop.hypermart.net ***




0
Earl
8/19/2003 11:00:03 AM
The NMap program shows 1 through 200+ as OPEN, so it appears to me that my ISP is allowing those protocols and is not filtering them.

Craig Johnson wrote:

> In article <3F418319.DBFD211@pec1.com>, Earl H wrote:
> > Does this verify that SKIP is running on the slave server and my DSL ISP is allowing the protocol to go through?
> >
> Probably.  (I'm not 100% sure).
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://nscsysop.hypermart.net ***




0
Earl
8/19/2003 11:01:28 AM
OK.

Here's what I have tried:

1.  Regenerated MINFO.VPN and SINFO.VPN.  Installed MINFO.VPN on slave server.  Deleted slave cfg from master and reinstalled using new SINFO.VPN.

Still no luck.

2.  Ran BRDCFG on slave server.  Recreated the filters.

Still no luck.

3.  Unloaded IPFLT on both servers.

Still no luck.




> In article <3F41726D.C80D0668@pec1.com>, Earl H wrote:
> > What should these two files look like?
>
> They should have the correct IP address (private side)
> >
> > Here's what mine look like (via a text editor):
> >
> > Slave HOSTNAME:
> >
> > 10.0.x.x  SLAVE_SERVER_NAME.ORGANIZATION.COM
> >
> > The 10.0.x.x is the private IP of the slave server.
> >
> > Master HOSTNAME:
> >
> > 10.0.x.x MASTER_SERVER_NAME []12.5.x.x[]
> >
> > The [] is a single character that looks like a box.  The 12.5.x.x is the public IP.  The 10.0.x.x is the private IP of the master.
>
> This doesn't sound good.  The slave sounds fine.
>
> Incidentally, you don't need to hide the address here as a 10.0.x.x address is not a public IP address to start with.  (Is that a dummy address for this posting, or are you doing this across a private WAN link?  10.x.x.x addresses will not route over the Internet, and if those really are your public IP addresses, it indicates that NAT is being used at the routers, and site-site VPN will not work across NAT).
>
>
> > 1.  Time is not in sync on the slave server.
>
> It should be within a minute (theoretically within an hour) of the other VPN server.  That is, the UTC times should match as closely as possible.  Whether it is in timesync is not, I think, quite so important as that the time itself is not off too far.
>
> > 2.  The BM3.7 licenses are installed in the same container as the server.  The "Novell+Bordermanger Site to Site VPN+370, SN:xxxxxxx" reports "Units in Use" = 0.  Is this correct?  On my Master server, I noticed that the Client to Site always reports Units in Use = 0 until a client connects, and then it reports 1.  Also, the Proxy license on the slave server reports Units in Use = 0, but the Proxy is working.
> >
> The master's licenses should be in a replica for which the master is on the same side of the VPN as the master VPN server.  (Preferably the VPN server itself is the master of that replica ring).  The slave's licenses need to be in a master replica on the slave side of the VPN.
>
> > 3.  Should the Slave have a VPTUNNEL?
>
> That will show up once the servers talk to each other, and get past the first stages of VPN communications.
> >
> > 4.  When the Master and Slave VPN files were created and imported on each server, I had different versions of TCPIP.NLM running on the two servers.  The Master was 128 bit, the Slave was 56 bit.  I now have the same version on both servers.  Do I need to regenerate these files and reinstall them?
>
> I think I would go ahead and reconfigure the VPN there, to be sure.
> >
> > 5.  On the Master server, VPN sync is reported as "Up to date" on the Master and "Being Configured" on the Slave.
>
> You might have filtering issues here - try a quick test by dropping the filters on each system if you have time close and licenses where they should be.  A stock BM 3.7 server did not have the correct default exceptions in place to make VPN work.  If you have the BM37SP2 patch, you can run BRDCFG again, and it will add new exceptions.  (Those exceptions may be totally different than what you expect to see if used to 3.6...)
>
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://nscsysop.hypermart.net ***
>




0
EarlH
8/19/2003 3:36:12 PM
OK.  I talked to SBC today (my ISP) and they said that they do not filter any protocols.  So hopefully that is true and SKIP is working.

Here's something I ran across that seems very strange to me.

The public IP of my SLAVE is 68.88.xx.41.  The 'xx' is an actual number.  I am not using 'xx'.

The default gateway of my SLAVE is 68.88.xx.46.

The private IP of my MASTER is 10.0.1.10.

If I run a TRACERT to 68.88.xx.46 (default gateway) from a workstation on the network behind the MASTER BM server, it works fine.  The route completes and all hops are shown.

If I then run a TRACERT to 68.88.xx.41 (Slave Server), the first hop is 10.0.1.10 (private side of Master BM server), then it times out with asterisks (*  *  *).

I can go to visualroute.com and trace to 68.88.xx.41 just fine.

I then added a secondary IP to the slave server of 68.88.xx.42 and it traces from the workstation (Master site) just fine.

So, I rebooted the Master server and tried it without BRDSRV or VPMASTER loaded.  It timed out.  I tried it with IPFLT unloaded.  It timed out.

I have searched everywhere for a bad route, but I can't find it.

Is this normal??????????????

Where should I search to find this problem?





0
EarlH
8/19/2003 11:00:10 PM
FINALLY!  I made a site to site connection.

I had tried running VPNCFG (several times) to recreate the master and slave setup, along with recreating the filters.  I also tried unloading IPFLT on both the Master and Slave servers.

Then, today, I thought I would try adding a filter rule that allowed ANY IP (source or destination) traffic from the Master server to the Public IP of the Slave server, and ANY IP (source or destination) from the Slave to the Public IP of the Master.

This worked, and my Site to Site VPN connected.  Then I had some errors on the Master relating to packets not taking the correct path to the Public IP on the Slave and the tunnel would eventually fail and close.  It appeared to be taking the Tunnel as the least cost route to the public IP.  So, I disabled RIP on both servers and that error went away.

So, now my VPN works, but I am allowing any IP traffic between the Public IP of the Master and Slave.  Basically, here are the rules:

Master Server:   (68.88.xx.xx is the Public IP of the SLAVE.  The 'xx' are actual numbers.)
    EXCLUDE ENABLED NOLOG, INTRFACE:<Any>, IP:pid=IP, INTRFACE:<Any> IP:68.88.xx.xx, TEST2
    EXCLUDE ENABLED NOLOG, INTRFACE:<Any> IP:68.88.xx.xx, IP:pid=IP, INTRFACE:<Any>, TEST1

Slave Server:   (12.5.xx.xx is the Public IP of the Master.  The 'xx' are actual numbers.)
    EXCLUDE ENABLED NOLOG, INTRFACE:<Any>, IP:pid=IP, INTRFACE:<Any> IP:12.5.xx.xx, TEST2
    EXCLUDE ENABLED NOLOG, INTRFACE:<Any> IP:12.5.xx.xx, IP:pid=IP, INTRFACE:<Any>, TEST1

I would feel much better if I had the allowable IP ports locked down to only the ones I need.

Would someone please tell me what rules I should have at both the Master and Slave servers?

Obviously the preconfigured VPNCFG.NLM created rules are not enough or are incorrect.

I also find it interesting that unloading IPFLT on both ends did not work?




0
Earl
8/21/2003 1:50:38 AM
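The tunnel failure Earl describes, with packets to the slave's public IP "taking the Tunnel as the least cost route", is what a longest-prefix route lookup produces when the peer's public subnet is learned through the tunnel itself. The following is an added example, not from the thread and not NetWare's TCPCON output: a constructed master routing table containing a RIP-learned route that covers the slave's public subnet via VPTUNNEL (one way this can happen when the slave runs RIP on its public interface; an assumption of this example), the same table with RIP routes removed as Earl did, and, going one step beyond the post, a pinned host route for the peer's public address via the physical gateway, which wins on prefix length even with RIP left on. Addresses are documentation ranges standing in for 12.5.xx.xx and 68.88.xx.41; the tunnel addresses are the ones Earl posted.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    interface: str
    metric: int
    source: str          # "connected", "static" or "rip"


def lookup(routes, dst):
    """Plain longest-prefix match; among equal prefix lengths the lowest metric wins.
    Returns the Route that would carry the packet, or None."""
    addr = ipaddress.ip_address(dst)
    best_key, best = None, None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net:
            key = (net.prefixlen, -r.metric)
            if best_key is None or key > best_key:
                best_key, best = key, r
    return best


# Constructed stand-ins for the thread's addresses.
SLAVE_PUBLIC = "198.51.100.41"     # stands for 68.88.xx.41
SLAVE_PUBLIC_NET = "198.51.100.0/24"
MASTER_GATEWAY = "203.0.113.1"     # master's upstream router on the 12.5.xx.xx side
TUNNEL_PEER = "10.0.99.6"          # slave's VPTUNNEL address from the thread

# The master's table as this example assumes it looked while RIP was on.
MASTER_TABLE = [
    Route("0.0.0.0/0", MASTER_GATEWAY, "PUBLIC", 1, "static"),
    Route("203.0.113.0/24", "0.0.0.0", "PUBLIC", 0, "connected"),
    Route("10.0.1.0/24", "0.0.0.0", "PRIVATE", 0, "connected"),
    Route("10.0.99.0/24", "0.0.0.0", "VPTUNNEL", 0, "connected"),
    Route("10.0.6.0/24", TUNNEL_PEER, "VPTUNNEL", 2, "rip"),        # slave LAN: wanted through the tunnel
    Route(SLAVE_PUBLIC_NET, TUNNEL_PEER, "VPTUNNEL", 2, "rip"),     # slave public subnet: the problem
]


def egress_for_peer(table, peer=SLAVE_PUBLIC, rip_enabled=True, pin_host_route=False):
    """Interface the master would use to reach the peer's public address.

    rip_enabled=False drops RIP-learned routes (Earl's fix); pin_host_route=True
    adds a /32 for the peer via the physical gateway instead."""
    routes = [r for r in table if rip_enabled or r.source != "rip"]
    if pin_host_route:
        routes.append(Route(peer + "/32", MASTER_GATEWAY, "PUBLIC", 1, "static"))
    r = lookup(routes, peer)
    return r.interface if r else None


if __name__ == "__main__":
    print("RIP on, no host route :", egress_for_peer(MASTER_TABLE))
    print("RIP off              :", egress_for_peer(MASTER_TABLE, rip_enabled=False))
    print("RIP on, host route   :", egress_for_peer(MASTER_TABLE, pin_host_route=True))
```

The first case sends the SKIP and TCP 213 packets for the slave's public address into the tunnel that those packets are supposed to build, so the tunnel cannot stay up; the other two cases keep the peer reachable over the physical path.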
I'm working on a similar issue.

Before the VPN gets configured, can the servers ping each other (with filters down or icmp exception in place)?  Public IP address to public IP address, that is.

The first step of the vpn configuration can fail for a number of reasons, and one is if the public sides cannot communicate (VPMASTER to VPSLAVE) - sometimes due to a filtering issue.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://nscsysop.hypermart.net ***




0
Craig
8/21/2003 9:12:52 AM
In article <_Zx0b.5946$586.126@prv-forum2.provo.novell.com>, wrote:
> If I then run a TRACERT to 68.88.xx.41 (Slave Server), the first hop is 10.0.1.10 (private side of Master BM server), then it times out with asterisks (*  *  *).
>
TCPCON show an odd route for that host?

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://nscsysop.hypermart.net ***




0
Craig
8/21/2003 9:12:52 AM
In article <3F4425F0.2426A6F4@pec1.com>, Earl H wrote:
> Would someone please tell me what rules I should have at both the Master and Slave servers?
>
I have them all listed in my BMgr book, but essentially for site-site VPN, you need TCP port 213 in both directions, including responses.  Plus SKIP.


> Obviously the preconfigured VPNCFG.NLM created rules are not enough or are incorrect.

Actually, I think VPNCFG adds filters for routing protocols, but not exceptions.  And a 'raw' BMgr 3.7 installation will indeed have missing filter exceptions (no outbound replies to inbound VPN traffic) - BRDCFG can fix that.

> I also find it interesting that unloading IPFLT on both ends did not work?

So do I - perhaps you didn't wait long enough for the VPN to retry?  When it fails, it retries every 15 minutes to reconfigure.


Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://nscsysop.hypermart.net ***




0
Craig
8/21/2003 9:12:52 AM
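Earl's working rule pair lets any IP protocol on any port through as long as one end is the peer's public address, while Craig's answer narrows that to TCP 213 in both directions (with responses) plus SKIP. The example below is added here to make that difference concrete; it is not from the thread and does not parse BorderManager's FILTCFG syntax. It models each exception as a match tuple where `None` plays the role of `<Any>`, builds both rule sets for the master, and evaluates constructed packets against them. Treating "responses" as a source-port 213 rule is an assumption of this model, and the addresses are documentation ranges standing in for 12.5.xx.xx and 68.88.xx.41.

```python
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP = 6
IPPROTO_SKIP = 57           # SKIP, the key-management protocol BM 3.x site-to-site VPN uses
VPN_CONTROL_PORT = 213      # TCP port Craig names for the site-to-site setup traffic

# Constructed stand-ins for the thread's public addresses (documentation ranges).
MASTER_PUBLIC = "203.0.113.10"    # stands for 12.5.xx.xx
SLAVE_PUBLIC = "198.51.100.41"    # stands for 68.88.xx.41
MASTER_LAN_HOST = "10.0.1.50"     # a workstation behind the master


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One filter exception. A None field matches anything, like <Any> in FILTCFG."""
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        checks = ((self.proto, p.proto), (self.src, p.src), (self.dst, p.dst),
                  (self.sport, p.sport), (self.dport, p.dport))
        return all(want is None or want == got for want, got in checks)


def allowed(pkt: Packet, exceptions) -> bool:
    """Default deny: a packet passes only if some exception matches it."""
    return any(rule.matches(pkt) for rule in exceptions)


# Earl's TEST1/TEST2 pair on the master: any protocol, any port, peer on either end.
MASTER_BROAD = [
    Rule(dst=SLAVE_PUBLIC),   # TEST2: anything addressed to the slave
    Rule(src=SLAVE_PUBLIC),   # TEST1: anything coming from the slave
]

# The minimal set from Craig's reply: TCP 213 both ways, its responses, and SKIP.
MASTER_TIGHT = [
    Rule(proto=IPPROTO_TCP, src=SLAVE_PUBLIC, dst=MASTER_PUBLIC, dport=VPN_CONTROL_PORT),
    Rule(proto=IPPROTO_TCP, src=MASTER_PUBLIC, dst=SLAVE_PUBLIC, dport=VPN_CONTROL_PORT),
    Rule(proto=IPPROTO_TCP, src=SLAVE_PUBLIC, dst=MASTER_PUBLIC, sport=VPN_CONTROL_PORT),  # responses
    Rule(proto=IPPROTO_TCP, src=MASTER_PUBLIC, dst=SLAVE_PUBLIC, sport=VPN_CONTROL_PORT),  # responses
    Rule(proto=IPPROTO_SKIP, src=SLAVE_PUBLIC, dst=MASTER_PUBLIC),
    Rule(proto=IPPROTO_SKIP, src=MASTER_PUBLIC, dst=SLAVE_PUBLIC),
]

# Constructed traffic: the three flows the VPN needs, and two it does not.
SAMPLE_PACKETS = {
    "skip from slave": Packet(IPPROTO_SKIP, SLAVE_PUBLIC, MASTER_PUBLIC),
    "vpn setup from slave": Packet(IPPROTO_TCP, SLAVE_PUBLIC, MASTER_PUBLIC, sport=1025, dport=213),
    "vpn setup reply from slave": Packet(IPPROTO_TCP, SLAVE_PUBLIC, MASTER_PUBLIC, sport=213, dport=1026),
    "http from slave to lan host": Packet(IPPROTO_TCP, SLAVE_PUBLIC, MASTER_LAN_HOST, sport=2000, dport=80),
    "vpn port from stranger": Packet(IPPROTO_TCP, "192.0.2.7", MASTER_PUBLIC, sport=3000, dport=213),
}


def compare(name: str):
    """Return (allowed_by_broad, allowed_by_tight) for a named sample packet."""
    p = SAMPLE_PACKETS[name]
    return allowed(p, MASTER_BROAD), allowed(p, MASTER_TIGHT)


if __name__ == "__main__":
    for name in SAMPLE_PACKETS:
        print("%-28s broad=%-5s tight=%s" % ((name,) + compare(name)))
```

Both rule sets carry the three flows the tunnel needs; only the broad set also admits the unrelated TCP 80 flow from the peer's address to a LAN host, which is exactly the exposure Earl says he would rather not leave open.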
You are probably right.  I only had IPFLT unloaded for a few minutes.  Had I waited, it probably would have worked.

I have your book (very useful tool).  I should have looked there first for the VPN filter exceptions.

I did rerun BRDCFG on the slave, but not the master.  I have Client to Site on the Master and it is working.  So I was afraid to run BRDCFG on that server again.

Thank you for all your help.


>
> > I also find it interesting that unloading IPFLT on both ends did not work?
>
> So do I - perhaps you didn't wait long enough for the VPN to retry?  When it fails, it retries every 15 minutes to reconfigure.
>




0
Earl
8/21/2003 12:08:17 PM

The real problems in 1.xx and 2.xx...
Having been in industry, technology, product testing and software development managing, and intensely used SeaMonkey 1.xx, I still see in in SeaMonkey 1.1.7 that critical in-between failure or situation... Version 1.xx, is already too old and already too far behind the times to REALLY be of use, especially by those that do not or can not stand Firefox 2.x or what seems to be coming up in the impending Firefox 3. One prime example is 1.x and 2.x's better security and the Composer functions... simply superb to say the least. Yet by the time that the current 1.xx becomes ...

Upgrade 6.5.1 to 7.xx.xx
Hi there, I'm currently running PB 6.5.1 with some EBF's. I'd like to know if I should upgrade to 7.xx.xx and if so to wich version?? What abaout stabability? I'm using MSSQL 7.0 as db. TIA Dan ...

Set to Execute at xx:xx o'clock
I may be in the wrong forum, but this is the only one I know well... I have a Windows Service that I want to execute at 12pm and 5pm. Can I do this with the timer class, or is there some way to trigger it? Thanks for your help, Grier Hello, to do so, you can use Windows Schedular. regards.Bilal Hadiar, MCP, MCTS, MCPD, MCTMicrosoft MVP - Telerik MVP So I just make an executable and register it with Windows Scheduler?...

Firefox transition ver 2.XX to 3.XX
Name: John Aranibar Email: jaranibaatbigponddotnetdotau Product: Firefox Summary: Firefox transition ver 2.XX to 3.XX Comments: To whom it may concern, First of all I'm not sure if I am in the right area, but none then less, please accept my most sincere congratulations for to all of you for a job well done. Now, to the no so good, I have a small question, on Firefox 2.xx the menu to organice the bookmarks is quiet easy to use, especially when there is a need to delete bookmarks, on version 3.xx I found that I can not delete a bookmark. is it because is the default &quo...

ASA 6.xx / 7.xx Max onnections
Hi. What is the maximum connection that I can maintain in ASA 6.xx or 7.xx with normal Performance, Working on NT with system hardware as follows: 2 Processors of type PIII 600/750 or more 256-512Mb RAM SCSI drives. Can it hold 70 working connections on the same time? Best Regards. Yossi Zaig. Asakim LTD. > Can it hold 70 working connections on the same time? Yes, easily Now the more important question... Are all the 70 users connected performing inserts OR are they ALL performing 30 table joins at the same time? The real question is what load the connect...

OBJECT_NOT_EXIST (Session/lookup
I have a test cluster with two servers and one of the servers lease expired. I have installed the same version of Jaguar as the other server in the cluster and the servers have the same name and listeners, when I tried syncing the cluster to the new server ( which kept the old servers name and ip) I started getting the SystemException: OBJECT_NOT_EXIST (Session/lookup - @XXX.XX.X.XX) message whenever the server was called. I have tried deleting the cluster and recreating it and that didn't help. I have tried syncing from the new server making it the primary and that seems to have...

Mailer-Daemon@xxx.xxxxxxx.xx.xx (user not found)
Hi! We are using GW5.5. During the last days, me (postmaster) and ADMIN are receiving every 1-3 seconds mails same as the following one. Please help to stop this avalanche. TIA Nanu ------------- The mail example --------------------------------------- MAIL FROM:<admin@frogo.bezeqint.net> RCPT TO:<Mailer-Daemon@mail.kalmanovitz.co.il> Received: from frogo.bezeqint.net by mail.kalmanovitz.co.il; Tue, 25 May 2004 10:57:15 +0300 To: Mailer-Daemon@mail.kalmanovitz.co.il From: admin@frogo.bezeqint.net Subject: Returned mail: unreachable recipients: admin@frog...

ValidationExpression URL allow http://xxx.xx?xx=x
I have ValidationExpression="http://([\w-]+\.)+[\w-]+(/[\w- ./?%&amp;=]*)?" I would just like to allow not having a slash before a question mark in a URL. I have the list of the Regular Expression Syntax (JScript), but I think it is really complicated to change anything. If I just have ValidationExpression="http://" I still are not allowed to have a link like http://tni.dk?ref=1506764. Can anybody help?Jørgen A.J. ...

Mailer-Daemon@xxx.xxxxx.xx.xx (user not found)
Hi! I know that GW5.5 is out dated but maybe any of you can help, or maybe the problem exist in 6.x versions too. During the last days, me (postmaster) and ADMIN are receiving every 1-3 seconds mails same as the following one. Please help to stop this avalanche. TIA Nanu > ------------- The mail example --------------------------------------- > > MAIL FROM:<admin@frogo.bezeqint.net> > RCPT TO:<Mailer-Daemon@mail.kalmanovitz.co.il> > Received: from frogo.bezeqint.net > by mail.kalmanovitz.co.il; Tue, 25 May 2004 10:57:15 +0300 ...
