You speaka my language?
I’ve been working a problem for several weeks now between vendor X’s UTM device and vendor Y’s firewall device. To bring you up to speed: we recently started deploying UTM devices to our satellite offices. Since each of our offices has its own link to the Intarweb, we have a VPN mesh for inter-office connectivity. The VPNs all terminate at the firewalls and UTMs.
The rub comes when the devices need to work out a problem with the VPN connection. If one side doesn’t adhere to the RFC, then the other side won’t know what it’s saying.
That’s exactly the problem I’m running into now. One side drops the IPsec tunnel but the other side doesn’t get properly notified. One side continues to send traffic encrypted with a now-dead SA and the other side discards the traffic. The problem gets worse because the ISAKMP tunnel remains up, so one device continues to try to set up Quick Mode and works itself into an infinite loop where it won’t remove the old tunnel nor can it establish a new one, and lo and behold we have a link down until we manually flush all SAs for the link.
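To make the stuck state concrete, here is an added Python model of the two SA tables (constructed for this post, not code from either vendor’s device); the rule that a responder refuses Quick Mode while it still holds the old phase 2 SA is an assumption chosen to reproduce the loop described above.

```python
# Constructed model of the failure mode in the post (an added example, not code from
# either vendor): peers A and B share an ISAKMP SA and one IPsec SA with SPI 0x1000.
from dataclasses import dataclass, field

@dataclass
class Peer:
    ipsec_spis: set = field(default_factory=set)  # phase 2 SAs this peer accepts
    isakmp_up: bool = True                         # phase 1 SA still established
    discarded: int = 0                             # ESP packets dropped: unknown SPI

def send_esp(receiver: Peer, spi: int) -> bool:
    # The receiver silently drops ESP arriving on an SPI it no longer has.
    if spi in receiver.ipsec_spis:
        return True
    receiver.discarded += 1
    return False

def drop_ipsec_sa(peer: Peer, spi: int, notify=None) -> None:
    # Tear down a phase 2 SA; notify=None models a lost or ignored Delete payload.
    peer.ipsec_spis.discard(spi)
    if notify is not None:
        notify.ipsec_spis.discard(spi)

def try_quickmode(initiator: Peer, responder: Peer, old_spi: int) -> bool:
    # Re-key over the existing ISAKMP SA; assumed rule: responder refuses while it holds the old SA.
    if not (initiator.isakmp_up and responder.isakmp_up) or old_spi in responder.ipsec_spis:
        return False
    initiator.ipsec_spis.add(old_spi + 1)
    responder.ipsec_spis.add(old_spi + 1)
    return True

def stale_sa_detected(a: Peer, b: Peer, spi: int) -> bool:
    # Detection: exactly one side still holds the SA (compare both SA tables).
    return (spi in a.ipsec_spis) != (spi in b.ipsec_spis)

def flush_and_recover(a: Peer, b: Peer, spi: int) -> bool:
    # Mitigation from the post: flush every SA on both sides, re-establish phase 1, re-key.
    for p in (a, b):
        p.ipsec_spis.clear()
        p.isakmp_up = True
    return try_quickmode(a, b, spi)

def scenario(lost_delete: bool):
    # A drops the SA; B keeps sending on the old SPI only while it believes it is live.
    a, b = Peer({0x1000}), Peer({0x1000})
    drop_ipsec_sa(a, 0x1000, notify=None if lost_delete else b)
    for _ in range(3):
        if 0x1000 in b.ipsec_spis:
            send_esp(a, 0x1000)
    stuck = not any(try_quickmode(a, b, 0x1000) for _ in range(3))
    return {"discarded": a.discarded, "stuck": stuck, "stale": stale_sa_detected(a, b, 0x1000)}, a, b
```

With the Delete delivered, the re-key succeeds on the first try; with it lost, every ESP packet from B is discarded and Quick Mode never completes until both SA tables are flushed.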
This is one argument in favor of homogeneous layouts, but then you have the problem of complete exposure when your appliance model has a vulnerability.
Damned if you do, damned if you don’t.
