PPTP protocol configuration between NSM and ISGs

‎09-20-2011 01:37 AM

Hi, hoping someone on here may be able to help, as I have quite a frustrating issue between NSM and a set of ISG2000s (well, this is one of the gripes; I see from the forums that there are a vast number of issues that I have yet to experience!)


Basically, a policy in NSM allows the PPTP service to be used between a node on the Trust zone and a node on the Untrust zone. Looking at PPTP on NSM, it includes TCP1723 and GRE(0-65535), which is great!


However on pushing this policy to a set of ISGs, and testing the policy, the logs on NSM show that the GRE protocol is being dropped!


Adding the GRE specific service (1-65535) from NSM into the policy enables the traffic, and the connection completes.


On further investigation, it appears the ISG PPTP defined service only includes TCP1723, and not GRE. Surely this is a flaw between NSM and the ISGs?


Has anyone else come across this issue, and does anyone know of a resolution or if it affects any other protocols/services?


For info, ISGs are running 6.3.0r4 and NSM 2011.1.



Production: Clustered SA6500-FIPS running 6.5r2
Development: Single SA2000 running 7.1r1