- Reference to VoIP FAQ for SIP-Helper
- MAC address of an interface
- Rename interface via CLI
General
Credentials
The credentials to the UTM are no longer known. Can the password be reset?
- Answer
- Solution
After restoring the configuration of the UTM, the password can be adjusted.
A backup of the current configuration is required for this process.
Initial setup
What is recommended before the initial setup?
- Answer
CLI commands
Is there any documentation of the CLI commands?
- Answer
Throughput rates
Is there any information on the throughput rates of the different appliances?
- Answer
Server settings are not saved
Server settings cannot be saved due to a missing SNMP entry.
- Cause
- Solution
Deactivate SIM PIN request
How can the SIM PIN query be deactivated?
- Answer
This is described here.
Install UTM Image
How can the UTM image be installed on a UTM?
- Answer
Convert certificates
How can a certificate be converted?
- Answer
- Conversion DER (.crt .cer .der) to PEM: openssl x509 -inform der -in certificate.cer -out certificate.pem
- Conversion PEM to DER: openssl x509 -outform der -in certificate.pem -out certificate.der
- Convert PKCS#12 (.pfx .p12) with private key and certificates to PEM: openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
- Convert PEM with private key to PKCS#12 (.pfx .p12): openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
With -nocerts, openssl pkcs12 outputs only the private key. Note that -nodes writes the private key to the PEM file unencrypted, so the output file must be protected accordingly.
Unwanted call of speedport.ip
HTTP pages are redirected to speedport.ip
- Initial situation
- Explanation
- Cause
- Solution
- The simplest way would be to connect a client directly to the Speedport to confirm the message.
- Since the problem comes from the fact that the internal network cannot resolve the IP of the Speedport, a forward zone is simply created. The following steps are necessary for this:
- Under the Zones button a forward zone must be added with the following settings:
- Zone name: speedport.ip
- Nameserver hostname: ns
- IP address: We want to provide the nameserver ourselves.
- Under the Entries tab you will now find an entry with the value ns. (with a trailing dot). The dot after the ns must be removed.
The forward zone that has just been created must then be edited:
- Now two A-records have to be created:
- 1st A-record:
- Name: ns
- Type:
- Value: IP of the internal interface
This is needed for the internal network to resolve the speedport.ip page.
This only works if the clients have entered the Securepoint UTM as DNS server.
- 2nd A-record:
- Name: speedport.ip.
- Type:
- Value: IP of the Speedport router
Switch PPPoE to Router Connection
What should be considered when changing the Internet connection from a PPPoE connection to a router connection?
- Answer
Read out PPPoE access data
Can the PPPoE access data be read out?
- Answer
LOAD
What exactly does the LOAD denote?
- Answer
- LOAD is the number of processes that are waiting for or currently being processed (CPU or IO) at the same time.
- The number is always an integer, in contrast to the load average, which is the average value over the last 1, 5 or 15 minutes.
- If the load average is higher than the number of processors (or threads across all processors) of a system over a longer period of time, the system is slowed down.
- Short-term peaks are not uncommon.
- In the medium term, the load average should not exceed 3/4 of the number of processors.
Network
Evaluate network traffic
How can the network traffic be evaluated?
- Answer
With an SSH program and the user "root", the following options are also available:
IPSec connection does not establish
The IPSec connection does not establish
- Answer
- Check whether the recommendations have been complied with → IPSec S2S Recommendations
- Check the log messages in the livelog → IPSec Troubleshooting
- Are there port forwarders that forward the packets to a device behind the UTM?
- With an SSH program and the user "root", you can use tcpdump to check whether the IPSec packets arrive on the WAN interface:
tcpdump -i eth0 -nnp host <IP address of the remote gateway>
No communication with a Site2Site connection
The site-to-site connection is established, but communication does not work
- Answer
- First, check whether port filter rules have been created for the networks.
For IPSec connections, both options should be activated in the implicit rules.
- If packets with port 80 (HTTP) do not arrive, the transparent HTTP proxy can intercept the packets. An exclude must then be created for this.
- The target device may not be able to accept the packets because they come from another subnet. Either adjust the firewall of the target or create a port filter rule with a HideNat on the internal interface.
To check the paths of the packets, Wireshark can be used, or alternatively tcpdump with an SSH program and the user "root".
Example of a tcpdump on interface eth1, showing IP addresses and ports and filtering packets with protocol 1 (ICMP, e.g. echo requests): tcpdump -i eth1 -nnp proto 1
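As an added example (not from the Securepoint FAQ), a small Python parser over constructed lines in tcpdump -nn format that sorts what the two captures above would show into IKE (UDP 500), NAT-T (UDP 4500), ESP and ICMP, so that "no IKE packets from the peer at all" can be told apart from "IKE arrives but no ESP follows"; the addresses, the line format and the diagnostic hints are assumptions tied to the checks listed in the two answers.

```python
import re
from collections import Counter
# Constructed lines in "tcpdump -nn" format (not a real capture): 203.0.113.10 is the remote
# gateway, 198.51.100.5 the UTM WAN address, 10.10.0.5 a LAN host behind the UTM.
SAMPLE = """\
10:00:01.000100 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: parent_sa ikev2_init[I]
10:00:01.002300 IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]
10:00:01.050000 IP 203.0.113.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:00:02.000000 IP 203.0.113.10 > 198.51.100.5: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
10:00:02.100000 IP 198.51.100.5 > 203.0.113.10: ESP(spi=0x4d3c2b1a,seq=0x1), length 132
10:00:03.000000 IP 10.10.0.5 > 10.20.0.7: ICMP echo request, id 42, seq 1, length 64
"""
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
def split_endpoint(ep):
    """'203.0.113.10.500' -> ('203.0.113.10', 500); a bare IPv4 address -> (ip, None)."""
    parts = ep.split(".")
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (ep, None)

def classify(line):
    """Return (kind, src_ip, dst_ip) for one tcpdump line, or None for non-IP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, payload = m.groups()
    (src_ip, _), (dst_ip, dport) = split_endpoint(src), split_endpoint(dst)
    kind = "other"
    if payload.startswith("ESP("):
        kind = "ESP"  # encrypted tunnel traffic, IP protocol 50
    elif "isakmp" in payload:
        kind = "IKE-NAT-T" if dport == 4500 else "IKE"  # UDP 4500 = NAT traversal, 500 = plain IKE
    elif payload.startswith("ICMP"):
        kind = "ICMP"  # what "tcpdump ... proto 1" shows
    return kind, src_ip, dst_ip

def summarize(text, peer):
    """Count packet kinds, split into those sent by the remote gateway `peer` and all others."""
    counts = Counter()
    for line in text.splitlines():
        c = classify(line)
        if c is not None:
            counts[(c[0], "from-peer" if c[1] == peer else "other")] += 1
    return counts

def diagnose(counts):
    """Map the counts onto the checks from the two FAQ answers above."""
    if counts[("IKE", "from-peer")] + counts[("IKE-NAT-T", "from-peer")] == 0:
        return "no IKE from peer: packets never reach the WAN interface (routing, port forwarder)"
    if counts[("ESP", "from-peer")] == 0:
        return "IKE arrives but no ESP: negotiation fails, check the IPSec livelog"
    return "ESP flows: check port filter rules, proxy excludes and the target host's firewall"
```

Feed it the real output of the tcpdump commands above (for example via `summarize(open("capture.txt").read(), "<remote gateway IP>")`) to get the same classification on a live capture.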
HTTPS web pages are not detected by the web filter
HTTP web pages are filtered by the web filter, HTTPS pages are not
- Cause
- Solution
Disconnections with Lancom routers
Aborts with VPN connections with an upstream Lancom router
- Solution
Rename interface
How can I rename an interface of the UTM?
- Solution
1. Determine the ID of the interface:
interface get
id  |name  |type |flags |qos |zones |options                  |adi                            |state
156 |A0.7  |VLAN |      |    |      |vlan_id=7,vlan_parent=A0 |mac=00:01:02:03:04:05,mtu=1500 |UP
2. The ID can then be used to change the name:
interface rename id 156 name A99.7
3. Check the result:
interface get
id  |name  |type |flags |qos |zones |options                  |adi                            |state
156 |A99.7 |VLAN |      |    |      |vlan_id=7,vlan_parent=A0 |mac=00:01:02:03:04:05,mtu=1500 |UP
Determine MAC address
How can I find out the MAC address of an interface of the UTM?
- Answer
Allow iTunes
How can I ensure online access for iTunes?
- Answer
The following entries are necessary in the virus scanner allowlist of the HTTP proxy to allow iTunes to communicate correctly with the internet in certain setups.
^[^:]*://[^\.]*\.service\.gracenote\.com/
^[^:]*://[^\.]*\.mgr-mid\.gcsp\.cddbp\.net/
^[^:]*://[^\.]*\.mgr\.gcsp\.cddbp\.net/
^[^:]*://[^\.]*\.gcsp\.cddbp\.net/
^[^:]*://[^\.]*\.cddbp\.net/
^[^:]*://updates-http\.cdn-apple\.com/
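To see exactly which URLs these allowlist entries exempt from scanning, here is an added check (not part of the FAQ) that runs the patterns above against constructed URLs with Python's re module; it assumes the UTM matches them against the full request URL the way re.search does. It shows that each [^\.]* wildcard covers exactly one host label, that the bare domain itself is not matched, and that the ^ anchor and the [^:]* scheme part keep a look-alike host or a URL embedded in a query string from slipping through.

```python
import re

# The allowlist entries from the answer above, unchanged.
ALLOWLIST = [
    r"^[^:]*://[^\.]*\.service\.gracenote\.com/",
    r"^[^:]*://[^\.]*\.mgr-mid\.gcsp\.cddbp\.net/",
    r"^[^:]*://[^\.]*\.mgr\.gcsp\.cddbp\.net/",
    r"^[^:]*://[^\.]*\.gcsp\.cddbp\.net/",
    r"^[^:]*://[^\.]*\.cddbp\.net/",
    r"^[^:]*://updates-http\.cdn-apple\.com/",
]
COMPILED = [re.compile(p) for p in ALLOWLIST]

def matching_pattern(url):
    """Return the first allowlist pattern matching `url`, or None if the URL stays scanned."""
    for pat in COMPILED:
        if pat.search(url):
            return pat.pattern
    return None

# Constructed URLs (assumption: the proxy applies the patterns to the full URL, as re.search does).
CASES = {
    "https://c.service.gracenote.com/webapi/xml/1.0/": True,   # one label before the domain
    "https://a.gcsp.cddbp.net/": True,                          # matched by the .gcsp. entry
    "http://x.cddbp.net/ws/metadata": True,                     # scheme is not restricted
    "https://updates-http.cdn-apple.com/itunes/update.xml": True,
    "https://service.gracenote.com/": False,       # [^\.]*\. needs exactly one extra label
    "https://a.b.service.gracenote.com/": False,   # two labels do not fit [^\.]*
    "https://cdn-apple.com.evil.example/updates-http.cdn-apple.com/": False,  # anchored at ^
    "https://evil.example/?u=https://updates-http.cdn-apple.com/": False,     # [^:]* stops at ':'
}

def check_cases():
    """Map every constructed URL to whether the allowlist decision matches the expectation."""
    return {u: (matching_pattern(u) is not None) == exp for u, exp in CASES.items()}
```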
Firewall
Unload SIP Helper
How can the SIP Helpers be unloaded?
- Answer
- Loading the SIP helper via CLI should actually no longer be necessary.
This happens automatically with the use of the VoIP service group in the port filter.
Further details under VoIP FAQ
debug kmod unload module nf_nat_sip
debug kmod unload module nf_nat_h323
debug kmod unload module nf_conntrack_sip
debug kmod unload module nf_conntrack_h323
To load the helpers again:
debug kmod load module nf_nat_sip
debug kmod load module nf_nat_h323
debug kmod load module nf_conntrack_sip
debug kmod load module nf_conntrack_h323
Then, as the root user via SSH, run the command conntrack -F several times.
Authentication
SSL VPN with OTP
If the OTP function is activated, the user must authenticate manually after one hour.
- Cause
The user is also re-authenticated at this time.
If the OTP function is active, a current OTP must be transferred at this time.
- Solution
- Caution: If the renegotiation interval is increased, more data is encrypted with the same keys.
General Renegotiation
→ Edit SSL VPN Instance → Tab
Error message with AD connection
When integrating the UTM into a Microsoft Active Directory, the error message Failed to join domain: failed to set machine spn: Constraint violation is displayed.
- Solution
The UTM can then be integrated into the Active Directory again.
No email addresses via LDAP query
Querying email addresses via LDAP does not work.
- Solution
Update
Online update only delayed
Why does the UTM not receive the online update immediately after the update is released?
- Answer
- Solution