|Applies To||Address Translation; Check Point Firewall-1|
|Issue||Error: "Signature Violation: MAC" in the Event Viewer Log (Windows NT) or System Log (UNIX) on the Firewall Host|
|Cause||ACE/Server uses a MAC signature to verify the identity of the client. One element of the MAC Signature uses the source port and IP address to uniquely identify the authentication request. Because address translation translates port numbers as well as IP addresses, even if the client has a static translated address the authentication may fail.|
|Resolution||The firewall may have a "tunneling" mode in which ACE authentication traffic passes through with the source port left intact and the IP address either unchanged or statically translated. If that is not feasible, you can generate an ACE/Server configuration record (sdconf.rec) for that client with a protocol version that predates the MAC identifier enhancement. Note: this reduces security, because the MAC signature helps to verify the identity of the client.|
Obtain a copy of the "2.2 sdconf.rec Utility" from RSA Tech Support. The syntax of the command is:
sdconf22 sdconf.rec sdconf.new 6
The arguments are, in order: the source sdconf.rec, the new sdconf.rec to write, and the protocol version number to record in the new file (version 6 is the version prior to adding the MAC Signature).
The updated file is only needed on the firewall that is doing the address translation; all other clients and the server can continue to use the unaltered sdconf.rec.
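The following is an added illustration, not code from this article or from RSA: a toy model of why a signature that covers the source port breaks under port translation, and what the version-6 downgrade gives up. The article states only that the MAC covers the source port and IP address; the HMAC-SHA256 construction, the shared secret, the version numbers above 6, the agent address, ports and request bodies below are all constructed for the example. It also assumes that both ends agree on the address the agent is registered under (the translated address in a static translation setup), so that only the source port is taken from the packet as observed by the server.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed shared secret standing in for whatever the agent and server
# share in the real protocol; not a real ACE/Server value.
NODE_SECRET = b"constructed-node-secret"

# Version numbers: the article says 6 predates the MAC signature; any
# higher value is assumed here to carry one.
LEGACY_VERSION = 6
MAC_VERSION = 7


@dataclass
class AuthRequest:
    version: int
    payload: bytes            # opaque request body (user id, passcode, ...)
    mac: Optional[bytes]      # None for a legacy (version 6) record


def compute_mac(secret: bytes, agent_addr: str, src_port: int, payload: bytes) -> bytes:
    """Toy MAC binding the request to the agent address and source port.
    The real ACE/Server construction is not described by the article."""
    msg = f"{agent_addr}:{src_port}".encode() + b"|" + payload
    return hmac.new(secret, msg, hashlib.sha256).digest()


def client_send(version: int, agent_addr: str, src_port: int, payload: bytes) -> AuthRequest:
    """The agent signs with the source port it actually sends from."""
    if version <= LEGACY_VERSION:
        return AuthRequest(version, payload, None)
    return AuthRequest(version, payload, compute_mac(NODE_SECRET, agent_addr, src_port, payload))


def nat_rewrite(src_port: int, translate_port: bool) -> int:
    """Model of the firewall: a static translation or tunneling mode keeps the
    port; a translation that also rewrites ports picks a new ephemeral one."""
    return 40000 if translate_port else src_port   # 40000 is a constructed port


def server_verify(req: AuthRequest, agent_addr: str, observed_port: int) -> str:
    """The server recomputes the MAC from what it observes on the wire."""
    if req.version <= LEGACY_VERSION:
        # Nothing to check: the request is processed on the payload alone.
        return "ACCEPTED (no MAC: client identity not verified)"
    expected = compute_mac(NODE_SECRET, agent_addr, observed_port, req.payload)
    if req.mac is None or not hmac.compare_digest(expected, req.mac):
        return "Signature Violation: MAC"
    return "ACCEPTED"


def run_scenarios() -> dict:
    payload = b"user=alice;passcode=REDACTED"   # constructed request body
    agent_addr = "192.0.2.10"                   # constructed agent address
    port = 5500                                 # constructed source port
    results = {}

    # 1. Port arrives unchanged (no translation, or tunneling / static mode).
    req = client_send(MAC_VERSION, agent_addr, port, payload)
    results["port_kept"] = server_verify(req, agent_addr, nat_rewrite(port, False))

    # 2. Translation rewrites the source port: the server's recomputed MAC
    #    no longer matches and it logs the signature violation.
    req = client_send(MAC_VERSION, agent_addr, port, payload)
    results["port_rewritten"] = server_verify(req, agent_addr, nat_rewrite(port, True))

    # 3. Version-6 record: passes through port translation because there is
    #    no MAC, which is exactly the security the article says is given up.
    req = client_send(LEGACY_VERSION, agent_addr, port, payload)
    results["legacy_v6"] = server_verify(req, agent_addr, nat_rewrite(port, True))

    # 4. A request body altered in transit: the MAC catches it, the legacy
    #    record cannot.
    altered = payload.replace(b"alice", b"bob")
    req = client_send(MAC_VERSION, agent_addr, port, payload)
    req.payload = altered
    results["altered_with_mac"] = server_verify(req, agent_addr, port)
    req6 = client_send(LEGACY_VERSION, agent_addr, port, payload)
    req6.payload = altered
    results["altered_legacy"] = server_verify(req6, agent_addr, port)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18s} -> {outcome}")
```

Scenario 2 is the condition behind the logged error: the agent signed over the port it sent from, the server recomputes over the port it received, and the two differ. Scenario 3 shows the trade-off in the resolution: with a version-6 record the request is accepted regardless of translation, but, as scenario 4 makes explicit, the server then has no way to tell a genuine request from one that was altered or originated elsewhere.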
|Legacy Article ID||a34041|