Troubleshooting guide

Appendix A: State Tables for VPN-1/FireWall-1 4.0 SecuRemote — server side tables
Advanced Technical Reference Guide 4.1 June 2000 160
Used by SecuRemote Client: No
Used by FW daemon: Yes
Keys: <user ip, rule number>
Values: 0 or 1 (intersect with user database or not)
Timeout: 900 sec.
Comments: Client encrypt rules check this table to see if the connection belongs to
SecuRemote clients.
userc_encapsulating_clients table
If the negotiation phase concludes that certain host connections are to be encapsulated, the host IP
address and the encapsulating server IP address are inserted into the userc_encapsulating_clients table. This is
done after the encryption negotiation is complete.
Example
attributes: refresh, keep, expires 4000
<c0a81e05; c7cb4760; 3998/4000>
The userc_encapsulating_clients table uses the following format:
<client IP address; gateway’s IP address; time left/total time>
Used by SecuRemote Client: No
Used by FW daemon: Yes
Keys: <user_ip>
Values: <gwip>
Timeout: 4000 sec.
Comments: Used by the firewall kernel when deciding whether to encapsulate packets
destined to a user. Note that decryption is done based on the IP protocol.
userc_dont_trap table
When a packet has a destination IP address that is not in the encryption domain, that IP address is added to
the userc_dont_trap table so that further communication to that IP address is not trapped again (an
optimization).
Example
attributes: expires 10
<c7cb473e; 00000000; 3/10>
The userc_dont_trap table uses the following format:
<client’s IP address; (0 or 1); time left/total time>
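The two entry formats above can be decoded for review as follows. This is an added example, not code from the guide or from Check Point. It assumes each 8-digit hex field is an IPv4 address written most significant byte first, and unexpected_gateways is a hypothetical audit helper.

```python
import ipaddress
import re

# One entry as printed in the guide: <hex key; hex value; time left/total time>
ENTRY_RE = re.compile(
    r"<\s*([0-9a-fA-F]{8})\s*;\s*([0-9a-fA-F]{8})\s*;\s*(\d+)\s*/\s*(\d+)\s*>")

def hex_to_ip(field):
    """Decode an 8-digit hex field as IPv4 (assumed most significant byte first)."""
    return str(ipaddress.IPv4Address(int(field, 16)))

def parse_entry(line, table):
    """Decode one entry of userc_encapsulating_clients or userc_dont_trap."""
    m = ENTRY_RE.search(line)
    if m is None:
        raise ValueError(f"not a table entry: {line!r}")
    key, value, left, total = m.groups()
    entry = {"client_ip": hex_to_ip(key),
             "time_left": int(left), "timeout": int(total)}
    if entry["time_left"] > entry["timeout"]:
        raise ValueError(f"time left exceeds timeout: {line!r}")
    if table == "userc_encapsulating_clients":
        entry["gateway_ip"] = hex_to_ip(value)   # value field is the gateway
    elif table == "userc_dont_trap":
        entry["flag"] = int(value, 16)           # value field is 0 or 1
        if entry["flag"] not in (0, 1):
            raise ValueError(f"flag must be 0 or 1: {line!r}")
    else:
        raise ValueError(f"unsupported table: {table}")
    return entry

def unexpected_gateways(entries, known_gateways):
    """Hypothetical audit helper: entries encapsulated toward an unlisted gateway."""
    return [e for e in entries
            if "gateway_ip" in e and e["gateway_ip"] not in known_gateways]

if __name__ == "__main__":
    # The two example entries shown in this appendix
    print(parse_entry("<c0a81e05; c7cb4760; 3998/4000>",
                      "userc_encapsulating_clients"))
    print(parse_entry("<c7cb473e; 00000000; 3/10>", "userc_dont_trap"))
```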