https://community.checkpoint.com/t5/Firewall-and-Security-Management/After-Upgrading-R81-LDAPS-communiction-stops-working/m-p/120390#M17062 <P>I know this is late, but as I recently ran across the issue after an upgrade I wanted to share what I found to fix my LDAPS issue.</P><P>&nbsp;</P><P>After upgrading to R80.40 from R80.10 I was no longer able to fetch the fingerprints from the LDAPS servers.&nbsp;</P><P>Looking in the logs, the connection attempt from the SMS to the remote LDAP servers was not being sent across the site-to-site VPN. Instead, it was being NAT'd out to the public IP address and attempting to reach the private IP address of the remote LDAP server.</P><P>It turns out, the LDAP service was hitting the implied rule for routing and never making it to the explicit rule to use the VPN connection. This is by design and can be changed using the SK and references below.</P><P>***** The change does not survive a major upgrade. *****</P><P>&nbsp;</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk26059&amp;partition=Advanced&amp;product=IPSec" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk26059&amp;partition=Advanced&amp;product=IPSec</A></P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92281" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92281</A></P><P>&nbsp;</P> Fri, 04 Jun 2021 18:22:18 GMT Gabe_Flynn 2021-06-04T18:22:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/After-Upgrading-R81-LDAPS-communiction-stops-working/m-p/112235#M15564 <P>Dear Team ,</P><P>&nbsp;</P><P>WE have&nbsp; MGMT at HO location (VM) which we have recently upgraded from R80.30 to R81</P><P>&nbsp;</P><P>&nbsp;</P><P>And some branch location Security Gateways also we have upgraded To r81 from R80.30</P><P>&nbsp;</P><P>HUB and Spoke topology - Star VPN is working properly earlier and after R81 some time we are getting disconnection issue .</P><P>&nbsp;</P><P>Also I want to create User based Policy and want add user group in Access role for which i am getting error .</P><P>&nbsp;</P><P>&nbsp;I am enabling LDAPS and trying to fetch certificate but getting error</P><P>&nbsp;</P><P>"Faild to connect to LDAP server connection failed</P><P>&nbsp;</P><P>Traffic we can see from MGMT to Server till Branch Gateway after we are not getting traffic and in log -VPN encryption showing decryption not showing</P><P>&nbsp;</P><P>Please give us idea if anyone have same issue .</P><P>&nbsp;</P><P>Regards,</P><P>Harmesh Yadav</P><P>9978440755</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 06 Mar 2021 03:55:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/After-Upgrading-R81-LDAPS-communiction-stops-working/m-p/112235#M15564 Harmesh_Yadav 2021-03-06T03:55:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/After-Upgrading-R81-LDAPS-communiction-stops-working/m-p/112437#M15605 <P>Dear Team ,</P><P>&nbsp;</P><P>I am waiting for your reply it will be very helpful</P> Thu, 04 Mar 2021 05:10:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/After-Upgrading-R81-LDAPS-communiction-stops-working/m-p/112437#M15605 Harmesh_Yadav 2021-03-04T05:10:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/After-Upgrading-R81-LDAPS-communiction-stops-working/m-p/120390#M17062 <P>I know this is late, but as I recently ran across the issue after an upgrade I wanted to share what I found to fix my LDAPS issue.</P><P>&nbsp;</P><P>After upgrading to R80.40 from R80.10 I was no longer able to fetch the fingerprints from the LDAPS servers.&nbsp;</P><P>Looking in the logs, the connection attempt from the SMS to the remote LDAP servers was not being sent across the site-to-site VPN. Instead, it was being NAT'd out to the public IP address and attempting to reach the private IP address of the remote LDAP server.</P><P>It turns out, the LDAP service was hitting the implied rule for routing and never making it to the explicit rule to use the VPN connection. This is by design and can be changed using the SK and references below.</P><P>***** The change does not survive a major upgrade. *****</P><P>&nbsp;</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk26059&amp;partition=Advanced&amp;product=IPSec" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk26059&amp;partition=Advanced&amp;product=IPSec</A></P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92281" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92281</A></P><P>&nbsp;</P> Fri, 04 Jun 2021 18:22:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/After-Upgrading-R81-LDAPS-communiction-stops-working/m-p/120390#M17062 Gabe_Flynn 2021-06-04T18:22:18Z