topic Re: VPN daemon timed out in Firewall and Security Management

VPN daemon timed out

GrassF — Tue, 25 Jan 2022 08:36:35 GMT

Hi,

one of our customer is having issue with vpn command. We are getting a Timed out

The Firewall is running on R81 Take: 44

Have you experienced such issue?

Thank you

Re: VPN daemon timed out

_Val_ — Thu, 27 Jan 2022 09:34:57 GMT

Take it with TAC

Re: VPN daemon timed out

the_rock — Thu, 27 Jan 2022 13:24:10 GMT

Just curious, are you having actual S2S vpn issues, or ONLY output of this command is the concern? I guess if vpnd is a problem, then TAC may suggest some debugs for it, for sure.

Re: VPN daemon timed out

GrassF — Fri, 28 Jan 2022 08:54:59 GMT

Correct, in case there is a vpn issue we'll not be able to debug. The firewall hast been updated to R81.10, however the issue has not been resolved. We've opened a TAC Case.

Re: VPN daemon timed out

Chris_Atkinson — Fri, 28 Jan 2022 10:06:19 GMT

Apologies it's not clear. Is the VPN blade activated on the gateway and a tunnel configured / established?

Re: VPN daemon timed out

GrassF — Fri, 28 Jan 2022 12:39:53 GMT

Correct, if not we would have got this output below (from another Gateway without VPN Blade enabled)

# vpn shell
This is not a VPN-1 enabled module

Re: VPN daemon timed out

the_rock — Fri, 28 Jan 2022 12:42:38 GMT

This is very interesting...I tried it yesterday in my lab with vpn blade on and I had same issue as you, but when I ran it on customer's environment with same R80.40 version, worked fine. Now, I tested in R81.10, but let me see if I can find R81 and try. Though, Im 99.99% sure this has absolutely nothing to do with the software version.

Re: VPN daemon timed out

GrassF — Fri, 28 Jan 2022 12:51:01 GMT

We have another customer running R80.40 and it's working fine. Would be interesting to have the result of your test.

Re: VPN daemon timed out

the_rock — Fri, 28 Jan 2022 13:06:55 GMT

Ok...got same thing in R81 as well. Let me do some testing later in my R81.10 lab, as I have latest HFA on it, so will see if I can figure it out, plus, VPN blade has been enabled on it for 2-3 months, at least.

Re: VPN daemon timed out

the_rock — Fri, 28 Jan 2022 14:21:10 GMT

I hate to say this, but I honestly got no clue why this happens. As @_Val_ suggested, open TAC case and have them investigate. I tried so many things in my lab to see if I can get it working (even disabled and re-enabled vpn blade as well), same thing. Tried running multiple options of that command, no luck, sorry brother : - (. Please let us know how it gets fixed, I would love to know.

Re: VPN daemon timed out

GrassF — Fri, 28 Jan 2022 14:34:13 GMT

Thank you for helping. The TAC case is ongoing. It seems like things have change on R81

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Topics-VPNSG/CLI/vpn-debug.htm?Highlight=vpn%20debug

Re: VPN daemon timed out

the_rock — Fri, 28 Jan 2022 19:27:44 GMT

Yes, but vpn debug steps should be same as before. As far as vpn shell command, that Im not positive, though when I tested In R80.xx flavors, options look the same.

Re: VPN daemon timed out

Timothy_Hall — Sat, 29 Jan 2022 14:39:06 GMT

As you observed @the_rock some things involving vpnd did change in R81.10. The vpnd process is very old and has a long list of responsibilities that were stuffed into it over the years which started to cause stability problems.

In R81.10 two responsibilities of vpnd were split off into two new daemons: iked and cccd. The former daemon handles IKE negotiations and the latter daemon cccd seems to be related to endpoint compliance. @GrassF it is possible that the vpn shell command you are trying to run has not been updated to reflect this change thus the timeouts, disabling the new iked process with vpn iked disable might fix your timeout issue but I'd advise against trying that, as it is not documented and may cause an outage. Please post the output of these two commands:

vpn iked status

vpn cccd status

Re: VPN daemon timed out

GrassF — Fri, 04 Feb 2022 12:55:56 GMT

# vpn iked status
vpn: 'iked' is enabled.
vpn: The 'iked' process is currently running.

# vpn cccd status
vpn: 'cccd' is disabled.
vpn: The 'cccd' process is currently not running.

# fw ctl get int ike_in_separate_daemon
ike_in_separate_daemon = 1

Re: VPN daemon timed out

_Val_ — Sat, 01 Jun 2024 13:31:32 GMT

Attention, quoting from Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)

In R81.10 we added a feature to improve VPN performance - named CCCD

This feature is disabled by default, and we know about few advanced customers who are using it.

Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!

YOU MUST DISABLE CCCD TO BECOME PROTECTED!

Instructions below and also on SK182336:

Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.

If the output differs, stop the CCCD process by running the vpn cccd disable command.

More info by the link above.