topic Re: Sometimes error "negotiation with site failed" in Endpoint

Sometimes error "negotiation with site failed"

Networking-TNL — Mon, 18 Jul 2022 11:18:59 GMT

Hello All,

I'm currently configuring a new cluster with a new mgmt-server only for VPN.

i've build on a VSX-cluster 2 VS's, one test and one production VS.

VS3, I've build the test vs, with smartcard authentication which connects to our external AD. machine/user are handled by our external domain and the smartcard authentication is as well handled on this external domain, this solution works properly.

VS4, I've build the production VS, which the machine/user connects to our internal domain and the MFA is handled by Radius against the external AD.

on this VS i have the issue when i'm trying to logon that I'll get the error "Negotiation with site failed". I don't get it always, the other attempts are working well, let's say it fails 1 out of 3 attempts. Smartlog says the user does not belong to the remote community.

The AD LDAP account unit of both domains are identical in the management server and in the Remote Access community in the participant user groups i have added a user group based on a security group.

Does anybody have an idea what could go wrong?

Re: Sometimes error "negotiation with site failed"

_Val_ — Mon, 18 Jul 2022 11:59:53 GMT

Intermittent connectivity issues with LDAP maybe? Do you have multiple servers defined in a single LDAP account unit object?

Re: Sometimes error "negotiation with site failed"

Networking-TNL — Tue, 19 Jul 2022 08:49:45 GMT

Tried both, started with ldap account unit with three AD-servers and changed it later to one and also switcht from one to another one, but still the same issues unfortunately.

Re: Sometimes error "negotiation with site failed"

the_rock — Tue, 19 Jul 2022 13:06:13 GMT

Are you able to do say fw ctl zdebug + drop | grep username command (just replace username with actual user itself). Not sure this may give us more info, but worth a try.

Re: Sometimes error "negotiation with site failed"

Networking-TNL — Tue, 19 Jul 2022 13:18:40 GMT

nope doesn't give any results.

Re: Sometimes error "negotiation with site failed"

Networking-TNL — Wed, 20 Jul 2022 10:42:21 GMT

i'll found in the VPND.elg that when the authentication fails, the checkpoint did only LDAP-requests to our external domain controllers instead of the internal domain.

When i try to remove the specific participant groups in de remote access community and change it to "all rules" it works properly.

But it is strangely working properly on the office mode assigned group (this is exact the same group as a configured in the participant user groups).

How is it possible that, checkpoint does the request to the wrong AD?

Re: Sometimes error "negotiation with site failed"

Networking-TNL — Wed, 27 Jul 2022 12:16:24 GMT

This topic can be closed, solved this issue by configuring specifically the proper active directory under the VS > other > user directory and configure the proper AD.

Re: Sometimes error "negotiation with site failed"

_Val_ — Wed, 27 Jul 2022 13:22:08 GMT

Great to hear