topic Re: Problem of connection of users to the VPN in General Topics

Problem of connection of users to the VPN

Matlu — Wed, 23 Aug 2023 15:32:45 GMT

Hello, everyone.

We currently have a connection problem for users trying to connect via VPN to the GW (Using Endpoint Security).

Initially, everything was working fine with the AD Query method (We have Mobile Access and IA blades enabled).

Now, since we migrated the way AD users work, from AD Query to IDC, we are having problems with a lot of users not being able to connect to the VPN.

We have checked that in the IDC, if there is an association between an IP + User.

But it seems that this information stays in the IDC, and does not send it to the Firewall.

Since when we consult for certain user that is seen in the IDC, it does not appear in the "pdp" commands that we apply in the GW.

We have made connection tests, with local GW accounts, and everything works fine.

Any opinion and/or similar experience you can share?

Regards.

Re: Problem of connection of users to the VPN

the_rock — Wed, 23 Aug 2023 15:42:12 GMT

Never had an issue like that before. Question...I assume you are using access roles? If you do pdp monitor user command, do you even see anything?

Andy

Re: Problem of connection of users to the VPN

Matlu — Wed, 23 Aug 2023 15:47:31 GMT

Yes, we are working the rules with Access Role.

In the SMS logs, the message "Unknown User" appears.

The strange thing is that the users are seen in the IDC (IP+User Association).

But in the GW Cluster, the user is not seen when searching with the command "pdp ...".

So, because of this, remote users cannot connect.

This happened after migrating from AD Query to IDC.

Re: Problem of connection of users to the VPN

Matlu — Wed, 23 Aug 2023 15:50:00 GMT

This is the evidence, from what I see with the "pdp" command in the GW.

The user does not appear in the GW.

But this same user does appear in the IDC.

Re: Problem of connection of users to the VPN

the_rock — Wed, 23 Aug 2023 15:50:06 GMT

Make sure LDAP account unit is still there, as thats needed to pull the groups from AD properly, as @PhoneBoy mentioned in another post.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Identity-Collector/m-p/190000/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExMTDBKVTRTTUc3V1NIfDE5MDAwMHxTVUJTQ1JJUFRJT05TfGhL#M35047

Re: Problem of connection of users to the VPN

Matlu — Wed, 23 Aug 2023 16:14:28 GMT

The account that was used to hook the IDC to the AD still exists.

Is there a way to reboot, do a sniffer or capture, that will help us to know why the AD users do not arrive to the GW, but they do arrive to the IDC?

😕

Re: Problem of connection of users to the VPN

the_rock — Wed, 23 Aug 2023 16:31:39 GMT

Reboot wont do anything for this sort of issue. Can you still see same LDAP account unit? Are there any logs for the tested user in smart console? You can do IA debugs TAC gave me while back, hope they give some clues.

Andy

Re: Problem of connection of users to the VPN

Matlu — Wed, 23 Aug 2023 23:05:47 GMT

To test with these TAC debug commands, you would have to test punctually, with a user that is affected with his VPN connection, correct?

Is there a way to "delete" his session, in the IDC, to be able to apply the process from 0, with a punctual user?

Re: Problem of connection of users to the VPN

the_rock — Wed, 23 Aug 2023 23:19:04 GMT

Thats right. Im not aware if way to debug IC, as its not a process.

Re: Problem of connection of users to the VPN

PhoneBoy — Thu, 24 Aug 2023 21:55:14 GMT

It's not in Identity Collector that you need to delete the user, but in PDP on the relevant gateway.
The identities that relate to a given IP address can be revoked using the CLI command: pdp control revoke x.y.z.w
See: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide/Topics-IDAG/CLI/pdp-control.htm?tocpath=Command%20Line%20Reference%7Cpdp%7C_____6

Re: Problem of connection of users to the VPN

the_rock — Thu, 24 Aug 2023 22:59:14 GMT

Did you make any progress on this bro? Also, maybe try pdp update all command to see if any difference.

Andy

Re: Problem of connection of users to the VPN

Matlu — Fri, 25 Aug 2023 01:02:05 GMT

Hello,

The problem is that users are not "seen" in the GW.

For example:

User: Pepito
IP: 10.10.10.10

This association is seen in the IDC, but in the GW, it is not "seen", that's why I think, that applying the command you suggest, would not help me in this case.

It seems that the relationship between the IDC and the GW is not working well.

Re: Problem of connection of users to the VPN

the_rock — Fri, 25 Aug 2023 01:48:31 GMT

If you do pdp monitor ip and then user IP, you dont see anything?

Re: Problem of connection of users to the VPN

Matlu — Fri, 25 Aug 2023 03:15:06 GMT

Buddy,

In the GW you do not see the users who have already registered in the IDC.

At the top of this post, I pasted some images of a user.
This user in the IDC, if his IP+User relationship appears, but when you query for this user in the GW, it simply does not see it.

😕

Re: Problem of connection of users to the VPN

the_rock — Fri, 25 Aug 2023 10:16:46 GMT

Maybe try restart IC and see what happens.

Re: Problem of connection of users to the VPN

Matlu — Fri, 25 Aug 2023 12:18:29 GMT

We are still reviewing this atypical case.

How do you reset the IDC?

I'm going to try the last command you recommended, let's see how it goes.

😉

Re: Problem of connection of users to the VPN

the_rock — Fri, 25 Aug 2023 12:25:55 GMT

You dont : - ). You either restart it from task manager or simply reboot computer software is installed on.

Andy