Switching Capsule client from HTTPS to IPSEC

Ruan_Kotze — Fri, 28 Feb 2025 08:41:24 GMT

Hi CheckMates,

Architecturally we have made a decision to move our Capsule clients from connecting via HTTPS to IPSEC to mitigate against potential future vulnerabilities.

What we are seeing is that as soon as we do that change, mobile clients stop communicating. They manage to log in successfully but nothing further apart from that.

The weird thing is I also see no drops from the clients OM IP, not through Smartconsole and not through a fw ctl zdebug either. On the clients I also see the encrypted packet count increasing, but not the decrypted.

The only activity I'm seeing is IKE NAT-T on udp 4500. I've double-checked that I've got no silent drops going on either.

Would really appreciate any ideas on where to start looking.

Thanks,
Ruan

Re: Switching Capsule client from HTTPS to IPSEC

PhoneBoy — Fri, 28 Feb 2025 16:52:31 GMT

Did you try deleting and re-adding the site after making this change?
Anything from the client logs?

Re: Switching Capsule client from HTTPS to IPSEC

Ruan_Kotze — Sun, 02 Mar 2025 08:49:29 GMT

Hi Dameon,

Yes we have re-created the site. We do have a case open with TAC so are providing them with the debugs.

Thanks,
Ruan

topic Re: Switching Capsule client from HTTPS to IPSEC in General Topics

Switching Capsule client from HTTPS to IPSEC

Re: Switching Capsule client from HTTPS to IPSEC

Re: Switching Capsule client from HTTPS to IPSEC