topic Re: All Remote User use Visitor Mode ( Endpoint Connect VPN ) in SASE and Remote Access

All Remote User use Visitor Mode ( Endpoint Connect VPN )

Supporto_Checkp — Wed, 13 May 2020 06:23:40 GMT

Hi
i've a question related to the use of visitor mode

we have a VS r80.30 installed on a 5900 appliance that manage vpn access for our users ( other than another VS )

we have enabled both ipsec and mobile blade, so "visitor mode" is enabled by default and cannot be removed.

Most of the users use "Endpoint Connect VPN" as a client.

with "vpn show_tcpt" , "vpn tu tlist" and using the "one liner" in previous message I see that most of them use visitor mode.

With 100 users is ok, With 340 it's a crap because is managed in "user area".

We contacted Checkpoint but it was useless.
They said the at first all the client try to use nat-t and THEN 443 and visitor mode.
But capturing traffic on both the client ( many clients indeed ) and the firewall we have evidence that Endpoint Connect VPN don't use NAT-T but goes directy with 443.

This is a fresh check of our users
REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 181 (Peak: 181)
Capsule/Endpoint VPN Users : 179 (Peak: 179) using Visitor Mode: 177
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 0 (Peak: 4)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 8)

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 45000
Endpoint Connect Users :
Mobile Access Users : Unlimited
SNX Users :

Can the behaviour written above be cause by our licences? ( Endpoint Connect Users : "" )

Too many visitor mode users cause really BAD performance,i'm talking about 800ms for a ping response, using Web Portal or the SSL Extender solve the problem but the customer don't want to use this solution.

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

_Val_ — Wed, 13 May 2020 07:23:49 GMT

Quoting from sk105119

Visitor mode

Visitor Mode is supported by the legacy SecureClient and by Endpoint Connect (Endpoint Security) Client.

Each packet in Visitor Mode is processed in user space, which causes a load on CPU on Security Gateway (only several hundred Visitor Mode clients can be handled by the Security Gateway).
In SecureClient, if enabled by the user, Visitor Mode is never automatically turned off. It is recommended that users only enable Visitor Mode when essential (typical to Airport and Hotel Wi-Fi spots), and disable it afterwards.

You can disable Mobile Access. hence forcing Endpoint Clients to use IPsec.

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

Supporto_Checkp — Wed, 13 May 2020 07:36:57 GMT

we cannot disable mobile access because we have users that use it.

Also the same client ( I mean example PC and SAME version of endpoint connect )
use 443 for auth and 4500 for traffic on a physical cluster configured in the same way
BUT use visitor mode on this vsx.
We don't USE SecureClient.
We use Endpoint Connect VPN as Client or SSL Extender
and with "same configuraion" i really mean that are the same.
Each global properites,each license,each gateway setting related to vpn

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

_Val_ — Wed, 13 May 2020 07:58:54 GMT

Basically, you are saying the following:

You have identical VPN config for both VSX and physical environment
Same Endpoint clients use ports 4500 & 443 to connect to physical, while using only 443 when connecting to a VS.

This does not make a lot of sense, to be honest. How did you check? Any traces on the client side?

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

Supporto_Checkp — Wed, 13 May 2020 09:29:25 GMT

problem solved.
On the vsx cluster there was a setting changed in database , not GUI or SmartConsole ( i don't know if was a default on older version ,this DB was born with 77 or older or someone changed it )
and the transport mode was set to "Visitor Mode"
i've changed it to "Auto Detect" and now .. NAT-T! (That surely is the default on newer DB version )

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

Supporto_Checkp — Wed, 13 May 2020 09:28:48 GMT

i've found the solution comparing two debug of the same client after a connection to both sites.

on VSX I had

[ 2696 4196][13 May 10:36:11][CONFIG_MANAGER] transport return value Visitor-Mode, because it is Gateway config variable. Scope: site "sitename"

[ 2696 4196][13 May 10:36:11][TR_CONN_MANAGER] ConnGetInfo: vpn conn data:
(
    :gw-ipaddr (x.x.x.x)
    :vpnd_ipaddr (x.x.x.x)
    :authentication-method (username-password)
    :is_saa (false)
    :transport (Visitor-Mode)

On Physical I had
[ 2696 4196][13 May 10:36:11][CONFIG_MANAGER] transport return value Automatic ( or auto detect , i dont' have them anymore here with me ) , because it is Gateway config variable. Scope: site "sitename"

    :gw-ipaddr (x.x.x.x)
    :vpnd_ipaddr (x.x.x.x)
    :authentication-method (username-password)
    :is_saa (false)
    :transport (Auto-Detect)

i've looked both the DB with DBGUIEDIT for some value with "auto-detect" or "visitor-mode" ...and solved 😄

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

_Val_ — Wed, 13 May 2020 09:50:34 GMT

Correct, this is exactly the way described in sk10743. I can only guess why your VSX did not have the default method set up. It is usually the other way around, forcing Visitor Mode, if NAT-T port is closed

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

Supporto_Checkp — Wed, 13 May 2020 10:02:48 GMT

I don't know why, to be honest.
I didn't follow the startup of this customer many years ago.
Maybe the default setting was different on R77 ? or someone changed it for any (wrong) reason ( or maybe the old ISP didn't allow NAT-T port ) before we managed the customer
Pre-Covid19 this wasn't a problem with 100/120 user so nobody had issues.

Problem is solved but I think that an option like this should be on GUI ,and not only on DBGUIEDIT.... like many other interesting option

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

G_W_Albrecht — Wed, 29 Jul 2020 10:27:59 GMT

It is sk107433: How to change transport method with Endpoint Clients 8)

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

frankcar — Thu, 26 Aug 2021 13:42:25 GMT

Did you resolve this ? we had the same issue and turned out to be the firewall objects ip we was using was not the one which was published for our vpn user to connect, so what it was doing was hitting another external IP we have on our cluster and using visitor mode always we had to change link selection in our issue to be the external ip users was resovling our VPN host to and now all we get is NAT-T users and a few vistor mode.

CPView shows what they are connected with.

check your ip you resolve for vpn is the one that matches the link selection IP.

vistor mode has a massive impact on 700 users or more from what I remember we was fine to around 650 after that we saw issue 15600 cluster R80.20

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

CheckPointerXL — Wed, 02 Aug 2023 12:19:01 GMT

Hi all,

Is this dangerous behavoir still on going? According to https://support.checkpoint.com/results/sk/sk168297 it should be fixed

Is this true also for VSX ?

@_Val_

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

frankcar — Wed, 02 Aug 2023 12:40:14 GMT

I can't tell you about VSX, we dont use checkpoint vpn they went down the zcrawler zscaler route.

articles says its fixed, vistor mode in user space was the issue if in kernel should be fine then i guess still slow compared to NAT-T

Check Point has developed a new fix to handle Visitor Mode connections in the kernel on the Security Gateway.

Frank

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

CheckPointerXL — Wed, 02 Aug 2023 12:38:22 GMT

i think your clients are tring to connect to something different from your link selection setting

the solution is here https://support.checkpoint.com/results/sk/sk32229

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

frankcar — Wed, 02 Aug 2023 12:43:57 GMT

the chaps packages our client up in applications using the wrong external IP was our issue to, so link selection changed that for the endpoint and forced it to use the main ip, probably the article you mention may have done same thing for us, we dont use Checkpoint vpn client anymore shame was 100x better than zscaler performance wise.

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

_Val_ — Wed, 02 Aug 2023 12:51:28 GMT

VSX or not, Visitor mode is still the same and handled by vpnd. However, since R80.40, there is a performance enhancement, mentioned in that SK.

What do you call "This dangerous behavior", not sure I follow

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

frankcar — Wed, 02 Aug 2023 12:59:04 GMT

This dangerous behavior ? i didn't mention that anywhere i just searched

we had performance issue in user space if its fixed it fixed.

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

CheckPointerXL — Wed, 02 Aug 2023 13:02:21 GMT

"dangerous behavior" I mean the high load overall on the system if large numers of visitor mode are connected

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

frankcar — Wed, 02 Aug 2023 13:20:25 GMT

the only high load i had was manager calling me for it to be fixed because users was struggling to download word documents when we had over 700 on visitor mode but that was in user space, if they moved to kernel must have been resolved as they say.

the vpn core was maxed out too i think from memory

NAT-T is faster than https visitor mode we found, i am not sure if visitor mode is capable of doing the same speeds as NAT-T.

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

_Val_ — Wed, 02 Aug 2023 14:18:48 GMT

Visitor mode is not accelerated and treated in the User Mode by a process. By definition, it is not the most performant RAS VPn solution. For a large deployment, I would recommend the classic IPsec based VPN.

Re: All Remote User use Visitor Mode ( Endpoint Connect VPN )

CheckPointerXL — Wed, 02 Aug 2023 14:20:28 GMT

according to sk168297 this is no longer true