topic Re: Endpoint Security - Entra ID Auth - No reply from the gw / Site is not responding in SASE and Remote Access

Endpoint Security - Entra ID Auth - No reply from the gw / Site is not responding

Homer — Tue, 30 Jan 2024 15:50:28 GMT

Hello all!

my first post I've ever made here, with an error that's driving me crazy!

Endpoint Security Client: E87.60 Build 986105018
Checkpoint 6200P Cluster: R81.10 take 335

I've been trying to secure our VPN connection with MFA for a year with Endpoint Security Client and Entra ID . However, I cannot switch authentication for all users, because there is an onnoying problem with the new identity provider (Microsoft Entra ID).

I already had tickets open regarding that topic, that had been passed on to the escalation engineer. Unfortunately, no solution was provided after gathering a lot of logs over months. The engineer was very rude and kept asking for new logs without providing a solution.

I would like to hear your opinion and at the same time ask if you know the problem?

Explanation:

- Microsoft Entra ID is used as an identity provider.
See link: https://learn.microsoft.com/de-de/entra/identity/saas-apps/check-point-remote-access-vpn-tutorial
- Multifactor authentication is required when establishing a connection. -> Everything fine.

But after a few hours the VPN connection no longer works

Helpdesk.log from Endpoint Security Client (Advanced Logging)

[21 Feb 17:04:03] No reply from the gw ip=X.X.X.X for tunnel test packet. Office Mode IP=A.A.A.A, source port=18009.
[21 Feb 17:04:05] No reply from the gw ip=X.X.X.X for tunnel test packet. Office Mode IP=A.A.A.A, source port=18010.
[21 Feb 17:04:08] IKE tunnel disconnected, error code=-1000. Reason: Site is not responding.
[21 Feb 17:04:08] Client state is connected
[21 Feb 17:04:08] Tunnel (2) disconnected. State is connected. Trying to reconnect.
[21 Feb 17:04:18] IKE connection failed, error code=-1000. Reason: Site is not responding.
[21 Feb 17:04:18] Client state is reconnecting
[21 Feb 17:04:18] Reconnect failed. trying again (2)

......
[21 Feb 17:06:17] Client state is reconnecting
[21 Feb 17:06:17] State reconnecting. Roaming timeout is reached, cancelling connection (2)

Site is not responding --> There is no vpn error with user/password authentication at the same time for hundreds of users.

It looks like there is an error with vpn phase 1 or 2, by using Entra ID.

The problem can be solved for a few hours by reestablishing the VPN connection.

The time, in which the connection works fine without problems can be influenced by changing the DHCP lease time.

- If the DHCP Lease Time is 60 minutes, the problem occurs several times a day. (4-5 times in 8 hours with vpn connection)
- If the DHCP Lease Time is 960 minutes, the error only occurs once every 2-3 days.

Automatic DHCP lease: the DHCP Lease time is configured to the same value on our DHCP Server. -> Same error

Manual (using IP pool): Using CP as DHCP Server--> Same error with manual IP Pool.

Global properties -> Remote Access --> Endpoint Connect

Re-authenticate user every is set to 720 minutes according Checkpoint recommendation.

Question:

Does anyone have the same problem or any advice?

Re: Endpoint Security - Entra ID Auth - No reply from the gw / Site is not responding

Joe_Torrentes_A — Wed, 14 Aug 2024 23:47:13 GMT

HI Homer

Did you ever got a root cause and solution for this issue?

Re: Endpoint Security - Entra ID Auth - No reply from the gw / Site is not responding

Homer — Thu, 15 Aug 2024 10:28:24 GMT

Hello Joe!

Unfortunately, since July of this year, the problem has resolved itself without any verifiable changes being made.

So I cannot provide a solution and at the same time I still have the bad feeling of putting the authentication method into production.

Together with Checkpoint R&D, we have made many changes and collected hundreds of logs without finding the error.

Have you got the same issue?

Which configuration settings have you already checked?

Greetings
Julian

Re: Endpoint Security - Entra ID Auth - No reply from the gw / Site is not responding

the_rock — Thu, 15 Aug 2024 12:44:34 GMT

Ironically enough, I currently have a case with AWESOME TAC guy from Dallas that I worked with many times and he actually asked me to send cpinfos from gw and mgmt, so can try replicate in their lab. I find it a bit strange what happens is that now first connection works, but then if you disconnect and try reconnect, it NEVER works.

For what its worth @Joe_Torrentes_A , we made changes from sk32229 and it did help, but still same behavior.

Once I have more details and do more testing, will update. All I can tell you at this time is that site resolves to right IP, IDP shows connected, first time connection works, but when you do route print on the client, correct subnet is NOT listed there, so thats also another issue. We both found that part odd, since we all know when it comes to RA vpn, whatever you put in RA vpn domain, clients should see that when you run route print, but that part is failing.

Anywho, since we all share solution once we have it (in the spirit) of the community, I will certainly do so as well.

This was document we followed btw:

Tutorial: Microsoft Entra single sign-on (SSO) integration with Check Point Remote Secure Access VPN - Microsoft Entra ID | Microsoft Learn

Also went through this too, but did not help.

https://support.checkpoint.com/results/sk/sk44075

Last, but not least, this sk was not really relevant, since client is on R81.20 jumbo 65

https://support.checkpoint.com/results/sk/sk172909

Best,

Andy

Re: Endpoint Security - Entra ID Auth - No reply from the gw / Site is not responding

Homer — Fri, 16 Aug 2024 08:36:31 GMT

Hey Andy,

it looks like you have als an annoying issue...

Thank you for your advice! Entra SSO Integration Tutorial is well known to me, I have checked the settings several times...

What I noticed is that the configuration instructions have changed frequently in the last few months and each update results in different configuration settings on CP GW and Entra ID

Using Azure AD for Authorization (checkpoint.com)

What does the client's helpdesk.log from trlogsXXX.cab say?
Is all traffic forwarded to CP GW or only RA VPN Domain?