topic Re: Troubleshooting Mobile Access SSL VPN in SASE and Remote Access

Troubleshooting Mobile Access SSL VPN

T0r_Lak — Tue, 30 Jan 2024 09:30:32 GMT

Hi all!

I'm having a difficult time finding appropriate troubleshooting resources for SSL VPN connectivity our clients are having when connecting via their browser on the Mobile Access Blade, configured via SmartDashboard.

The issues is: mostly external but sometimes internal workers on Windows, Mac or Linux are having issues fetching their access policies, i.e. there's no packet logged indicating what resources they should have access to, which normally appears there.

I've checked:

their AD group membership
the SNX version
the Java version
they get connected on the web portal fine
the web browser version

How do I even "debug" this, can conventional methods be used, such as "tcpdump, zdebug + drop, fw monitor, vpn debug" be used?

Also, which file logs the SSL VPN user activity - vpnd.elg? Couldn't find anything in that file for the specific users in question...

Any advise would be much appreciated regarding this beast.

Thank you!

Re: Troubleshooting Mobile Access SSL VPN

G_W_Albrecht — Tue, 30 Jan 2024 11:10:50 GMT

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Content/Topics-MABG/Troubleshooting.htm

https://support.checkpoint.com/results/sk/sk104577

Re: Troubleshooting Mobile Access SSL VPN

T0r_Lak — Tue, 30 Jan 2024 13:13:36 GMT

sk104577 provided some very useful insights and more advanced troubleshooting methods, as opposed what I already knew.

Thank you so much for your reply! Much appreciated!

FYI - Unfortunately when trying to access:

Mobile Access R81.20 Administration Guide > Troubleshooting Mobile Access > Troubleshooting Web Connectivity > "see sk31636", it leads to yet another "Deleted This SK no longer exists".

Re: Troubleshooting Mobile Access SSL VPN

Sergei_Shir — Mon, 16 Dec 2024 12:37:01 GMT

This SK article is now available again:

https://support.checkpoint.com/results/sk/sk31636

Re: Troubleshooting Mobile Access SSL VPN

G_W_Albrecht — Tue, 17 Dec 2024 09:45:10 GMT

You can give my post a Kudo if it prooved usefull to you 😉

Re: Troubleshooting Mobile Access SSL VPN

HeikoAnkenbrand — Sat, 21 Dec 2024 19:58:37 GMT

To debug Mobile Access SSL VPN issues in Check Point, you can follow these steps:

Debugging the Gateway Side:

httpd Process:
- Backup the current configuration file:
  [Expert@HostName:0]# cp -v $CVPNDIR/conf/httpd.conf $CVPNDIR/conf/httpd.conf_ORIGINAL

Edit the configuration to change the log level:
[Expert@HostName:0]# vi $CVPNDIR/conf/httpd.conf
Change "LogLevel" from "emerg" to "debug".
Enable trace log collection for a specific user:
[Expert@HostName:0]# cvpnd_admin debug trace users=<USERNAME>
cvpnd Process:
1) Start the debug:
[Expert@HostName:0]# cvpnd_admin debug set TDERROR_ALL_ALL=5
2) Stop the debug:
[Expert@HostName:0]# cvpnd_admin debug off
vpnd Process:
1) Start the debug for SNX or other clients:
[Expert@HostName:0]# vpn debug on ALL_ALL=5
2) Stop the debug:
[Expert@HostName:0]# vpn debug off
Check SSL Handshake:
- Use Wireshark to verify SSL handshake by looking for "client_hello" and "server_hello" messages.
- If there are SSL issues, collect kernel debug:
  [Expert@HostName:0]# fw ctl zdebug -m fw + drop crypt cptls
Verify SSLVPN Portal:
- Ensure the SSLVPN portal is running:
  [Expert@HostName:0]# mpclient status sslvpn
Log Analysis:
- Check the logs for errors:
  - $CVPNDIR/log/httpd.log
  - $CVPNDIR/log/cvpnd.elg
Additional Resources for more detailed procedures:
- ATRG: Mobile Access Blade
- How to Debug Mobile Access Web Applications.