topic Re: Connection failed: Negotation with site failed in SASE and Remote Access

Connection failed: Negotation with site failed

Jeffgo — Sun, 11 Sep 2022 07:51:17 GMT

Dear

My version: R81.10,hotfix is T66

I configure the gateway as a vpn gateway,and the vpnn gateway location internal network,i mapping it by internet firewall.GW VPN port is 10443 on the visitor mode.

I test it,i can successfull connect to vpn on internal network.but i can not connect to vpn on internet.the connected informations as fowwowing:

Re: Connection failed: Negotation with site failed

_Val_ — Tue, 13 Sep 2022 09:47:25 GMT

There can be tons of reasons for that, you need to see the logs both from the FW and the client for more details.

Re: Connection failed: Negotation with site failed

Jeffgo — Sat, 17 Sep 2022 14:51:44 GMT

Internal pc connect to vpn working well,but i map the vpn gw to internet with PAT,client can not working,I think this is checkpoint issue,

if need to see the gw logs,how to see the gw logs,thanks!

Re: Connection failed: Negotation with site failed

PhoneBoy — Sun, 18 Sep 2022 03:18:05 GMT

Is some other device doing the NAT?
This probably won't work if so...

Re: Connection failed: Negotation with site failed

Blason_R — Sun, 18 Sep 2022 05:04:49 GMT

This is SecureRemote - Have you tried enabling vpn debug and collect logs from client side? That should show the reason. Plus what is the VPN link selection IP address specified?

Re: Connection failed: Negotation with site failed

Jeffgo — Mon, 19 Sep 2022 16:34:23 GMT

@PhoneBoy

Thanks!

The topology:

internet-----CP 1550 fw------R81.10 virtual fw

cp-1550 is the edge firewall, R81.10 virtual fw is the internal vpn gw and is mapped with cp-1550 firewall

You said that this probably won't work,why?

Re: Connection failed: Negotation with site failed

the_rock — Mon, 19 Sep 2022 17:43:36 GMT

The guys definitely brought up all the good reasons. Enable debugs and also collect client logs. But, before all that, make sure all the office mode settings are correct on the gateway.

Re: Connection failed: Negotation with site failed

Blason_R — Mon, 19 Sep 2022 18:16:46 GMT

I guess this might not work since the tunnel_test packet I believe might not be able to route back since its SecureRemote. Since firewall gives a fake IP address and here I believe firewall is behind nat device it would not know where to route the tunnel_test packet.

Re: Connection failed: Negotation with site failed

the_rock — Mon, 19 Sep 2022 18:39:03 GMT

Good point actually, I did not realize from that screen if was secureremote...

Re: Connection failed: Negotation with site failed

PhoneBoy — Mon, 19 Sep 2022 23:22:07 GMT

What is the precise NAT configuration on the 1550?
Or if that device isn't doing the NAT, what is and what is its precise configuration?

What is the configuration on the R81.10 system with respect to Remote Access?
Did you configure Link Selection and the Visitor Mode port?
I'm fairly certain you cannot "PAT" the Visitor Mode port to a different port (e.g from 10443 to 443) because of how the client stores/validates this information.
If you set the Link Selection on the R81.10 gateway and the Visitor Mode port used to match what your clients actually connects to initially (which means Link Selection IP of 58.33109.55 and Visitor Mode port of 10443), it might work.
Without doing that, I would not expect it to work.

Re: Connection failed: Negotation with site failed

Jeffgo — Tue, 20 Sep 2022 01:25:48 GMT

R81.10 vpn gw visitor mode port is 2443(I have modify the port from 10443 to 2443) and the 1550 map from 2443 to 2443.

Link selection ,i set the value "statically NATed IP:58.33109.55"

Re: Connection failed: Negotation with site failed

the_rock — Tue, 20 Sep 2022 11:40:39 GMT

Would you mind attach screenshots of how this is configured? I think it would help us help you solve this. By the way, did it ever work or its brand new config?

Andy

Re: Connection failed: Negotation with site failed

Jeffgo — Thu, 22 Sep 2022 09:20:31 GMT

This is new config and the configure as following:

Enable IPsec VPN

Enabled NATt by default

The visitor mode port is tcp2443

The belowing is the RemoteAccess community configuration

Re: Connection failed: Negotation with site failed

Jeffgo — Thu, 22 Sep 2022 09:33:14 GMT

The attachment file is the endpoint trac.log,i can not found any available error or alerts

Re: Connection failed: Negotation with site failed

PhoneBoy — Thu, 22 Sep 2022 16:04:20 GMT

Are you also port forwarding the NAT-T port (4500)?
Because that's where it looks like it is failing, if I'm understanding these debug logs correctly.

Re: Connection failed: Negotation with site failed

Jeffgo — Thu, 22 Sep 2022 17:29:56 GMT

Yes,i also map the NAT-T port,but still can not connect successfull.

we can connect successfull when i disable the securexl both cp-1550 and R81.10.

Re: Connection failed: Negotation with site failed

the_rock — Thu, 22 Sep 2022 17:34:50 GMT

You may wish to contact TAC and have them give you right flags to debug securexl or refer to below:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk31404&partition=Expert&product=SecureXL

Re: Connection failed: Negotation with site failed

PhoneBoy — Thu, 22 Sep 2022 17:48:20 GMT

If disabling SecureXL "solves" a problem, contact TAC.