topic Re: EndPoint VPN Error Following Upgrade in SASE and Remote Access

EndPoint VPN Error Following Upgrade

superd — Fri, 10 Jun 2022 13:05:58 GMT

Hi all,

Ive upgraded one of our FWs from r80.10 -> r80.40, and now I am recieving the below error for endpoint VPN connections.

"You are not authorized to recieve and office mode IP address"

The only untoward message I can find in vpn.elg debug is below - but possibly a red herring, not certain.

[vpnd 5997 4126250688]@CPFW-R77.20[10 June 13:40:22] check_uint_attribute_value: failed to get attribute [sr_info_auth_grps_fetched] from userobject
[vpnd 5997 4126250688]@CPFW-R77.20[10 June 13:40:22] check_uint_attribute_value: read attribute [sr_info_auth_grps_fetched] on user object, value is 0

The above error is mentioned in SK115352 >> however, user has NOT got multiple accounts internal and ldap, so I dont believe its a valid fix here.

SmartLog shows the authentication as successfull, but without any further entries.

The other GW is still on r80.10, and working fine with the same policy. Im not sure if that may have some impact here with differing versions.

Also, the clients use a certificate to authenticate. Im wondering has something changed with .10 and .40 in terms of certificates. The certificate is self signed.

Any thoughts much appreciated.

Re: EndPoint VPN Error Following Upgrade

the_rock — Fri, 10 Jun 2022 12:29:00 GMT

Hm, thats indeed a bit strange. So that message clearly would indicate that it believes that user is not authorized to get the OM IP address, though it does show its authenticated, so to me at least, would tell me that cert auth part is fine. Can you confirm that maybe office mode settings did not change on that firewall?

Andy

Re: EndPoint VPN Error Following Upgrade

superd — Fri, 10 Jun 2022 12:38:47 GMT

Hi, no changes to office mode.

Ive updated the thread with the following errors / messages found in vpn.elg:

Re: EndPoint VPN Error Following Upgrade

the_rock — Fri, 10 Jun 2022 13:08:49 GMT

The only thing I found with those errors is below link, but not so sure it applies : (. Maybe worth TAC case, as that sounds like a pretty serious problem. Never mind, I see its same sk you mentioned as well...Just as a test, to be 100% sure, can you attempt user/pass method to see if that works?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115352&t=1535673600030

Re: EndPoint VPN Error Following Upgrade

PhoneBoy — Fri, 10 Jun 2022 15:53:30 GMT

That message indicates a license issue.
With cplic print from the relevant gateway, we can confirm if you have the correct license that allows for Office Mode.
If you have the correct license and the upgrade causes it to break, it's probably a bug and a TAC case will be necessary.

Re: EndPoint VPN Error Following Upgrade

superd — Fri, 10 Jun 2022 15:55:30 GMT

Thanks - I thought so too. But licensing looks ok. Ive also dropped an eval on it, just to be sure, with no effect. Ive a call open with TAC.

Re: EndPoint VPN Error Following Upgrade

the_rock — Fri, 10 Jun 2022 15:57:26 GMT

Im pretty positive its not license issue.

Re: EndPoint VPN Error Following Upgrade

Egenity — Fri, 10 Jun 2022 17:05:10 GMT

This week, I ran in to a very similar situation with a client.

Their environment was R80.10 JHF Take 30 upgrading to R80.10 JHF Take 55.

Upon upgrade, it immediately broke all VPN attempts with a very similar error (unable to obtain Office Mode IP). In this particular situation, office mode IP addresses are administered by DHCP, which may be why the error differs.

This is a known issue in the later JHF releases, and support provided a specific hotfix to repair it.

Here is sk178767 for the issue:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178767&partition=Advanced&product=Remote

Re: EndPoint VPN Error Following Upgrade

the_rock — Fri, 10 Jun 2022 18:53:35 GMT

Thats odd, because I never had that problem with any customers on those versions. Also, error message does not seem to match with what @superd posted originally.

Re: EndPoint VPN Error Following Upgrade

Egenity — Fri, 10 Jun 2022 18:59:49 GMT

Correct. As my post indicated and explained, similar, not the same error message. 😁

"This week, I ran in to a very similar situation with a client. "

"Upon upgrade, it immediately broke all VPN attempts with a very similar error (unable to obtain Office Mode IP). In this particular situation, office mode IP addresses are administered by DHCP, which may be why the error differs."

Re: EndPoint VPN Error Following Upgrade

the_rock — Fri, 10 Jun 2022 19:01:18 GMT

Thats true : - ). Personally, I doubt its related, but if @superd is willing to try, he could also confirm with TAC.