<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: R80.40 - Mac OS unable to connect to Remote Access VPN - Failed to sign in SASE and Remote Access</title>
    <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/173849#M7211</link>
    <description>&lt;P&gt;Hi Valentin1, I'd be really interested in touching base with you on this one. I have two separate environments where Windows Machine auth works but Mac does not. The full certificate chain from the AD joined CA server is present in the system keychain of the Mac and we are using the latest version of endpoint. TAC actually asked us to contact SE as they couldn't work out what the problem is... We have tried the solution from you and bmartins but without success. Any advice or information you can provide (that might not be in the documentation) would be very much appreciated.&lt;/P&gt;</description>
    <pubDate>Tue, 07 Mar 2023 12:33:06 GMT</pubDate>
    <dc:creator>LazarusG</dc:creator>
    <dc:date>2023-03-07T12:33:06Z</dc:date>
    <item>
      <title>R80.40 - Mac OS unable to connect to Remote Access VPN - Failed to sign</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141420#M7205</link>
      <description>&lt;P&gt;Dear all,&lt;/P&gt;&lt;P&gt;We have rolled out machine certificate authentication in our company and it's working pretty well on Windows machines (both domain-joined and workgroup).&lt;/P&gt;&lt;P&gt;Starting to use this setup on our Mac devices does not work with the error message below (from trac.log):&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[ 11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] RaisCertManager::KeychainHelper::getSystemIdentityByName: Found suitable candidate
[ 11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] KeychainHelper::cmdSignWithName: Failed to sign. Error code: '-25308'
[ 11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] RaisCertManager::KeychainHelper::Sign: length too short
[ 11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] RaisCertManager::KeychainHelper::Sign: Return value : -1005
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] Rais_CAPICERT::capi_cert_sign: Failed to sign buffer
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] capi_cert_sign: __end__ 12:03:34 Total time - 0 seconds
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] CAPICert::Sign: __end__ 12:03:34 Total time - 0 seconds
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] CAPICert::Machine_Sign: __end__ 12:03:34 Total time - 0 seconds
[ 11888 0x1118f1600][14 Feb 12:03:34][IKE] create_MM5(hybrid authentication): Failed to sign hash with the machine's certificate (-996)
[ 11888 0x1118f1600][14 Feb 12:03:34][rais] [DEBUG] [RaisMessages::CreateMessageSet(s)] message: (msg_obj
:format (1.0)
:id (ClipsMessagesInternalError)
:def_msg ("Internal error; connection failed. More details may be available in the logs")
:arguments ()
)&lt;/LI-CODE&gt;&lt;P&gt;Mac device hostname is matched with the certificate we have imported in the System keychain but it is failing to sign it?&lt;/P&gt;&lt;P&gt;Endpoint Security client version is E86.20, latest build.&lt;/P&gt;&lt;P&gt;Do you have any hints on this?&lt;/P&gt;&lt;P&gt;Cheers!&lt;/P&gt;&lt;P&gt;Bruno&lt;/P&gt;</description>
      <pubDate>Mon, 14 Feb 2022 12:34:01 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141420#M7205</guid>
      <dc:creator>bmartins-EUDA</dc:creator>
      <dc:date>2022-02-14T12:34:01Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 - Mac OS unable to connect to Remote Access VPN - Failed to sign</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141719#M7206</link>
      <description>&lt;P&gt;Recommend opening a TAC case.&lt;BR /&gt;In order to investigate, you'll probably need something like the following:&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;On the Client - Mac machine:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN&gt;Right click on the Endpoint connect Icon&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Click "VPN Options"&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Click on the "Advanced" Tab &amp;gt; tick the box "Enable Logging" and change to "Extended"&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Click close.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN&gt;On the GW side:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN&gt;Open SSH connection to the Security Gateway and log in as Expert;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Initiate VPN debug on the Security Gateway:&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;[Expert@HostName]# vpn debug trunc&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;[Expert@HostName]# vpn debug on TDERROR_ALL_ALL=5&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN&gt;On the Client side:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN&gt;Right Click again on the Endpoint connect Icon.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Click "VPN Options"&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Click on the "Advanced" Tab &amp;gt; click on the button "Collect Logs"&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Change from "Extended" to "Basic"&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;A cab file will be created with the entire debug files inside.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Provide the client log file called trlog_xx-xx-2021_time.cab&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN&gt;On the GW side:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN&gt;Open SSH connection to the Security Gateway and log in as Expert;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Stop VPN debug on the FW:&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;[Expert@HostName]# vpn debug off&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;[Expert@HostName]# vpn debug ikeoff&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN&gt;The following files from the Security Gateway should be reviewed:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;SPAN&gt;$FWDIR/log/ike.elg&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;$FWDIR/log/vpnd.elg&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Wed, 16 Feb 2022 23:06:41 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141719#M7206</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2022-02-16T23:06:41Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 - Mac OS unable to connect to Remote Access VPN - Failed to sign</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141858#M7207</link>
      <description>&lt;P&gt;Could you please check if the certificate private key is allowed to be accessed?&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="macm.jpg" style="width: 999px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15437iF7B14D9E527106EA/image-size/large?v=v2&amp;amp;px=999" role="button" title="macm.jpg" alt="macm.jpg" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 18 Feb 2022 09:19:31 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141858#M7207</guid>
      <dc:creator>Valentin1</dc:creator>
      <dc:date>2022-02-18T09:19:31Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 - Mac OS unable to connect to Remote Access VPN - Failed to sign</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141863#M7208</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;That was one of my suspicions because Check Point Endpoint Security client is not listed and whenever I change any option on that window and click save, it reverts back to its default value.&lt;/P&gt;&lt;P&gt;I am not a Mac user and not sure what is going on there.&lt;/P&gt;&lt;P&gt;Thank you!&lt;/P&gt;</description>
      <pubDate>Fri, 18 Feb 2022 09:37:48 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141863#M7208</guid>
      <dc:creator>bmartins-EUDA</dc:creator>
      <dc:date>2022-02-18T09:37:48Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 - Mac OS unable to connect to Remote Access VPN - Failed to sign</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141878#M7209</link>
      <description>&lt;P&gt;You could try to use:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;sudo security import PATH_TO_CERT -P CERT_PASSWORD -k /Library/Keychains/System.keychain -T /Library/Application\ Support/Checkpoint/Endpoint\ Security/Endpoint\ Connect/TracSrvWrapper&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;This command imports the certificate and adds the service to the Allowed Apps list.&lt;/P&gt;</description>
      <pubDate>Fri, 18 Feb 2022 10:50:47 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141878#M7209</guid>
      <dc:creator>Valentin1</dc:creator>
      <dc:date>2022-02-18T10:50:47Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 - Mac OS unable to connect to Remote Access VPN - Failed to sign</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141918#M7210</link>
      <description>&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;It also works if we do it this way:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Unlock system keychain&lt;/LI&gt;&lt;LI&gt;Import PFX to login keychain&lt;/LI&gt;&lt;LI&gt;Change access control for the private key in the login keychain&lt;/LI&gt;&lt;LI&gt;Copy certificate and private key from login to system keychain&lt;/LI&gt;&lt;/OL&gt;</description>
      <pubDate>Fri, 18 Feb 2022 15:13:21 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/141918#M7210</guid>
      <dc:creator>bmartins-EUDA</dc:creator>
      <dc:date>2022-02-18T15:13:21Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 - Mac OS unable to connect to Remote Access VPN - Failed to sign</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/173849#M7211</link>
      <description>&lt;P&gt;Hi Valentin1, I'd be really interested in touching base with you on this one. I have two separate environments where Windows Machine auth works but Mac does not. The full certificate chain from the AD joined CA server is present in the system keychain of the Mac and we are using the latest version of endpoint. TAC actually asked us to contact SE as they couldn't work out what the problem is... We have tried the solution from you and bmartins but without success. Any advice or information you can provide (that might not be in the documentation) would be very much appreciated.&lt;/P&gt;</description>
      <pubDate>Tue, 07 Mar 2023 12:33:06 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/173849#M7211</guid>
      <dc:creator>LazarusG</dc:creator>
      <dc:date>2023-03-07T12:33:06Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 - Mac OS unable to connect to Remote Access VPN - Failed to sign</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/184054#M7212</link>
      <description>&lt;P&gt;Also, &lt;A href="https://support.checkpoint.com/results/sk/sk181067" target="_self"&gt;sk181067&lt;/A&gt; was published very recently.&lt;/P&gt;</description>
      <pubDate>Thu, 15 Jun 2023 14:28:26 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-40-Mac-OS-unable-to-connect-to-Remote-Access-VPN-Failed-to/m-p/184054#M7212</guid>
      <dc:creator>LazarusG</dc:creator>
      <dc:date>2023-06-15T14:28:26Z</dc:date>
    </item>
  </channel>
</rss>

