Networking-TNL
Participant

Sometimes error "negotiation with site failed"

Hello All,

I'm currently configuring a new cluster with a new mgmt-server only for VPN.

I've built two VSs on a VSX cluster, one test and one production VS.

VS3 is the test VS, built with smartcard authentication that connects to our external AD. Machine/user are handled by our external domain, and the smartcard authentication is also handled on this external domain; this solution works properly.

VS4 is the production VS, where the machine/user connects to our internal domain and the MFA is handled by RADIUS against the external AD.

On this VS I have the issue that when I try to log on I get the error "Negotiation with site failed". I don't get it every time; the other attempts work well, let's say it fails 1 out of 3 attempts. SmartLog says the user does not belong to the remote community.

The AD LDAP account units of both domains are identical in the management server, and in the Remote Access community's participant user groups I have added a user group based on a security group.

Does anybody have an idea what could go wrong?


7 Replies
_Val_
Admin

Intermittent connectivity issues with LDAP maybe? Do you have multiple servers defined in a single LDAP account unit object?

Networking-TNL
Participant

Tried both: started with an LDAP account unit with three AD servers, changed it later to one, and also switched from one to another one, but still the same issue unfortunately.

the_rock
Legend

Are you able to run, say, the command fw ctl zdebug + drop | grep username (just replace username with the actual user)? Not sure this gives us more info, but worth a try.

Networking-TNL
Participant

Nope, doesn't give any results.

Networking-TNL
Participant

I found in the vpnd.elg that when the authentication fails, the Check Point only did LDAP requests to our external domain controllers instead of the internal domain.

When I remove the specific participant groups in the Remote Access community and change it to "all rules", it works properly.

But strangely it works properly for the Office Mode assigned group (this is exactly the same group as configured in the participant user groups).

How is it possible that Check Point does the request to the wrong AD?

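Added example, not part of the thread and not Check Point code: the check behind the finding above, i.e. which LDAP server the VS queried on the attempts that failed versus the ones that succeeded. It runs awk over a vpnd.elg-style log. The sample lines are constructed and the field layout (login start, ldap query server=..., auth success/failure) is an assumption, so adapt the three patterns in the awk script to the real lines in $FWDIR/log/vpnd.elg of the affected VS (on VSX, switch context with vsenv <vsid> first).

```shell
#!/bin/bash
# Added example: correlate the LDAP server queried by vpnd with the outcome of
# each login attempt. Not Check Point code. The line layout below is CONSTRUCTED;
# real vpnd.elg lines differ, so adapt the three patterns in the awk script.

# Print counted "<result> <ldap-server>" pairs for a vpnd.elg-style log ($1).
# Each "login start" opens an attempt; every "ldap query server=" line until
# the next "auth success" / "auth failure" is attributed to that attempt.
ldap_servers_by_result() {
    awk '
        /login start/ { servers = "" }
        /ldap query server=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^server=/) { split($i, kv, "="); servers = servers kv[2] " " }
        }
        /auth (success|failure)/ {
            result = ($0 ~ /auth success/) ? "success" : "failure"
            n = split(servers, s, " ")
            for (i = 1; i <= n; i++)
                if (s[i] != "") count[result " " s[i]]++
            servers = ""
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# Constructed sample: 10.10.0.5 stands for an internal DC, 203.0.113.20 for an
# external DC. The one failed attempt is the one whose query went to the
# external DC, which is the pattern described in the post above.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
[vpnd] 10:00:01 user=jdoe login start
[vpnd] 10:00:01 ldap query server=10.10.0.5 user=jdoe
[vpnd] 10:00:02 user=jdoe auth success
[vpnd] 10:00:10 user=jdoe login start
[vpnd] 10:00:10 ldap query server=203.0.113.20 user=jdoe
[vpnd] 10:00:11 user=jdoe auth failure reason=user not in community
[vpnd] 10:00:20 user=jdoe login start
[vpnd] 10:00:20 ldap query server=10.10.0.5 user=jdoe
[vpnd] 10:00:21 user=jdoe auth success
EOF

ldap_servers_by_result "$SAMPLE"
# Expected:
# failure 203.0.113.20 1
# success 10.10.0.5 2
```

If every failure line pairs with a DC of the other domain, the VS is resolving the user against the wrong account unit, which is a user-directory selection problem on that VS rather than an LDAP connectivity one; fw ctl zdebug + drop will not show it because no packet is dropped.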
Networking-TNL
Participant

This topic can be closed; I solved this issue by specifically configuring the proper Active Directory under VS > Other > User Directory and selecting the proper AD there.

_Val_
Admin

Great to hear
