CheckMates > Products > Harmony > Endpoint > Re: Sometimes error "negotiation with site failed"
Sometimes error "negotiation with site failed"
Hello All,
I'm currently configuring a new cluster with a new management server only for VPN.
I've built two VSs on a VSX cluster, one test and one production VS.
VS3, the test VS, I've built with smartcard authentication which connects to our external AD. Machine/user are handled by our external domain and the smartcard authentication is handled on this external domain as well; this solution works properly.
VS4, the production VS, I've built so that the machine/user connects to our internal domain and the MFA is handled by RADIUS against the external AD.
On this VS I have the issue that when I'm trying to log on I get the error "Negotiation with site failed". I don't get it always, the other attempts work well; let's say it fails 1 out of 3 attempts. SmartLog says the user does not belong to the remote community.
The AD LDAP account units of both domains are identical in the management server, and in the Remote Access community, in the participant user groups, I have added a user group based on a security group.
Does anybody have an idea what could go wrong?
Accepted Solutions
This topic can be closed; I solved this issue by specifically configuring the proper Active Directory under the VS > Other > User Directory and configuring the proper AD.
Intermittent connectivity issues with LDAP maybe? Do you have multiple servers defined in a single LDAP account unit object?
Tried both: started with an LDAP account unit with three AD servers and changed it later to one, and also switched from one to another one, but still the same issue unfortunately.
Are you able to run, say, the fw ctl zdebug + drop | grep username command (just replace username with the actual user)? Not sure this will give us more info, but worth a try.
Nope, doesn't give any results.
I found in the vpnd.elg that when the authentication fails, the Check Point did only LDAP requests to our external domain controllers instead of the internal domain.
When I try to remove the specific participant groups in the Remote Access community and change it to "all rules", it works properly.
But strangely it is working properly on the Office Mode assigned group (this is exactly the same group as configured in the participant user groups).
How is it possible that Check Point does the request to the wrong AD?
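The observation above (failed attempts coincide with LDAP lookups against the external domain controllers) is the kind of thing that is easiest to confirm by correlating each authentication attempt with the LDAP server it was resolved against. The script below is an added example, not code from the thread or from Check Point, and the log line format it parses is constructed for the example; real vpnd.elg output looks different and the regular expression would need adapting. The user names, server names and the EXPECTED_DOMAIN mapping are likewise assumptions.

```python
"""Correlate VPN authentication results with the LDAP server each lookup
went to, so an intermittent "user not in community" failure can be
checked against the domain that was actually queried.

Added example with a constructed log format; not the product's own
log syntax."""
import re
from collections import defaultdict

# Constructed sample log: one line per authentication attempt.
SAMPLE_LOG = """\
2024-01-10 08:01:12 user=jdoe ldap_server=dc1.internal.example result=success
2024-01-10 08:03:40 user=jdoe ldap_server=dc1.external.example result=fail reason=not_in_community
2024-01-10 08:05:02 user=jdoe ldap_server=dc2.internal.example result=success
2024-01-10 08:09:55 user=asmith ldap_server=dc1.external.example result=fail reason=not_in_community
2024-01-10 08:11:30 user=asmith ldap_server=dc1.internal.example result=success
"""

# Which domain each user population should be resolved against (assumed values).
EXPECTED_DOMAIN = {"jdoe": "internal.example", "asmith": "internal.example"}

LINE_RE = re.compile(
    r"user=(?P<user>\S+)\s+ldap_server=(?P<server>\S+)\s+result=(?P<result>\S+)"
)


def domain_of(server):
    """Strip the host label: 'dc1.internal.example' -> 'internal.example'."""
    return server.split(".", 1)[1] if "." in server else server


def parse_log(text):
    """Return one dict per parseable line; lines without the expected
    key=value fields are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["domain"] = domain_of(ev["server"])
            events.append(ev)
    return events


def find_wrong_domain_lookups(events, expected):
    """Attempts where the LDAP server queried is not in the domain the
    user is expected to be resolved against. Users with no expectation
    configured are not flagged."""
    return [
        ev for ev in events
        if ev["user"] in expected and ev["domain"] != expected[ev["user"]]
    ]


def failure_rate_by_domain(events):
    """Map domain -> {'fail': n, 'total': n}; a domain with a high
    fail/total ratio is the one to look at first."""
    stats = defaultdict(lambda: {"fail": 0, "total": 0})
    for ev in events:
        stats[ev["domain"]]["total"] += 1
        if ev["result"] == "fail":
            stats[ev["domain"]]["fail"] += 1
    return dict(stats)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in find_wrong_domain_lookups(evs, EXPECTED_DOMAIN):
        print(f"{ev['user']}: queried {ev['server']} -> {ev['result']}")
    for dom, s in failure_rate_by_domain(evs).items():
        print(f"{dom}: {s['fail']}/{s['total']} failed")
```

On the constructed sample every failure is a lookup that went to the external domain while every success went to the internal one, which is exactly the pattern that points at the user directory configuration rather than at intermittent LDAP connectivity.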
Great to hear.