- Products
- Learn
- Local User Groups
- Partners
- More
On-Premise SD-WAN Management
Register HereWhat's New in R82.10?
Watch Here AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
The Moment Before
Hello,
Appreciate any assistance.
VSX R80.40 Take 154 VPN gateway with very old legacy SecureClients (R56) connecting (no office mode).
Everything was working fine until the SSL certificate under IPSec VPN section expired and had to be renewed. After renewal and policy installation, SecureClients failed to connect with "Phase1 Received Notification from Peer: invalid certificate" error message.
Recreating the profile and the site on the clients side didn't help. The error about invalid certificate disappeared, but the site couldn't be created -- no errors on the gateway side, and the client times out. We do get the thumbprint of the new certificate, there is 443/tcp and 500/udp traffic. The client is authenticated (we see successful Radius logs), so Phase 1 is fine. Then we see 264/tcp (FW1_topo) and I think this is where the clients fail, but no errors whatsoever. It looks like they timeout getting the topology, although nothing is blocked on the gateway side.
There were no changes in the configuration of the VPN settings -- only the certificate was renewed.
Thank you.
If I had to guess, your renewed certificate is signed with a SHA-256 hash.
Windows didn’t support SHA-256 until XP SP3.
That means SecureClient R56 probably doesn’t, either.
Hi @PhoneBoy
Checked -- SHA1 is used:
From the management:
cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: | cpopenssl x509 -noout -text | grep "Signature Algorithm"
Error outputting keys and certificates
4146366848:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:615:
4146366848:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:63:
4146366848:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:94:
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
That's the ICA, what about the actual gateway certificate?
In any case, SecureClient R56 is very much out of support at this point.
What are you running it on, exactly?
From the GUI it says:
Public Key: RSA (1024 bits)
Signature: RSA with SHA1
Not sure how to check it from the console.
We had to use R56 due to the old software that runs on Windows 2003.
Unless you can find something useful in the client logs as @JozkoMrkvicka suggested, not sure what else we can suggest here.
Well, thats a tricky one. R56 client is probably long time unsupported. Can it still work? I have no clue, but here are some things I would check. Btw, excellent job in verifying what you already described 👍
-does zdebug show anything if you grep for say public IP of the user trying to create a site?
-can you do fw monitor or tcpdump for their public IP to see if anything is even trying to hit the firewall?
Andy
I did collect vpnd debug logs -- everything looks fine for the Phase 1, it just never progresses into Phase 2.
It used to work one day ago, the only difference now is that in order to recreate the site clients have to access 264/tcp (FW1_topo)? I checked that the port is listening on the gateway, and I can telnet to it remotely (Accept Remote Access connections implied rule is triggered) .
Tried tcpdump too -- 443/tcp, 500/udp and 264/tcp, nothing else is requested.
Try to enable logs on SecureClient itself (on Windows 2003 workstation). There you should be able to see what is going on.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 94 | |
| 40 | |
| 8 | |
| 7 | |
| 6 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 |
Tue 28 Jul 2026 @ 11:00 AM (EDT)
Under the Hood - Check Point and Illumio – Modern Network Defense Against AI-Based ThreatsThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeTue 28 Jul 2026 @ 11:00 AM (EDT)
Under the Hood - Check Point and Illumio – Modern Network Defense Against AI-Based ThreatsThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY