cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

VPN (certificate) problem after upgrade to R80.20

Hello,

after an Upgrade of our Management from R77.30 to R80.20 we had problems with VPN tunnels between our firewall cluster and Checkpoint Appliances (11xx;14xx)

After rollback to R77.30 all VPN are up and running without problems.

Management = R80.20
Cluster Member = R.77.30
1430 Appliance = newest firmware

1120 Appliance = not the latest firmware
They will not be up with following error message (see attachment)

Besides the upgrade, the only change is that management has moved from an IBM hardware server to a VM.

Does anyone have any idea how to fix it?

Regards

Harald

7 Replies
Jerry
Gold

Re: VPN (certificate) problem after upgrade to R80.20

have you tried to re-generate SIC's to ie. one gateway (in order to test if all works just fine) ?

if it does help - you know the drill Smiley Happy

Jerry
0 Kudos

Re: VPN (certificate) problem after upgrade to R80.20

Yes. We have done this. No success.
We also tried to "degrade" the appliance to local management and after policy install switch back to central management. Also no success.

0 Kudos

Re: VPN (certificate) problem after upgrade to R80.20

Hello,

There are SKs, where you can find possible sources of failure because of invalid certificate. 

  • sk17106 – Remote side peer object is incorrectly configured
  • sk23586 – nat rules are needed
  • sk18805 – multiple issues, define a static nat, add a rule, check time
  • sk25262 – port 18264 has problems
  • sk32648 – port 18264 problems v2
  • sk15037 – make sure gateway can communicate with management

Also I'd like to recommend to check your IKEs by means of :

#vpn debug on
#vpn debug ikeon
#vpn tu

Log Files are:

#$FWDIR/log/ike.elg
#$FWDIR/log/vpnd.elg.

Good luck!

Re: VPN (certificate) problem after upgrade to R80.20

Hi,

we were able to find out that this was a certification issue.

Ike: Main Mode Expected to get certificate whose root CA is ADDTrust_External_CA_Root, got certificate whose root CA is COMODO

Reject Category: Gateway to Gateway authentication failure
After deleting the certificate, the VPN tunnel was established.
The certificate was first installed in 2014 and extended in 2017. With R77.30 in the whole time no problems.
I need to renew and reinstall the certificate because we need it for the SSL extender.
Does anyone have any idea what the problem may have been.
I fear the new certificate could also be problematic.

0 Kudos
Admin
Admin

Re: VPN (certificate) problem after upgrade to R80.20

Possible the VPN certificate expired and just needed to be regenerated.

0 Kudos

Re: VPN (certificate) problem after upgrade to R80.20

No. The certificate was not expired That was not the problem.

0 Kudos
Admin
Admin

Re: VPN (certificate) problem after upgrade to R80.20

Looks like the expected CA of the certificate changed (if I'm reading the error message better than I was before).

That will certainly cause an issue.

0 Kudos