This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KevinA
Participant
‎2020-08-18 04:33 AM

Drops on Remote Access VPN

Hi All,

 

So we have configured Remote access (IP Sec) and have a strange issue with random packet drops to internal network hosts.

172.16.10.2 is the office mode IP and 192.1.1.5 is the DNS server inside the network.

All the traffic is being forced through the gateway, so no split tunnel..

The client we are using is checkpoint mobile and no mobile access blade enabled.

My VPN domain is manually defined and only includes the 192.1.1.0/24 subnet.

I did come across this when running a debug:

[Expert@FP-CP-VM:0]# fw ctl zdebug + drop | grep 172.16.10.2
@;6537067;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=17 172.16.10.2:56289 -> 192.1.1.5:53 dropped by vpn_inbound_tagging_ex Reason: check_userc_tables returns -1;

 

What exactly does this mean - vpn_inbound_tagging_ex Reason: check_userc_tables returns -1;

 

Has any one else come across this issue?

I'm still learning my way around checkpoint, so please let me know if you need any additional outputs or information.

 

Cheers,

0 Kudos
5 Replies
Timothy_Hall
Legend Legend
Legend
‎2020-08-18 06:47 AM

Does your gateway have more than one external interface or ISP?  If so you need to check "Support connectivity enhancement for gateways with multiple external interfaces" on the VPN Clients...Office Mode screen of your gateway object and reinstall policy.  

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
KevinA
Participant
‎2020-08-18 07:15 AM
In response to Timothy_Hall

Hi Timothoy, its already selected..

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2020-08-18 07:04 AM

Hi @KevinA,

Just an idea!

  1. Login to the Smart Dashboard.
  2. Click 'Gateways & Server > VPN Client > Office Mode' and search for "Office Mode Enable With Multiple Interfaces:"
  3. Select checkbox for "True".
    A1.JPG

  4. Run the below command in expert mode to clear the users check table:

    [Expert@GW]# fw tab -t userc_users -x -y

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
KevinA
Participant
‎2020-08-18 11:55 PM

@Timothy_Hall/ @HeikoAnkenbrand,

Thank you both 🙂

the option was already selected.

running fw tab -t userc_users -x -y, got rid of that drop, however i see this message as well frequently?

Will you be able to point me in the right direction?

@;6684711;[cpu_0];[SIM-204585957];handle_vpn_encryption: ipsec_encrypt failed. Dropping packet... conn: <203.39.119.20,8443,172.16.10.2,59930,6>;
@;6684711;[cpu_0];[SIM-204585957];sim_pkt_send_drop_notification: (0,2) received drop, reason: Encryption Failed, conn: <203.39.119.20,8443,172.16.10.2,59930,6>;

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-08-19 04:32 AM
In response to KevinA

Looks like the source IP of this traffic got NATted inappropriately to 203.x.x.x, or the VPN user is trying to hit a publicly-routable NAT address inside the VPN tunnel.  They need to use the internal, non-NAT address.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events