Matlu
Advisor

Problem of connection of users to the VPN

Hello, everyone.

We currently have a connection problem for users trying to connect via VPN to the GW (using Endpoint Security).

Initially, everything was working fine with the AD Query method (we have the Mobile Access and IA blades enabled).

Now, since we migrated the way AD users are handled, from AD Query to IDC, we are having problems with a lot of users not being able to connect to the VPN.

We have checked in the IDC that there is an association between IP and user.

But it seems that this information stays in the IDC and is not sent to the firewall.

When we look up a certain user who is seen in the IDC, that user does not appear in the "pdp" commands we run on the GW.

We have made connection tests with local GW accounts, and everything works fine.

Any opinion and/or similar experience you can share?

Regards.

0 Kudos
16 Replies
the_rock
Legend

Never had an issue like that before. Question... I assume you are using access roles? If you run the pdp monitor user command, do you even see anything?

Andy

0 Kudos
Matlu
Advisor

Yes, we are working with Access Role rules.

In the SMS logs, the message "Unknown User" appears.

The strange thing is that the users are seen in the IDC (IP+User Association).

But in the GW Cluster, the user is not seen when searching with the command "pdp ...".

So, because of this, remote users cannot connect.

This happened after migrating from AD Query to IDC.

0 Kudos
Matlu
Advisor

This is the evidence, from what I see with the "pdp" command in the GW.

The user does not appear in the GW.

But this same user does appear in the IDC.

PDP.png

0 Kudos
the_rock
Legend

Make sure the LDAP account unit is still there, as that's needed to pull the groups from AD properly, as @PhoneBoy mentioned in another post.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Identity-Collector/m-p/190000/emcs_t/S2h8ZW1ha...

0 Kudos
Matlu
Advisor

The account that was used to hook the IDC to the AD still exists.

Is there a way to reboot, or to run a sniffer or capture, that will help us understand why the AD users do not arrive at the GW but do arrive at the IDC?

😕

0 Kudos
the_rock
Legend

A reboot won't do anything for this sort of issue. Can you still see the same LDAP account unit? Are there any logs for the tested user in SmartConsole? You can do the IA debugs TAC gave me a while back; hope they give some clues.

Andy

0 Kudos
Matlu
Advisor

To test with these TAC debug commands, you would have to test specifically with a user whose VPN connection is affected, correct?

Is there a way to "delete" his session in the IDC, so that we can run the process from scratch with a specific user?

0 Kudos
the_rock
Legend

That's right. I'm not aware of a way to debug IC, as it's not a process.

0 Kudos
PhoneBoy
Admin

It's not in Identity Collector that you need to delete the user, but in PDP on the relevant gateway.
The identities that relate to a given IP address can be revoked using the CLI command: pdp control revoke x.y.z.w
See: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide... 

0 Kudos
Matlu
Advisor

Hello,

The problem is that users are not "seen" in the GW.

For example:

User: Pepito
IP: 10.10.10.10

This association is seen in the IDC, but in the GW it is not "seen"; that's why I think that applying the command you suggest would not help me in this case.

It seems that the relationship between the IDC and the GW is not working well.

0 Kudos
the_rock
Legend

If you run pdp monitor ip followed by the user's IP, you don't see anything?

0 Kudos
Matlu
Advisor

Buddy,

In the GW you do not see the users who have already registered in the IDC.

At the top of this post, I pasted some images of a user.
For this user, the IP+User relationship does appear in the IDC, but when you query for this user in the GW, it simply is not seen.

😕

0 Kudos
the_rock
Legend

Maybe try restarting IC and see what happens.

0 Kudos
Matlu
Advisor

We are still reviewing this atypical case.

How do you reset the IDC?

I'm going to try the last command you recommended, let's see how it goes.

😉

0 Kudos
the_rock
Legend

You don't :-). You either restart it from Task Manager or simply reboot the computer the software is installed on.

Andy

0 Kudos
the_rock
Legend

Did you make any progress on this, bro? Also, maybe try the pdp update all command to see if it makes any difference.

Andy

0 Kudos