Hello, everyone.
We currently have a connection problem for users trying to connect via VPN to the GW (Using Endpoint Security).
Initially, everything was working fine with the AD Query method (We have Mobile Access and IA blades enabled).
Now, since we migrated the way AD users work, from AD Query to IDC, we are having problems with a lot of users not being able to connect to the VPN.
We have checked that in the IDC there is an association between an IP + User.
But it seems that this information stays in the IDC, and is not sent to the Firewall.
When we query for a certain user that is seen in the IDC, it does not appear in the "pdp" commands that we apply in the GW.
We have made connection tests, with local GW accounts, and everything works fine.
Any opinion and/or similar experience you can share?
Regards.
Never had an issue like that before. Question...I assume you are using access roles? If you do pdp monitor user command, do you even see anything?
Andy
Yes, we are working the rules with Access Role.
In the SMS logs, the message "Unknown User" appears.
The strange thing is that the users are seen in the IDC (IP+User Association).
But in the GW Cluster, the user is not seen when searching with the command "pdp ...".
So, because of this, remote users cannot connect.
This happened after migrating from AD Query to IDC.
This is the evidence, from what I see with the "pdp" command in the GW.
The user does not appear in the GW.
But this same user does appear in the IDC.
Make sure the LDAP account unit is still there, as that's needed to pull the groups from AD properly, as @PhoneBoy mentioned in another post.
Andy
The account that was used to hook the IDC to the AD still exists.
Is there a way to reboot, do a sniffer or capture, that will help us to know why the AD users do not arrive to the GW, but they do arrive to the IDC?
😕
Reboot won't do anything for this sort of issue. Can you still see the same LDAP account unit? Are there any logs for the tested user in SmartConsole? You can do the IA debugs TAC gave me a while back, hope they give some clues.
Andy
To test with these TAC debug commands, you would have to test punctually, with a user that is affected with his VPN connection, correct?
Is there a way to "delete" his session, in the IDC, to be able to apply the process from 0, with a punctual user?
That's right. I'm not aware of a way to debug IC, as it's not a process.
It's not in Identity Collector that you need to delete the user, but in PDP on the relevant gateway.
The identities that relate to a given IP address can be revoked using the CLI command: pdp control revoke x.y.z.w
See: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide...
Hello,
The problem is that users are not "seen" in the GW.
For example:
User: Pepito
IP: 10.10.10.10
This association is seen in the IDC, but in the GW, it is not "seen", that's why I think, that applying the command you suggest, would not help me in this case.
It seems that the relationship between the IDC and the GW is not working well.
If you do pdp monitor ip and then user IP, you don't see anything?
Buddy,
In the GW you do not see the users who have already registered in the IDC.
At the top of this post, I pasted some images of a user.
For this user, the IP+User relationship does appear in the IDC, but when you query for this user in the GW, it simply does not see it.
😕
Maybe try restart IC and see what happens.
We are still reviewing this atypical case.
How do you reset the IDC?
I'm going to try the last command you recommended, let's see how it goes.
😉
You don't :-). You either restart it from Task Manager or simply reboot the computer the software is installed on.
Andy
Did you make any progress on this bro? Also, maybe try the pdp update all command to see if there is any difference.
Andy