This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mr_andy
Explorer
‎2019-07-03 06:04 AM

R80.10/R80.20 not displaying correct number of remote access tunnels

Can anyone help with a strange problem we are experiencing. 

Smartview Monitor has started mis-reporting the number of remote user tunnels.   

vpn_ra-peers.png

the actual number of connected users is only 12,  but cluster member A is saying 383,  and cluster member B is showing 208  ?    if the gateways are restarted or cpstop/cpstart the number changes again.

it is definitely a gateway issue and not a management/smartconsole issue.    on each gateway if I run the following command -   cpstat -f all vpn    and check the value of  'IPsec number of VPN-1 RA peers" I get the same result shown above, e.g.   383 on the A member.

if I run the following command:

fw tab -t userc_users -s

this shows the correct number of connected remote access users under the #VALS column.

anyone seen this before and know of a fix ?   looks like we need to reset the count somewhere.

We have seen this behaviour on two of our clustered gateways and first occurred after upgrade from R77.30.    One pair of clusters is running R80.10 with JHFA 189,  the other is  R80.20 with JHFA 33  and both are exhibiting the same issue.

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2019-07-03 06:08 PM

Best to engage the TAC here.
0 Kudos
Licensing_User
Contributor
‎2019-10-08 08:45 AM

Did you get to the bottom of this? We see the same problem on R80.30 Take 50

0 Kudos
mr_andy
Explorer
‎2019-10-09 12:59 AM
In response to Licensing_User

Hello

we tried the latest Jumbo Take 225 for R80.10 but this did not resolve the issue.

we have an open SR with Check Point on this problem, the latest update is that they have reproduced the issue and are currently working on a fix.     

 

0 Kudos
mr_andy
Explorer
‎2019-10-09 01:00 AM
In response to mr_andy

if you can I would suggest engaging with TAC as well,  as it looks as though this is affecting more than one customer.

0 Kudos
Daniel_Castleto
Explorer
Explorer
‎2019-10-11 12:59 AM
In response to mr_andy

Hi,

 

I have a TAC case currently logged for this exact issue. working fine under R77.30 but afterR80.20 upgrade it does this.

 

TAC have managed to replicate in a lab and are currently working on a fix. I will keep you posted on progress.

 

Regards,

 

Dan

 

0 Kudos
Filippos_Tsikog
Participant
‎2020-04-06 03:30 AM
In response to Daniel_Castleto

Hi, Can you tell us eventually what happened with the results of the TAC Case?

Regards

Kostas

 

0 Kudos
Daniel_Castleto
Explorer
Explorer
‎2020-04-06 05:41 AM
In response to Filippos_Tsikog

Hi All,

Checkpoint provided 2 separate hotfixes. Neither of them resolved the issue.

Ongoing Hotfix 270 mentions the following:

PRJ-2978,
VPNS2S-417		VPNSmartView Monitor VPN tunnel status may show incorrect or missing tunnels status for a cluster object.

 

Jumbo Hotfix Take 272 went GA yesterday. I am going to recommend to my client to install JHF Take 272.

Let me know if you managed to get it installed before my customer.

Regards,

Dan

0 Kudos
Filippos_Tsikog
Participant
‎2020-04-06 12:32 PM
In response to Daniel_Castleto

Our software versions are different from yours, we have R80.30 for management server and R80.20 for firewalls (active-passive) and after upgrading to the latest jumbo fix both Management server and firewalls we have the same results. So if anyone else has any idea what to do next please you are welcome.

0 Kudos
Albert_Wilkes
Collaborator
‎2020-05-14 04:24 AM
In response to Filippos_Tsikog

We found this is still an issue in R80.30 Take: 191

CP have provided a HF for another customer and lower JHF but the customer have yet to install and test to see if it fixes this.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events