Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
mr_andy
Explorer

R80.10/R80.20 not displaying correct number of remote access tunnels

Can anyone help with a strange problem we are experiencing. 

Smartview Monitor has started mis-reporting the number of remote user tunnels.   

vpn_ra-peers.png

the actual number of connected users is only 12,  but cluster member A is saying 383,  and cluster member B is showing 208  ?    if the gateways are restarted or cpstop/cpstart the number changes again.

it is definitely a gateway issue and not a management/smartconsole issue.    on each gateway if I run the following command -   cpstat -f all vpn    and check the value of  'IPsec number of VPN-1 RA peers" I get the same result shown above, e.g.   383 on the A member.

if I run the following command:

fw tab -t userc_users -s

this shows the correct number of connected remote access users under the #VALS column.

anyone seen this before and know of a fix ?   looks like we need to reset the count somewhere.

We have seen this behaviour on two of our clustered gateways and first occurred after upgrade from R77.30.    One pair of clusters is running R80.10 with JHFA 189,  the other is  R80.20 with JHFA 33  and both are exhibiting the same issue.

0 Kudos
9 Replies
PhoneBoy
Admin
Admin

Best to engage the TAC here.
0 Kudos
Licensing_User
Explorer

Did you get to the bottom of this? We see the same problem on R80.30 Take 50

0 Kudos
mr_andy
Explorer

Hello

we tried the latest Jumbo Take 225 for R80.10 but this did not resolve the issue.

we have an open SR with Check Point on this problem, the latest update is that they have reproduced the issue and are currently working on a fix.     

 

0 Kudos
mr_andy
Explorer

if you can I would suggest engaging with TAC as well,  as it looks as though this is affecting more than one customer.

0 Kudos
Daniel_Castleto
Explorer

Hi,

 

I have a TAC case currently logged for this exact issue. working fine under R77.30 but afterR80.20 upgrade it does this.

 

TAC have managed to replicate in a lab and are currently working on a fix. I will keep you posted on progress.

 

Regards,

 

Dan

 

0 Kudos
Filippos_Tsikog
Participant

Hi, Can you tell us eventually what happened with the results of the TAC Case?

Regards

Kostas

 

0 Kudos
Daniel_Castleto
Explorer

Hi All,

Checkpoint provided 2 separate hotfixes. Neither of them resolved the issue.

Ongoing Hotfix 270 mentions the following:

PRJ-2978,
VPNS2S-417
VPNSmartView Monitor VPN tunnel status may show incorrect or missing tunnels status for a cluster object.

 

Jumbo Hotfix Take 272 went GA yesterday. I am going to recommend to my client to install JHF Take 272.

Let me know if you managed to get it installed before my customer.

Regards,

Dan

0 Kudos
Filippos_Tsikog
Participant

Our software versions are different from yours, we have R80.30 for management server and R80.20 for firewalls (active-passive) and after upgrading to the latest jumbo fix both Management server and firewalls we have the same results. So if anyone else has any idea what to do next please you are welcome.

0 Kudos
Albert_Wilkes
Collaborator

We found this is still an issue in R80.30 Take: 191

CP have provided a HF for another customer and lower JHF but the customer have yet to install and test to see if it fixes this.

0 Kudos