Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Wayne_Hammond
Collaborator

R82 to R82.10 - VPN Issues

Hi,

Had a weird issue that has never happened before. Upgrading caused a weird VPN issue going from R82 to R82.10

Upgrade worked fine, running tests, last one VPN failed - when testing with Capsule via Android, IOS or Windows I got capsule conenctions failing - message either malfomed reply from site or SSL error - failed to read data from site

Logs showed certificate mismatch 

When connecting - VPN is connecting to fw2.*******.com, but gateway present default certificate 

CN = ****** VPN Certificate

No matter what I do to state use fw2 cert, still fails

Any thoughts or ideas greatly appreciated

Currently rolled back snapshot so I can get VPN's working

Regards

Wayne

0 Kudos
11 Replies
Lesley
MVP Gold
MVP Gold

Did you install a recent jumbo update after the R82.10 installation? Otherwise you will encounter:

PRJ-66998,

PRJ-67000,

PRJ-67034,

PMTR-124920,

PRHF-44366

VPN, Internal CA

Starting March 1st, 2026, newly created certificates and newly generated CRL may fail validation. Refer to sk184766.

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Wayne_Hammond
Collaborator

Cheers, so the 15th Jun R82.10 build doesnt include the CRL validation HF?

 

 

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP

If you upgraded using the combined R82.10 / JHF take 24 package, then yes that fix was included. 

0 Kudos
Wayne_Hammond
Collaborator

yes i used - R82.10 Security Gateway + JHF T24 for Appliances and Open Servers

 
So still a bit confused
0 Kudos
PhoneBoy
Admin
Admin

Aside from the cert thing @Lesley mentioned, just confirming you installed policy AFTER upgrading to R82.10?
Installing policy with the gateway object set to the correct version is a necessary post-upgrade step.

0 Kudos
Wayne_Hammond
Collaborator

I pushed policy

0 Kudos
Wayne_Hammond
Collaborator

As a follow up i built an lab test R82 open server in VMware - configured it, this time just using default certificate - VPN works from test laptop.  Took a snapshot - upgraded to R82.10 - changed build, pushed policy - VPN fails - so something else is happening I think?

0 Kudos
PhoneBoy
Admin
Admin

Best to get TAC involved here.

0 Kudos
Wayne_Hammond
Collaborator

I have logged a case with TAC - in the meantime here is some further info, to see if you guys can possibly assist?

I have two standalone (non-clustered) gateways:

  • FW1 – currently running R81.20
  • FW2 – currently running R82

The current Remote Access VPN Community contains FW1 only.

Capsule VPN works on both
Endpoint Security VPN works on FW1 - which is fine for our needs as it is used as primary work connection - staff use FW2 when we need to work on FW1.
 
FW2 (R82)
  • NOT a member of the Remote Access Community
  • IPsec VPN configured
  • VPN Clients configured
  • Mobile Access configured

Result:

Capsule VPN works successfully
 
(Although Endpoint Security VPN is not currently used against this gateway.)

R82.10 Testing

When FW2 is upgraded to R82.10, Capsule VPN fails unless FW2 is added to the Remote Access Community.

After adding FW2 to the Remote Access Community and installing policy:

Capsule VPN works
Endpoint Security VPN works
 
 

So has there has been a behavioural or configuration change in R82.10 which now requires a Security Gateway to be included in a Remote Access Community for Remote Access VPN functionality?

My understanding is that:

  • FW2 on R82 successfully accepts Capsule VPN connections without being a member of the Remote Access Community.
  • The same gateway on R82.10 does not.
  • Adding the R82.10 gateway to the Remote Access Community immediately resolves the issue.

Is this:

  1. Expected behaviour in R82.10?

 

I have built a VM R82 - taken a snapshot - configured it exactly like my FW2 and Capsule connections work.

Upgrade to R82.10 Capsule fails, make it a member of Remote Access VPN community, Capsule and Endpoint work.

So there is clear picture R82.10 requires RA VPN, whereas R82 seemed not to be so fussy?

So is there;

  1. A documented configuration requirement that was not enforced in earlier releases?
  2. A known issue/PMTR affecting gateways not participating in a Remote Access Community?
0 Kudos
PhoneBoy
Admin
Admin

Based on your description and the fact we require the gateway being in the RemoteAccess VPN community for other clients, I'd say it was a requirement not enforced in earlier releases.
TAC should be able to confirm.

0 Kudos
Wayne_Hammond
Collaborator

Thanks - I will wait for TAC

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events