CheckMates > Products > General Topics
VPN problem -- 1/4 to connect
Hello team,
Recently I faced a problem with a VPN connection, and I haven't found the main reason. In fact I manage 2 different companies (each one has a Check Point),
for the first company the VPN works properly and there is no problem; since 1 year the second company has exactly the same version and the same configuration, but when a user tries to connect to the VPN he gets several errors (sometimes host unreachable, other times disconnects ...) and manages to connect after 3 to 5 tries,
I tried to make some packet captures from the client machine but didn't find anything important (when the client sends the handshake request it doesn't get the response), even though I can ping the VPN from the public network,
I need help to resolve this problem; maybe it's a stupid thing that escapes me, and maybe it's something someone has come across before,
Is it possible to provide a packet capture example to make a comparison between them?
In Wireshark I tried to find those steps; is this the way Check Point works?
Another point please: is there a method to make a packet capture in Check Point using the GUI (like Fortigate or Cisco ASA) and get a pcap file as output?
Thanks in advance
OK, let's start with the basics here. Some questions...
1) Did this ever work before?
2) What type of client is it? Barebone one or EDR (i.e. Harmony Endpoint)?
3) Regardless of answer to 2, did you test with different versions?
4) Does same issue happen to everyone?
5) Did you run capture on tunnel test packets?
Tunnel test is port 18234, so you can try this on the fw when testing -> fw monitor -e "accept port(18234);"
Best,
Andy
Thank you for your quick response, below are the answers to your questions
1) Did this ever work before? --> nope, we just started it recently, and since then we face this issue
2) What type of client is it? Barebone one or EDR (i.e. Harmony Endpoint)? --> the client is Check Point Mobile
3) Regardless of answer to 2, did you test with different versions? --> Yes
4) Does same issue happen to everyone? --> Yes, all have the same issue, even when I try with a new computer
5) Did you run capture on tunnel test packets? --> What is the best way to do that please?
You can run the command I gave from expert mode of the firewall. Also, you can run fw ctl zdebug + drop | grep x.x.x.x, just replace x.x.x.x with the IP the user is coming from.
Alternatively, turn on vpn debugs.
vpn debug trunc
vpn debug ikeon
- generate some traffic
vpn debug ikeoff
get the iked and vpnd files from the $FWDIR/log dir
Andy
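As an added example (not from this thread and not Check Point's own tooling): once a capture taken on the gateway is saved as a libpcap file (e.g. tcpdump -w on the gateway, or a client-side capture), this Python script pairs every client-to-gateway flow on the remote access ports (IKE UDP/500 and 4500, tunnel test UDP/18234, TCP/443) with a reply from the gateway and lists the flows that never got one, which is exactly the "handshake sent, no response" symptom to look for. The gateway and client addresses and the embedded sample capture are constructed.

```python
import struct
from collections import defaultdict

GATEWAY, CLIENT = "203.0.113.10", "198.51.100.7"   # constructed sample addresses
# Ports a Check Point remote access client talks to while connecting (port -> label)
VPN_PORTS = {500: "IKE", 4500: "IKE NAT-T", 18234: "tunnel test", 443: "TLS (Visitor Mode)"}

def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport) for IPv4 TCP/UDP frames in a libpcap (Ethernet) file."""
    end = "<" if struct.unpack("<I", data[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24                                              # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[off:off + 16])[2]
        pkt, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 38 or pkt[12:14] != b"\x08\x00" or pkt[23] not in (6, 17):
            continue                                      # only IPv4 TCP/UDP carry the VPN services
        ihl = (pkt[14] & 0x0F) * 4
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
        yield (src, dst, pkt[23]) + struct.unpack("!HH", pkt[14 + ihl:18 + ihl])

def unanswered(packets, gateway):
    """Per service, list client->gateway flows for which the gateway never sent a packet back."""
    sent, replied = defaultdict(set), set()
    for src, dst, proto, sport, dport in packets:
        if dst == gateway and dport in VPN_PORTS:
            sent[VPN_PORTS[dport]].add((src, proto, sport))
        elif src == gateway and sport in VPN_PORTS:
            replied.add((dst, proto, dport))
    return {svc: sorted(flows - replied) for svc, flows in sent.items()}

def frame(src, dst, proto, sport, dport):
    """Minimal Ethernet/IPv4/L4 frame carrying just the fields the parser reads (constructed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file, the layout tcpdump -w writes (constructed)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

# Constructed capture: tunnel test and NAT-T answered, one IKE attempt on UDP/500 never answered
SAMPLE = build_pcap([frame(CLIENT, GATEWAY, 17, 40001, 18234), frame(GATEWAY, CLIENT, 17, 18234, 40001),
                     frame(CLIENT, GATEWAY, 17, 500, 500),
                     frame(CLIENT, GATEWAY, 17, 4500, 4500), frame(GATEWAY, CLIENT, 17, 4500, 4500)])

print(unanswered(parse_pcap(SAMPLE), GATEWAY))   # real input: open("capture.pcap", "rb").read()
```

An empty list for a service means every client attempt on it was answered; flows listed under IKE are the ones to match against fw ctl zdebug drop output or the ike.elg timestamps.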
What version/JHF of the gateway?
What client (and version)?
If you execute tcpdump from the gateway, do you see the VPN client initiating traffic?
Do you see any logs in SmartView when the user tries to connect?
A Wireshark capture is not really the tool to troubleshoot here. The data is encrypted, so we do not know what happens.
I would start by focusing on the SKs that are related to disconnects and VPN clients. You can also consider a VPN debug; this will give you more info. The debug can be done centrally on the firewall or even on the client (depending on what VPN client is running).
If you like this post please give a thumbs up (kudo)! 🙂
