Alias
Contributor

Office Mode IP Assignment failure - all IP address were allocated or the user is not authorized

Hey Mates,

 

I'd like to share all the fun we had today and ask the community, if anybody encountered similar problems or can explain what went wrong here. Or maybe as a little help for fellow admins, cause we didn't find any article that was about it.

For starters, we are currently in a network redesign phase. As part of this our management server needed to get a new IP address. This is covered in sk40993 and we thought easy peasy no problem. However, we encountered a major outage of our VPN service that we were luckily able to workaround by now. However, we are still far from a point of understanding what the heck exactly happened.

So, we were happily following the article. After we finished the configurations, suddenly we were flooded with tickets that our colleagues were unable to connect via VPN anymore. All of them got the message: Office Mode IP Assignment failure - all IP address were allocated or the user is not authorized. The firewall logs showed that they all managed to successfully authenticate but didn't get an IP address.

So we started looking. All our configurations seemed fine, we had changed nothing at the gateway.

After a while we realised that the sk40993 says: Update the licenses for the new IP Address of the Security Management Server - as in plural. Through the Licenses tab in SmartConsole we found that the licenses of our gateways were connected to the old IP of the management server. We figured that we missed something and were supposed to update the licenses of the gateway too.

So, there we went and got new licenses for the gateway from the User Center, loaded them into the Gateway - nothing happened and the users were still unable to work. This was 5 hours into the workday, our support had raised a ticket with Check Point but we hadn't heard back, a rollback was considered but due to the strangeness of the problem we were unsure if it would solve the problem. Our support gave us some bla about certificates which didn't help either.

Then we discovered that we actually had a constant 10 users connected via VPN. Shortly after we found an article which stated that without a valid license the gateway can have 5 VPN Users (why 10 you may ask? we don't know. maybe because we have a cluster?). So we updated the license, but were still without license?

In our desperation we decided to get an "All feature" eval license and uploaded it into our VPN gateway. Voila, 10 seconds later the users were successfully connecting.

That is our state now. We are still waiting to hear back from CP support and hope we will have a session soon, to figure out what had happened and how to get back to a normal state, i.e. with real licenses.

 

Did anybody else ever encounter similar problems?

How did you handle it?

Can anybody explain what happened here?

 

I'll let you know, if we get any information concerning the cause.

Cheers

D

 

 

 

0 Kudos
5 Replies
the_rock
Legend

I had seen that a few times and it's the license issue 100% of the time. I'm sorry brother, not a licensing expert, but I believe the default is only 5 users, if I'm not mistaken. I am positive that sort of error would not have anything to do with your gateway config and how office mode is set.

0 Kudos
Tim_Onasch
Explorer

Hi Alias and community,

I ran into the exact same issue a few weeks ago after I migrated to a new SMS and changed the hostname of the primary SMS in the process. Following sk164055 I had to detach licences, remove the internal CA, recreate all SICs and also had to temporarily remove my security gateways with the vpn-blade from their vpn communities.

Afterwards I tested with a few vpn-connections and thought everything is fine but I've never tested with 10 or more concurrent vpn connections. The next morning we faced the same issue you had. We are using the Harmony Endpoint client (managed through the infinity portal) for our remote access vpns. So according to sk67820 I shouldn't need a special license for the mobile access blade on the gateways. At least from my understanding.

However after some troubleshooting I realised that the mobile access blade was disabled, which shouldn't be the case. Although installing the policy still didn't fix my issue. As a workaround I attached an "All feature"-EVAL-license to the gateways and installed the policy again. Afterwards I was able to get more than 10 concurrent vpns running.

What was the solution to your issue?

Did you find an explanation for the maximum of 10 concurrent vpn connections? 

Thanks and best regards,

Tim

0 Kudos
_Val_
Admin

The default GW license only includes 5 Office Mode users. If you need more, you need an additional license.

Once you apply EVAL license, it includes unlimited Office Mode addresses, hence the described result.

0 Kudos
Tim_Onasch
Explorer

Hi Val,

If that is the case, shouldn't I be limited to 5 concurrent vpn connections instead of 10 without an additional license?

Furthermore sk67820 indicates that I don't need an additional license for the gateways with the harmony endpoint vpns or am I missing something?

Thanks and best regards

0 Kudos
_Val_
Admin

Yes, should be 5 only. However, the topic starter was talking about his test, which included 10 clients only. Not sure I understand your point.

0 Kudos
