Hey Mates,
I'd like to share all the fun we had today and ask the community, if anybody encountered similar problems or can explain what went wrong here. Or maybe as a little help for fellow admins, cause we didn't find any article that was about it.
For starters, we are currently in network redesign phase. As part of this our management server needed to get a new IP adress. This is covered in sk40993 and we thought easy peasy no problem. However, we encountered a mayor outage of our VPN service that we were luckily able to workaround by now. However, we are still far from a point of understanding what the heck exactly happened.
So, we were happily following the article. After we finished the configurations, suddenly we were flooded with tickets that our colleagues were unable to connect via VPN anymore. All of them got the message: Office Mode IP Assignment failure - all IP address were allocated or the user is not authorized. The firewall logs showed that they all managed to successfully authenticate but didn't get an IP adress.
So we started looking. All our configurations seemed fine, we had changed nothing at the gateway.
After a while we realised that the sk40993 says: Update the licenses for the new IP Address of the Security Management Server - as in plural. Through the Licenses tab in smart console we found that the licenses of our gateways were connected to the old IP of the management server. We figured that we missed something and were supposed to update the licenses of the gateway too
So, there we went and got new licenses for the gateway from the User Center, loaded them into the Gateway - nothing happened and the users were still unable to work. This was 5 hours into the workday, our support had raised a ticket with checkpoint but we hadn't heard back, a rollback was considered but due to the strangeness of the problem we were unsure if it would solve the problem. Our support gave us some bla about certificates which didn't help either.
Then we discovered that we actually had a constant 10 users connected via VPN. Shortly after we found an article which stated that without a valid license the gateway can have 5 VPN Users (why 10 you may ask? we dont know. maybe because we have a cluster?). So we updated the license, but were still without license?
In our desparation we decided to get a "All feature" eval license and uploaded it into our VPN gateway. Voila, 10 seconds later the users were successfully conecting.
That is our state now. We are still waiting to hear back from CP support and hope we will have a session soon, to figure out what had happened and how to get back to a normal state, i.e. with real licenses.
Did anybody else ever encounter a similar problems?
How did you handle it?
Can anybody explain what happened here?
I'll let you know, if we get any information concerning the cause.
Cheers
D