This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
emiev_av
Explorer
2 weeks ago

Capsule VPN tries to use SSL after IPSec connection timeout

Hello, friends!

A small number of users have encountered an issue where after reaching an inactivity timeout of 15 minutes, reconnection fails and the VPN client hangs in reconnection status.

While reading the logs, I noticed an interesting behavior where after an IPSec session is timed out, the application tries to establish SSL connection. Is this behavior normal?

I will attach a part of the debug file where the real IP addresses are replaced with random ones.

Preview file
31 KB
0 Kudos
7 Replies
Chris_Atkinson
Employee Employee
Employee
2 weeks ago

What is the client OS used?

Automatic Reconnect
• On – When connectivity is broken, the application tries to reconnect as long as there is network available.
• Off – When connectivity is broken, the application tries to reconnect for 120 seconds. After this time, the application disconnects from the VPN site.
You can select the Off setting to use less battery on the device.

Custom Data Fields
These are the keys that can be used in the Custom Data screen:
• tuntype - possible values: kmp (IPsec tunnel) or snx (SSL tunnel)

CCSM R77/R80/ELITE
0 Kudos
emiev_av
Explorer
2 weeks ago
In response to Chris_Atkinson

Both iOS and Android

0 Kudos
emiev_av
Explorer
2 weeks ago
In response to Chris_Atkinson

@Chris_Atkinsonthank you for your response. What's interesting is that I don't see any issues on the majority of clients that are installed on both Android an iOS. The logs I uploaded earlier, for example, are from an Android device.

Is there any documentation that provides instructions as to how to make the changes? I have not been able to find any information on the internet. I need to apply tuntype for Androin and iOS. Could you please give more information about Custom Data? And does the Capsule client really automatically switch to SSL if it fails on IPSec?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
2 weeks ago
In response to emiev_av

There are two knowledge articles that link to the admin guide but the links are broken, have requested they be fixed.

I'll aim to attach an old version of the guide and provide the SK details when I'm back in front of a PC.

Refer: sk105462, sk107536

CCSM R77/R80/ELITE
0 Kudos
Chris_Atkinson
Employee Employee
Employee
2 weeks ago
In response to emiev_av

Attached as promised the version from my archive.

CCSM R77/R80/ELITE
Preview file
772 KB
0 Kudos
emiev_av
Explorer
Friday
In response to Chris_Atkinson

Thanks for providing the documentation and SK. In adminguide it says: “You can set the VPN tunnel type to IPsec or SSL for the client”. Very interesting, can the app spontaneously change the tuntype value, in case of a failed connection over one vpn type? I didn't find such information in the provided documentation, but in the logs it looks like this scenario is happening

0 Kudos
PhoneBoy
Admin
Admin
Friday
In response to emiev_av

If there are connectivity issues using UDP 4500 (NAT-T), the client will switch to Visitor Mode (TCP 443).
This is known, expected behavior.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events