Hey guys,
I really hope someone can help me solve this issue for the customer, as it has been going on for almost the last 2 years and we had at least 4-5 TAC cases without any resolution and there is one open presently, but I feel like it's going to go nowhere again (sadly).
Here is the gist of it... When I initially worked with the customer before CP was even in production, as they are mostly a Mac shop (they have maybe 10% Windows computers), TAC escalations suggested them to use IA agents back then to solve this issue, as the AD server was not sending proper events to the firewall to enforce the right identities via IA blade/access roles. Now, this was great and it did work, BUT, what ended up happening eventually was that when their MacBooks were upgraded from OS Catalina to Big Sur, even when connected with IA agents, it only works randomly, and sometimes does not even work with IP address, let alone FQDN, when trying to access one of their few hosted internal websites.
To make the situation worse, as there is no IA agent app for iPhones, when using VPN capsule to connect, yes, the connection works fine, but then you can't resolve anything internally by FQDN, and IP works maybe 20-30% of the time.
TAC had us do captures, we collected logs, but it's not clear at all why it fails. I reviewed them myself and even from my work laptop, which works fine when connected to their VPN, when I access one of their internal sites, I see a bunch of TCP retransmissions in Wireshark.
Windows machines used to work 100% of the time WITHOUT IA agent, but at this point, even that is super inconsistent.
To clarify, when their MacBooks were on Catalina OS, they could resolve everything fine by IP or FQDN internally when connected on VPN WITHOUT having to connect the IA agent.
@PhoneBoy, I feel you, being a Mac guru, are the last hope for solving this issue permanently :-).
Just as a test, I even disabled vpn accel and sxl off and it did absolutely nothing.
TAC asked us to install jumbo 81 on top of R81.10, but I feel that was more to buy time (I already knew that was not going to do anything).
Thanks as always for the help/suggestions.
So I don't forget, multiple TAC people reviewed their IA config and found nothing wrong with it. Also, for context, when their iPhones were on 15.xx version, all this worked just fine by FQDN/IP address, but as soon as they were upgraded to 16.xx, everything stopped working.
I looked on the support site and could not find any compatibility issues.
Cheers!