This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Joe_Kanaszka
Advisor
‎2024-02-20 01:09 PM
Jump to solution

Check Point "Reconnecting to site" timeout?

Hey guys - 

 

Running R81.20

Check Point Mobile client E87.x

Is there a way to control how long the Check Point Mobile Client will attempt to reconnect to a site after its network is pulled out?

Currently, if I connect to a site, and then turn off my WiFi, the Check Point client no longer says "Connected" and will just spin saying "Reconnecting to site (my site)".

The only setting I found is in SmartDashboard:

  • Disconnect idle sessions after is the disconnection time-out if the connection remains idle. The default value is 60 minutes. When users connect via SSL Network Extender, this timeout does not apply.

What does this mean exactly?

 

I'm looking for the Check Point Mobile client to time out if it can't connect to a network.  If the CP client times out, I'm hoping to see if there is an event generated that we can log and audit.

 

 

 

Thanks guys!

 

 

Labels
0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend
‎2024-02-23 05:54 AM
In response to Joe_Kanaszka
Jump to solution

I think that would make sense, yea. Ah, so its a full tunnet, gotcha. You may want to ask TAC if those guidbedit settings I showed you in previous response would apply to mobile access as well or ONLY endpoint connect vpn client.

Best,

Andy

View solution in original post

11 Replies
Lesley
Authority Authority
Authority
‎2024-02-20 01:31 PM
Jump to solution

I think only these 2 parameters you can change. Turn it off or on. And interval in minutes for each retry

https://support.checkpoint.com/results/sk/sk75221

  • neo_always_connected
    Description: Client should always try to connect when network is detected.

    Type Valid values Default value Available from Available on
    string true / false true E80 Windows, macOS
  • neo_always_connected_retry
    Description: Time interval in minutes between each trial to connect when always-connect is set to true.

    Type Valid values Default value Available from Available on
    integer period of time in minutes 1 E80 Windows, macOS
-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Joe_Kanaszka
Advisor
‎2024-02-21 07:51 AM
In response to Lesley
Jump to solution

Good Morning Lesly and thank you!

 

What does this setting do - I'm still not sure of its purpose:

 

SmartDashboard:

  • Disconnect idle sessions after is the disconnection time-out if the connection remains idle. The default value is 60 minutes. When users connect via SSL Network Extender, this timeout does not apply.

Please see screenshot below:

What is considered an idle session?

 

Thanks again!

0 Kudos
Joe_Kanaszka
Advisor
‎2024-02-21 07:52 AM
In response to Joe_Kanaszka
Jump to solution

Screenshot 2024-02-21 105114.jpg

0 Kudos
the_rock
Legend
Legend
‎2024-02-21 07:59 AM
In response to Joe_Kanaszka
Jump to solution

Hey brother,

You can confirm 100% via TAC case, but Im 99% sure it does exactly what it would do for endpoint connect for the setting below in guidbedit.

Best,

Andy

 

 

Screenshot_2.png

0 Kudos
Joe_Kanaszka
Advisor
‎2024-02-23 05:18 AM
In response to the_rock
Jump to solution

Hey Andy - Happy Friday!

Apologies for the late response - I was working on another issue yesterday.  

Thank you for the screenshots and explanation above.  I still have a question though.  What is considered "Idle"?  If the user does not touch their mouse - kinda like your "presence" is inactive on the client computer?  

Or does "Idle" mean the Check Point Mobile client is not connected to a network and is "idle"?

0 Kudos
the_rock
Legend
Legend
‎2024-02-23 05:32 AM
In response to Joe_Kanaszka
Jump to solution

Happy Friday my friend!

By idle, it simply means people either walk away from their comp (laptop) OR they are on it, but they do NOT connect to anything inside the network via VPN. K, so lets take this example...say person has 1 hour lunch and they decide, I wont go out, take a walk or I dont feel hungry, I will simply sit at my machine and browse the Internet. That alone would be considered "idle", as they are not working on anything inside the network, simply using their ISP to browse the Internet, as I assume you would have split VPN tunnel.

Best,

Andy

0 Kudos
Joe_Kanaszka
Advisor
‎2024-02-23 05:43 AM
In response to the_rock
Jump to solution

OK - I got ya.  

So after the default idle timeout, according to my settings of 60 minutes, the VPN session should be disconnected.

This does not work in my environment.  We are not configured for split tunnel.  All internet activity gets intercepted by our proxy server over the VPN.  So the user is always "on NET".

If the user walks away and goes to lunch, sometimes they are away from their computers for more than 60 minutes, but their sessions are not disconnected. I'm guessing this is due to all the background traffic going back and forth between the WFH user and the internal work network.

 

Am I correct?

 

Thanks again Andy!

 

 

 

0 Kudos
the_rock
Legend
Legend
‎2024-02-23 05:54 AM
In response to Joe_Kanaszka
Jump to solution

I think that would make sense, yea. Ah, so its a full tunnet, gotcha. You may want to ask TAC if those guidbedit settings I showed you in previous response would apply to mobile access as well or ONLY endpoint connect vpn client.

Best,

Andy

Joe_Kanaszka
Advisor
‎2024-02-23 06:12 AM
In response to the_rock
Jump to solution

Cool.  Thanks again Andy - much appreciated!

0 Kudos
the_rock
Legend
Legend
‎2024-02-23 06:20 AM
In response to Joe_Kanaszka
Jump to solution

For you bro...no...well you know the rest 🤣🤣

Best,

Andy

(1)
the_rock
Legend
Legend
‎2024-02-20 02:09 PM
Jump to solution

Hey bro,

Yes, the sk Lesley gave is also what I would follow.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events