I have a pair of 1550s clustered through ClusterXL serving as a remote access gateway for a small group of users. The remote users are all using the CheckPoint Mobile client.
The 1550 SMB cluster is running R80.20.35. These are centrally managed devices, so upgrade to R81 is not possible, yet.
What we see is that after 4 to 8 days of use, all the mobile clients will start throwing an error when they try to set up the VPN tunnel. The error is:
Connection Failed, VPN-1 server could not find any certificate to use for IKE
The simple work-around we have discovered is to push policy to the 1550 cluster. No changes are required, merely push the policy. The mobile clients all start working immediately again after the policy push is complete.
One oddity about this setup is that the cluster is not using an IPSec certificate from the management server's internal CA. We have instead loaded a cert from the public CA (Sectigo) for this purpose, so that external clients can use the DNS name of the external cluster VIP rather than be required to use IP address for connections.
Has anyone seen anything like this before?
Not to sound like a stupid question, but, did you make sure vpn cert on the fw is good?
Andy
Yes, assuredly. The cert is good until 4/15/2023. And it does work for days at a time to over a week at a time. BTW: The VPN cert is the "Oddity" I mentioned originally.
Ah, unless you meant the remote side. The remote side is using the CheckPoint Mobile client, which I assume has a cert that it creates upon installation.
Thanks for the reply!
Dale
As long as any relevant VPN certs are valid, that's all I was wondering. When did this start happening?
All the various SKs on this suggest the certificate is expired and needs to be renewed.
Perhaps the certificate gets "lost" along the way and a policy install restores the certificate.
This definitely requires a TAC case.
The more I think about it, the more I agree with @PhoneBoy. I can't say I had ever seen an issue like that with a VPN cert in my 15 years dealing with CP... I had seen a case where if you click on the VPN cert, it says that it's either corrupted or some database-related error, but never have I encountered a case like yours. I think a TAC case might be your best bet, as they may suggest further debugging to see what is causing this. It honestly makes no sense to me that a policy push would cause this to go away.
Just to be 100% sure, when you click to view VPN cert, it does not give any warning or error?
Andy
Did you end up opening a case on this? We renewed our VPN cert just about a week ago (first time in a few major revs) and we saw the same behavior today, and it seems to have subsided after a policy install, even though it's not the first policy install since last week.
I believe this is related to SMB-16203.
Which suggests an upgrade would solve the issue (if you haven’t already done so).
SK 159772 states that SMB-16203 was resolved in R80.20.35 Build 2577. We are running R80.20.35 Build 992002613 and the issue is still present.
@kaz, yes, I did open a TAC case which has been researching the issue for a while. Recently, the TAC engineer took a copy of our management to rebuild our setup in his lab. The case number is: 6-0003416826 if you need to reference it.
Hello;
I have an identical issue, also with a Sectigo cert bundled into a .p12 store.
Have you found any solution?
The portal works fine and the cert is valid; only when I try to connect with the SSL client do I have the same error as you have shown in the screenshots at the top of this topic.