This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jeffgo
Contributor
‎2022-09-11 12:51 AM

Connection failed: Negotation with site failed

Dear

My version: R81.10,hotfix is T66

I configure the gateway as a vpn gateway,and the vpnn gateway location internal network,i mapping it by internet firewall.GW VPN port is 10443 on the visitor mode.

I test it,i can successfull connect to vpn on internal network.but i can not connect to vpn on internet.the connected informations as fowwowing:

11WX20220911-154952@2x.png
 

 

 

0 Kudos
17 Replies
_Val_
Admin
Admin
‎2022-09-13 02:47 AM

There can be tons of reasons for that, you need to see the logs both from the FW and the client for more details.

0 Kudos
Jeffgo
Contributor
‎2022-09-17 07:51 AM
In response to _Val_

Internal pc connect to vpn working well,but i map the vpn gw to internet with PAT,client can not working,I think this is checkpoint issue,

if need to see the gw logs,how to see the gw logs,thanks!

0 Kudos
PhoneBoy
Admin
Admin
‎2022-09-17 08:18 PM
In response to Jeffgo

Is some other device doing the NAT?
This probably won't work if so...

0 Kudos
Jeffgo
Contributor
‎2022-09-19 09:34 AM
In response to PhoneBoy

@PhoneBoy 

Thanks!

The topology:

internet-----CP 1550 fw------R81.10 virtual fw

cp-1550 is the edge firewall, R81.10 virtual fw is the internal vpn gw and is mapped with cp-1550 firewall

You said that this probably won't work,why?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-09-19 04:22 PM
In response to Jeffgo

What is the precise NAT configuration on the 1550?
Or if that device isn't doing the NAT, what is and what is its precise configuration?

What is the configuration on the R81.10 system with respect to Remote Access?
Did you configure Link Selection and the Visitor Mode port?
I'm fairly certain you cannot "PAT" the Visitor Mode port to a different port (e.g from 10443 to 443) because of how the client stores/validates this information.
If you set the Link Selection on the R81.10 gateway and the Visitor Mode port used to match what your clients actually connects to initially (which means Link Selection IP of 58.33109.55 and Visitor Mode port of 10443), it might work.
Without doing that, I would not expect it to work.

0 Kudos
Jeffgo
Contributor
‎2022-09-19 06:25 PM
In response to PhoneBoy

R81.10 vpn gw visitor mode port is 2443(I have modify the port from 10443 to 2443) and the 1550 map from 2443 to 2443.

Link selection ,i set the value "statically NATed IP:58.33109.55"

0 Kudos
the_rock
Legend
Legend
‎2022-09-20 04:40 AM
In response to Jeffgo

Would you mind attach screenshots of how this is configured? I think it would help us help you solve this. By the way, did it ever work or its brand new config?

Andy

0 Kudos
Jeffgo
Contributor
‎2022-09-22 02:17 AM
In response to the_rock

This is new config  and the configure as following:

 
  • Enable IPsec VPN

1.png

  • Enabled NATt by default

3.png

 

  • The visitor mode port is tcp2443

4.png

 

The belowing is the RemoteAccess community configuration 

 

5.png

 

6.png

 

 

0 Kudos
Jeffgo
Contributor
‎2022-09-22 02:33 AM
In response to Jeffgo

The attachment file is the  endpoint trac.log,i can not found any available error or alerts

trac.log.zip
0 Kudos
PhoneBoy
Admin
Admin
‎2022-09-22 09:04 AM
In response to Jeffgo

Are you also port forwarding the NAT-T port (4500)?
Because that's where it looks like it is failing, if I'm understanding these debug logs correctly.

0 Kudos
Jeffgo
Contributor
‎2022-09-22 10:29 AM
In response to PhoneBoy

Yes,i also map the NAT-T port,but still can not connect successfull.

we can connect successfull when i disable the securexl both cp-1550 and R81.10.

0 Kudos
the_rock
Legend
Legend
‎2022-09-22 10:34 AM
In response to Jeffgo

You may wish to contact TAC and have them give you right flags to debug securexl or refer to below:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
PhoneBoy
Admin
Admin
‎2022-09-22 10:48 AM
In response to Jeffgo

If disabling SecureXL "solves" a problem, contact TAC.

0 Kudos
Blason_R
Leader
Leader
‎2022-09-17 10:04 PM

This is SecureRemote - Have you tried enabling vpn debug and collect logs from client side? That should show the reason. Plus what is the VPN link selection IP address specified?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
Legend
Legend
‎2022-09-19 10:43 AM

The guys definitely brought up all the good reasons. Enable debugs and also collect client logs. But, before all that, make sure all the office mode settings are correct on the gateway.

0 Kudos
Blason_R
Leader
Leader
‎2022-09-19 11:16 AM
In response to the_rock

I guess this might not work since the tunnel_test packet I believe might not be able to route back since its SecureRemote. Since firewall gives a fake IP address and here I believe firewall is behind nat device it would not know where to route the tunnel_test packet.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
(1)
the_rock
Legend
Legend
‎2022-09-19 11:39 AM
In response to Blason_R

Good point actually, I did not realize from that screen if was secureremote...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events