Connection to external AD broken after changing external gw IP
Hi guys,
I have a problem with my Security Gateway since I changed the external IP last Friday; all network configuration (default gw, routes, etc.) was done. I tried to log in with my certificate in the Check Point Mobile for Windows client and it got stuck at 47%. The error message reads:
OCSP: could not connect to server. Make sure the server is up and running.Email=(my e-mail),CN=(my CN in certificate)
We use a two-step login for VPN, first we check an external certificate with password and then we request the AD password for the user in the certificate.
The information on this error message is very sparse, so I have not been able to continue my search for a solution.
Has anyone had that message in the past or know how to search further?
Thank you.
Sascha
Labels: Mobile Access Blade, Windows
I assume your GW has the object set up with the new IP address, and the policy pushed.
It sounds like your VPN client is still trying to connect to the old GW IP address. Try setting up a new VPN site with the new IP address and see if you succeed.
Hi _Val_,
yes, we have changed the object and pushed the policy.
I have set up a new site after the configuration changes and the VPN client pulled the policy/profile from the site. If I had forgotten to change the client I would get "Site not responding" or a similar error.
Regards Sascha
So, if you define a new site, everything works?
Hi _Val_,
unfortunately no. I have a new site for the new VPN gateway IP, but that was not the problem.
I see. Please open a service ticket with TAC for this.
OK, I will do that, thank you for your support.
Hi,
we are not using URL Filtering or HTTPS inspection on the gateway.
The VPN connection worked fine before we changed the interface IP. It would probably work if we clean-installed the gateway, but I hope that the solution could be easier than that.
Regards Sascha
The client needs to be able to reach the management server in order to validate the VPN certificate.
This is done via CRL and/or OCSP.
Please double check the NAT configuration for your management object, which may need to be different to account for the new external IP of the gateway.
It's also possible you need to delete and re-add the site on your VPN client.
Hi PhoneBoy,
the VPN gateway connects directly to my external LDAP server, so I use a NAT on the gateway. The rule is a very common static source NAT: source VPN gateway object, destination LDAP server, service ldap, translated source: another source IP for the VPN gateway.
But that NAT only affects the internal interface and not the external one.
@PhoneBoy wrote: It's also possible you need to delete and re-add the site on your VPN client.
What do you mean by that? Do I have to delete the site if I change my NAT configuration, or if I change the external IP?
Regards Sascha
Unless your management server has a public IP address, NAT is required for your clients to access it.
What is the precise NAT configuration on the management server object?
If it is tied to the external IP of your gateway, you may need to delete and re-add the site.
Hi PhoneBoy,
I finally found the solution and would like to share my experience.
With vpn debug on ocsp=5 I found connection entries to an external OCSP provider, ocsp.globalsign.com, in the vpnd.elg logfile, and the gateway tried to connect to the destination via a proxy. This felt strange to me because I have a gateway that points to the internet but wanted to use an additional proxy. The proxy entry came from the Global Properties and was inherited by the gateway by default. Unfortunately, the gateway was not in the proxy whitelist.
Because of that, OCSP was not reachable and the VPN connection got stuck. I set an override for the proxy configuration in the properties of the gateway and everything worked fine after that.
Thank you for your support.
Regards Sascha
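As an added diagnostic (not from the thread or from Check Point), the script below pulls the OCSP responder URL out of a client certificate's AIA extension and probes it from the gateway both directly and through a given proxy, so an inherited proxy that does not whitelist the gateway shows up as a failed "via proxy" probe instead of a client stuck at 47%. It assumes openssl and curl are installed on the host; the certificate path and proxy URL are arguments you supply.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Usage: ./ocsp_path_check.sh client.pem [http://proxy.example.internal:8080]
# Assumption: openssl and curl are available on the host running the check.

# Print the OCSP responder URL from the certificate's Authority Information Access.
ocsp_uri_from_cert() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Reduce an http(s) URL to its bare host name (drops scheme, port and path).
host_from_url() {
    printf '%s\n' "$1" | sed -e 's,^[a-zA-Z]*://,,' -e 's,[:/].*$,,'
}

# Probe the responder with a plain GET and print the HTTP status code.
# Any status at all means the path is open; a connect/timeout failure means it is not.
# $1 = responder URL, $2 = proxy URL, or empty for a direct connection (proxy env ignored).
probe_ocsp() {
    url=$1; proxy=$2
    if [ -n "$proxy" ]; then
        curl -sS -o /dev/null -m 10 --proxy "$proxy" -w '%{http_code}' "$url"
    else
        curl -sS -o /dev/null -m 10 --noproxy '*' -w '%{http_code}' "$url"
    fi
}

main() {
    cert=$1; proxy=$2
    uri=$(ocsp_uri_from_cert "$cert") || { echo "no OCSP URI in $cert"; exit 1; }
    echo "OCSP responder in certificate: $uri (host: $(host_from_url "$uri"))"
    if code=$(probe_ocsp "$uri" ""); then
        echo "direct: reachable, HTTP $code"
    else
        echo "direct: unreachable"
    fi
    if [ -n "$proxy" ]; then
        if code=$(probe_ocsp "$uri" "$proxy"); then
            echo "via $proxy: reachable, HTTP $code"
        else
            echo "via $proxy: unreachable (is this gateway whitelisted on the proxy?)"
        fi
    fi
}

# Only run the probes when invoked with arguments, so the helpers can be sourced.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Compare the two results with the proxy the gateway actually inherits from Global Properties: if "direct" works and "via proxy" does not, the proxy setting (or its whitelist) is the thing to fix, exactly the situation described above.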
Thanks for sharing the solution.
That would certainly cause an issue.
