AS2021
Contributor

Endpoint Security VPN | Comparing VPN Authentication Slowness: 1470 vs 1570 Models

Hi folks,

Why does setting up MFA on Appliance 1570/1590 result in a 25-second delay before the MFA page appears after entering the username/password, whereas on model 1470/1490, it only takes 5 seconds? Both appliances utilize the same RADIUS server. What could explain this discrepancy, and what troubleshooting steps could be undertaken to address it?

Accepted Solutions
AS2021
Contributor

Hi again,

We were able to find a solution to our problem. We discovered that there were two different behaviors from Model 1470 with Version 77.20 and the embedded version of R81.10 on model 1570. Although the setup was identical on both models, the delay on authentication was caused by model 1570 checking authentication with LDAP first.

To resolve this issue, we ensured that the firewall never asked for LDAP and went directly to RADIUS by selecting a single LDAP AU in the 'User Directory' and then setting the priority to 1001. This ensured that the firewall did not use that server, which resolved our issue. As a result of this solution, we are now able to connect to VPN almost instantly. sk174664

5 Replies
PhoneBoy
Admin

What version(s) of firmware are involved here?

AS2021
Contributor

1570/1590 : R81.10 Slow

1470/1490 : R77.20 Normal

Both use the same RADIUS server.

MS - MFA authentication.

PhoneBoy
Admin

Which R81.10?
Which R77.20?
Both have a dot number after the version.
Are the SMBs managed through a Smart-1 (Cloud or on-prem) or via local interface/Infinity Portal?
Also, which versions of the VPN client are used?
Did you take packet captures while the user authenticates to see if the traffic looks different between the two?

I suggest engaging the TAC here as this is the first time I've seen such an issue reported.
https://help.checkpoint.com 

AS2021
Contributor

Hi again,

Thank you for checking in.

I have created a case with TAC to investigate this issue. It's a strange case, so we need to capture the traffic to identify any unusual behavior.

The firewall version is R81.10.10 (1570), while the endpoint client is E88.20 on Windows. The SMBs are managed on-premises via S2S VPN, and the RADIUS server is also behind the VPN.

I will update you as soon as we find something.