
Gateway's fingerprint changes randomly during an SSL VPN

Hello friends,

We are facing a very odd behaviour with a customer gateway related to an SSL VPN with SNX and I'd like to get some feedback from you.

Sometimes, at the beginning of the connection, we get a "Gateway fingerprint verification failed. Please contact your system administrator" and the connection attempt is terminated (see attached image).

In other situations, a user is able to connect successfully, but after some random time (somewhere between 10 minutes and 2 hours) a popup window is shown with "Gateway's fingerprint has changed..." (see attached image) and the connection is broken after the user clicks yes (or no). This keeps happening systematically with several users, but not all.

What is very odd:

- This seems to have started after a URL change in the Mobile Access portal, e.g. changed from vpn123.acme.com to vpn.acme.com. As the configured certificate is a wildcard (e.g. *.acme.com), there was no need to swap it for another one.

- The old fingerprint, which is the correct fingerprint, is exactly the same shown in the gateway properties, Mobile Access > Portal config.

- The new fingerprint appears to be random (we got at least 3 fingerprints values). I searched for them on the GuiDBEdit, but there isn't any gateway associated with them.

- Reverting the URL back to the old configuration doesn't solve the problem.

- Some users never get the problem.

We already have an SR opened with TAC, but if anyone has seen this in the past, I'd really like to hear from them.

Best regards

Attachments: old-new-fingerprint.png, fingerprint-verification-error.png

3 Replies
PhoneBoy
Admin

The only reason I can see the fingerprint changing is: the gateway certificate changes, or there is a "man in the middle" performing HTTPS Inspection that is presenting a new certificate to the client.
Since you've confirmed it's not the former, it must be the latter.
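
One way to confirm which of the two it is from a given network, as an added example (not code from the thread or from Check Point): pull the leaf certificate the VPN host actually presents, compute its fingerprint in the colon-separated form the portal config shows, and compare it with the configured one. The host name and expected fingerprint are placeholders; a "changed" result only from inside an inspected VLAN, with "match" from elsewhere, points at interception rather than at the gateway certificate.

```python
# Added example: compare the certificate presented to a client on this network
# with the fingerprint configured on the gateway (Mobile Access > Portal config).
# GATEWAY and EXPECTED below are placeholders, not values from the thread.
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of a DER certificate (portal style)."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' and return the canonical colon form."""
    hexonly = "".join(ch for ch in fp if ch.isalnum()).upper()
    return ":".join(hexonly[i:i + 2] for i in range(0, len(hexonly), 2))


def classify(expected_fp: str, presented_der: bytes) -> str:
    """'match' if the presented cert is the configured one, otherwise 'changed'."""
    return "match" if fingerprint(presented_der) == normalize(expected_fp) else "changed"


def fetch_presented_cert(host: str, port: int = 443) -> bytes:
    """Return the DER leaf certificate the server (or an interceptor) presents.

    Verification is disabled on purpose: we want to see the certificate even when
    it is not trusted, which is exactly the situation the SNX warning reports.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    GATEWAY = "vpn.example.invalid"               # placeholder: portal host name
    EXPECTED = "REPLACE-WITH-PORTAL-FINGERPRINT"  # placeholder: fingerprint from portal config
    der = fetch_presented_cert(GATEWAY)
    print(fingerprint(der), classify(EXPECTED, der))
```

Run it once from the affected VLAN and once from an uninspected network; differing fingerprints from the same host are the interception signature, the same mismatch everywhere means the gateway certificate itself changed.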

jgarcias
Participant

Hello,

In my case it's the HTTPS Inspection on the gateway that causes that "issue".

I would like to ask a question:

I have the endpoint security client deployed on almost all corporate laptops. Currently I'm enabling HTTPS Inspection in some VLANs. What I can see is that every time the user is in the office in a VLAN with HTTPS Inspection the fingerprint message shows up, and when they go home or are in a VLAN without HTTPS Inspection, the fingerprint message shows up again because it's different.

This situation leads to an endless fingerprint message acceptance for the customers due to HTTPS Inspection.

Is there any way to avoid the fingerprint message showing up every time in my case?

Thanks.

CheckPointerXL
Collaborator

Hello PhoneBoy,

In my case the fingerprint changed after an upgrade. Is it normal?

All VPN clients had to re-trust the certificate after the upgrade from R81 to R81.10.
