Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Matlu
Advisor

Intermittency in remote VPN user connections

Hello, everyone.

We have an R80.30 running on an OPEN SERVER.

We have been having problems for several days now, in which, several users connecting to our company's VPN, mostly using the ENDPOINT SECURITY VPN agent, which is running on version E85 onwards, are "experiencing" problems of "outages and/or intermittency" in their connections.

The Hotfix package for this version is available in Take 237.

VPN users are AD users.

Is there an action plan that can be executed to help us determine whether or not the "intermittency" problem experienced by several users is the responsibility of the VPN solution?


Thanks for your support.

0 Kudos
14 Replies
the_rock
Legend
Legend

I have some experience in this, as I worked with few customers having similar issues. Here are my questions for you:

1) Does it ever happen that client(s) connect and then get disconnected after about 20 seconds?

2) Do you have option "keep ike sas" enabled in global properties?

3) When did the issue happen?

4) Do you have option enabled for anti spoofing on remote access tab under vpn in gateway properties?

5) When issue happens, can you run following command and see if you get anything -> fw monitor -e "accept port(18234);"

Cheers!

0 Kudos
Matlu
Advisor

Hello, Buddy

Regarding your inquiries.
I detail the following.

1) No. The experience of users regarding the "Intermittence" is normally in a range of hours, approx. between 12:00 pm to 16:00 pm, almost every day.

2) I do not find this option. Can you give me the route to get to this option? I am working with a Standalone R80.30 architecture.

3) The problem has been occurring for days. In the time range that I detail as "approx" in the point # 1

4) I can't find this option. Can you give me the route to get to this option? I'm working with a Standalone R80.30 architecture.

5) I have not yet tested this command when the users intermittency problem occurs.
I will try it, and I will share my evidence.

I hope you can support me with the answers.
Thanks for your support.

Regards.

0 Kudos
the_rock
Legend
Legend

K, bear with me, Im on my personal macbook air, so as stupid as this sounds, since I have no clue how to take screenshot on it (haha), will just send you the answers how to get to those options...

to get to keep ike SAs -> from dashboard upper left side menu -> global properties -> advanced -> configure -> vpn advanced properties -> vpn ike properties -> "keep ike sas" at the bottom

for other option -> double click gateway object in dashboard -> vpn clients -> office mode -> perform anti-spoofing (at the bottom)

Andy

0 Kudos
Matlu
Advisor

Hello, my friend.

I found both options, according to the detail you gave me.

I have both options disabled.

 

SSLVPN2.jpg

SSLVPN3.jpg

Having these options disabled, can it cause "INTERMITTANCE" problems?

If you activate these options, this can affect in something, the part of CPU, memory, etc?

My users, when they connect with AD user accounts, through the ENDPOINT SECURITY VPN.
Once connected to the VPN, they access their machine that is inside our network, by RDP.
It is at this point that, from one moment to another, they start experiencing problems with the VPN connections.
On "some" occasions the AGENT disconnects due to these problems, but this is not always the case.

To perform an UPGRADE from a STANDOALONE R80.30 to R81.10 environment, should we take into account the Hardware part of the Open Server?

Greetings.

0 Kudos
the_rock
Legend
Legend

Yes, as a matter of fact, having them disabled CAN cause intermittent issues, I had seen it few times. All you have to do is enable them and push policy. In R80+ code, all changes are saved, so you can always go back to previous policy revision if needed.

Also, I would upgrade to R81.10 and make sure to test newest E86.71 windows client or E86.70 if any user uses MAC. R81.10 has lots of vpn improvements, so it can only help you, plus, as phoneboy indicated, R80.30 is end of support, so getting any assistance from TAC would be very limited.

0 Kudos
Ranghel_02
Explorer

Hello, The_Rock
I am going to apply your recommendations, but I have a curiosity.

The Endpoint Security VPN agents, I understand to this day, that these agents by default work with the IPsec protocol, is that correct?

If I'm not mistaken, the IPsec version they use is the IKEv1 version.

Unlike other vendors, I have noticed that for all users it is "transparent" the fact that their agents are working with IPsec, because they only enter "User and Password". I guess this is Checkpoint's way of working.

A curiosity,
Can the practice of changing the IKE version be "valid" for the problem of intermittency?
That is to say, to work with IKEv2?
Do you think it is a valid option?

Greetings.

0 Kudos
PhoneBoy
Admin
Admin

The Check Point VPN client does not use IKEv2 currently, so this is a non-issue.
Having Keep IKE SAs disabled could cause an issue if you make policy changes regularly during when users are connected.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
Matlu
Advisor

Hello,

As far as I understand, according to theory, the ENDPOINT SECURITY VPN Client, works by default with IKEv1 (This is transparent to all users), so far, so good.

My question is, is it possible to tell the Endpoints, from the Smartconsole, to work the clients installed in the PCs of the users, with IKEv2, to make a test, and validate if the problem of the "intermittence" in all the users, improves?

Thanks for your comments.

0 Kudos
the_rock
Legend
Legend

As phoneboy said, ikev2 would not work with endpoint...

Screenshot_1.png

0 Kudos
Matlu
Advisor

I understand.

The first 2 options, I did not "interpret" well.

The first option, I understand that even if we select it, the clients will not be able to connect.

It was a misinterpretation I think. haha

I am going to run anyway, as a test, your recommendations.

The VPN intermittency problem is a headache. 😥😔

Cheers.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Apple + Shift + 3 or 4 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend

I googled it after lol

0 Kudos
PhoneBoy
Admin
Admin

R80.30 is End of Support.
E85 Endpoint client is fairly old as well.
Probably a good idea to upgrade to a supported release on both ends.

0 Kudos
the_rock
Legend
Legend

phoneboy brings up a good point...definitely test newest VPN client, E86.71, worth a shot, just to rule it out.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events