We tested it with several Clients, but all E86.20 (this version is provided by the gateways...)
At the moment we have only downgraded one of the Cluster Node, so it may be possible to do quick tests on the other node, if we temporally switch the cluster...
In the SmartConsole Log I only see the Login Message of the user after that no additional messages for this user....

One thing that came to my mind was license, but it made no sense, since license would never change with an upgrade. Do you have screenshot of the error? lets do remote if you are available to show me the issue.

This the Error Message, which the user see after login. Regards the SmartLog the Login is successfull. 

The SmartLog Entries:

Failed Login (take 45):

successful login (take 30):

Both are from the same client, only to the different Cluster Nodes...

Did you try if an eval license helps to overcome the situation until TAC finished analyzing this?

No, why should it be a license problem? It was only a JHF installed, no new version or HW. With take 30 we didn't have any problems. And after uninstall take 45 we didn't have the problem anymore. We simply uninstall take 45 on the gateway and go back to take 30, no restore from backup.

By the way the gateways node still have a valid eval, because of HW replacing 10days before...

Maybe there is a new enforcement mechanism introduced in the new GA Jumbo (JHF Take 45).
Testing an eval licence would have confirmed if it's a license issue or not.
Also using the latest GA Take follows Check Point's recommendation as described in the Jumbo Hotfix FAQ - sk98028:

Highly unlikely, but I agree, worth a try.

Maybe an option, but I think for the moment take 30 is our workaround.
If there is a license problem because of wrong enforcement CP should be able to analyze and fix that fast. I didn't saw such information in the release notes.
My expectation about recommended JHF is, that they must not generate new license problems.
What runs before, must be able to run afterwards again. Such JHF should able to be installed automatically without worry what will be not work this time after install the recommended fix.

You are correct. In perfect world, none of those things would ever happen and probably not many of us would have IT jobs if that were the case : - ). Anyway, glad it works when back on JHF 30, so personally, I would have TAC investigate with whatever info you generated during the issue.

Some related links:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://community.checkpoint.com/t5/Remote-Access-VPN/you-cannot-receive-an-office-mode-ip-address-a...

The SR is already opened, but I hope someone had already solved the problem before.😉

Thank you for the information. So it seems it is not a problem which is specify to us.

Please share any applicable SRs with me in private and I'll reach out internally.

Wouldn't be the first time I've seen seemingly "random" DHCP issues appear after upgrades so please triple check your policies conform to sk104114 section 4 or equivalent where appropriate to be safe.

@eranzo 

I dont know what to say, honestly...I tested this in lab, no issues. Customer also upgraded to same jumbo, no problems either.

Hi, we are also impacted - very bad situation!!!

Johann

Hi All

We identify the problem and working on a fix. Once the fix is ready we will publish SK with the relevant HF.

In parallel we are working to add the fix to the upcoming jumbo

The problem is scoped to Remote-Access Office-Mode with DHCP.

Thanks 

Matan.

Matan,

Thanks for the update.  Can you confirm that RA office mode with ipassignment file is safe to apply take 45.

@D_TK 

The problem related only to DHCP, anything else should work

Matan

I guess customer that I was helping with to install this jumbo got lucky, they never had any issues. I also tested it in my lab, never a problem.