DH
Participant

No Office Mode IP anymore since R81.10 take 45

Today we updated a CP HA Cluster from R81.10 take 30 to take 45.

After the update, the VPN clients threw an error that they are unable to get an OfficeMode IP at this time!

We use a DHCP server to get the IPs for the OfficeMode clients. There are free IPs on the server. The DHCP server works and I can see the requests to the server in the log.

cpstop;cpstart & fwaccel off don't solve the problem.

But after uninstalling take 45 and using take 30 again, everything works...

Any ideas?

Accepted Solutions
DH
Participant

I got a hotfix from CP today as a response to my ticket and it seems to work...I'm able to log in with VPN clients in Office Mode again! 😀

The name of the hotfix: fw1_wrapper_HOTFIX_R81_10_JHF_T45_967_MAIN_GA_FULL

https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk178767

 

24 Replies
the_rock
Champion

Hm, that's odd...I tested on mine and no issues with take 45 at all. Clearly, it's an issue if you removed that jumbo and it works again with 30. Was everyone having the same problem with take 45? Did you try different client versions? It's very hard to say what could have caused this after the take 45 install, since you have since removed it, so I'm thinking even if you opened a TAC case they would most likely ask you to replicate the issue, so it can be troubleshot further.

Did you at least get any message logs or anything from the smart console when it was failing?

Andy

DH
Participant

We tested it with several clients, but all E86.20 (this version is provided by the gateways...)
At the moment we have only downgraded one of the cluster nodes, so it may be possible to do quick tests on the other node, if we temporarily switch the cluster...
In the SmartConsole log I only see the login message of the user; after that, no additional messages for this user....

the_rock
Champion

One thing that came to my mind was license, but it made no sense, since license would never change with an upgrade. Do you have a screenshot of the error? Let's do remote if you are available to show me the issue.

DH
Participant

This is the error message which the user sees after login. According to the SmartLog, the login is successful.

error.png

The SmartLog Entries:

Failed Login (take 45):

failed_login.png

successful login (take 30):

successfull_login.png

Both are from the same client, only to the different Cluster Nodes...

Danny
Champion

Did you try whether an eval license helps to overcome the situation until TAC has finished analyzing this?

DH
Participant

No, why should it be a license problem? Only a JHF was installed, no new version or HW. With take 30 we didn't have any problems. And after uninstalling take 45 we didn't have the problem anymore. We simply uninstalled take 45 on the gateway and went back to take 30, no restore from backup.

By the way, the gateway nodes still have a valid eval, because of a HW replacement 10 days before...

Danny
Champion

Maybe there is a new enforcement mechanism introduced in the new GA Jumbo (JHF Take 45).
Testing an eval licence would have confirmed if it's a license issue or not.
Also using the latest GA Take follows Check Point's recommendation as described in the Jumbo Hotfix FAQ - sk98028:

GA_Jumbo_NEW.jpg

GA-Jumbo.jpg

the_rock
Champion

Highly unlikely, but I agree, worth a try.

DH
Participant

Maybe an option, but I think for the moment take 30 is our workaround.
If there is a license problem because of wrong enforcement, CP should be able to analyze and fix that fast. I didn't see such information in the release notes.
My expectation of recommended JHFs is that they must not generate new license problems.
What ran before must be able to run again afterwards. Such a JHF should be able to be installed automatically without worrying about what will not work this time after installing the recommended fix.

the_rock
Champion

You are correct. In a perfect world, none of those things would ever happen and probably not many of us would have IT jobs if that were the case : - ). Anyway, glad it works when back on JHF 30, so personally, I would have TAC investigate with whatever info you generated during the issue.

Some related links:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://community.checkpoint.com/t5/Remote-Access-VPN/you-cannot-receive-an-office-mode-ip-address-a...

 

DH
Participant

The SR is already opened, but I hope someone had already solved the problem before.😉

Wolfgang
Mentor

@DH, we have customers reporting the same issue after installing Jumbo take 45.

Tagging @Chris_Atkinson, please would someone from Check Point investigate.

DH
Participant

Thank you for the information. So it seems it is not a problem which is specific to us.

Chris_Atkinson
Employee

Please share any applicable SRs with me in private and I'll reach out internally.

Wouldn't be the first time I've seen seemingly "random" DHCP issues appear after upgrades so please triple check your policies conform to sk104114 section 4 or equivalent where appropriate to be safe.

@eranzo 

the_rock
Champion

I don't know what to say, honestly...I tested this in lab, no issues. Customer also upgraded to same jumbo, no problems either.

Naama_Specktor
Employee

Hi 🙂

My name is Naama Specktor and I am a Check Point employee.

I would appreciate it if you would share the TAC SR# with me, here or in PM.

 

thanks!

Naama 

GHaider
Participant

Seeing the exact same behaviour on my CP cluster: my clients are on Endpoint E86.25, and after the install of JH 45 there is no office mode IP; after uninstalling and going back to JF 30 it works again.

 

...will update here when I get results out of the CP case...

idants
Employee

Hi,

We are investigating this issue internally - I will update once we have any conclusion.

Thanks,

Idan Tsarfati.

R&D Group manager of IPsec VPN & HTTPs inspection.

JohAicher
Explorer

Hi, we are also impacted - very bad situation!!!

Johann

 

MatanYanay
Employee

Hi All

We identified the problem and are working on a fix. Once the fix is ready we will publish an SK with the relevant HF.

In parallel we are working to add the fix to the upcoming jumbo.

The problem is scoped to Remote-Access Office-Mode with DHCP.

Thanks 

Matan.

D_TK
Collaborator

Matan,

Thanks for the update. Can you confirm that RA office mode with an ipassignment file is safe to apply take 45?

 

MatanYanay
Employee

@D_TK 

The problem is related only to DHCP; anything else should work.

Matan

the_rock
Champion

I guess the customer that I was helping to install this jumbo got lucky, they never had any issues. I also tested it in my lab, never a problem.
