dt7
Participant

Office Mode IP allocation for RA VPN users using DHCP server does not follow scope lease

Dear community,

I am observing a strange behavior related to how our IP leases are being assigned and renewed for RA VPN users. In our setup, we are using office mode with a DHCP server to allocate IPs for RA VPN users, and the scope on that DHCP server is set with a lease of 8h for that office mode subnet.

However, I can see a lot of Mobile Access logs titled "IP Changed" showing that clients are renewing their IP every 7.5 mins, for all VPN users. The message on the log will mention "Assigned IP address for 900 seconds".

In the documentation (cf. https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...), it mentions that when using IP pools from the gateway, the lease is 15 mins by default and that clients will try to renew at half the duration (so 7.5 mins). Even though we are using DHCP and it should follow the lease of the scope, it seems like this default behavior is actually taking place in our case.

Even if the IP is renewed so often, it still remains the same for the client so I would say that the solution still works and users are not directly impacted by this. But I am not comfortable having the lease renewed every 7.5mins unnecessarily, especially since I am setting a lease via the DHCP scope and it should follow that theoretically. It is creating additional unnecessary traffic and using resources (CPU, etc.) for nothing much here.

I have attached a few screenshots showing an example of the "IP Changed" logs we see every 7.5 mins, as well as the DHCP scope lease for reference.

Would anybody have an idea of what could be the root cause of this behavior?

Thank you.

0 Kudos
3 Replies
PhoneBoy
Admin

What version/JHF of gateway?
I suspect this will require TAC to assist, since it seems like this is a bug: https://help.checkpoint.com

0 Kudos
dt7
Participant

Hi @PhoneBoy,

Cluster is running R81.10 JHF Take 109.

Management (MDS) running R81.10 JHF Take 109.

0 Kudos
PhoneBoy
Admin

Curious what your clients are seeing similar to here: https://support.checkpoint.com/results/sk/sk112069
(The "Lease Expires" part)
This SK suggests it may be "hard coded" but I'd get confirmation from TAC.

0 Kudos
