Office Mode IP allocation for VPN users from DHCP server
Hi,
While implementing OM IP allocation for VPN users, we discovered an issue with having a DHCP server allocate IP addresses. We are running R81.
We have a pair of Windows DHCP servers which distribute IP addresses to all different clients in the LAN (telephones and computers).
Check Point only allows defining one DHCP server in Office Mode configuration. We chose one of the DHCP servers, but noticed that some users were not able to receive IP addresses (error appears on client and in logs). When we switched to the second DHCP server, clients that were able to receive from the first server were now not able to have an IP address allocated.
It was not consistent. Some users did succeed. Others did not.
It took a while, but we found the cause of the problem:
In DHCP failover, the client messages which are broadcast are received by both the DHCP failover servers. However, only one server responds to the client messages. In case of load balance mode, the servers will hash the MAC address of a DHCP client to establish which of them must respond. In hot standby mode, only the active server responds. In both cases, the DHCP server which does not respond to the client logs this message in the audit log.
If the hash of the laptop belongs to the server not defined in the firewall, then IP allocation will fail.
For now, we have removed the scope from the second DHCP server, such that only one server will allocate IP addresses for the VPN OM scope. This server is defined in Firewall OM configuration.
There is a "hotstandby" option where the second DHCP will take over the scope only if the primary server fails. However, the IP address of the DHCP in the firewall will still need to be changed manually. We haven't found a fully automatic solution.
Note: When we configure DHCP Relay Addresses for LAN DHCP allocation, we configure both DHCP servers. Since both receive the request, both will hash the MAC address and decide whether to answer or not. It is not possible to configure two DHCP servers in Office Mode configuration.
Maybe a feature request for Check Point.
Hope this helps someone.
micha
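The responder-selection behaviour described above, as an added simulation (not code from the poster, Check Point or Microsoft): two failover partners each hash the client MAC and only the partner owning that hash bucket replies, so a gateway that only knows one partner gets no lease for the other partner's share of clients. The hash is a Pearson-style hash over a constructed, seeded permutation table, not the RFC 3074 table, and the client MACs and the 50% split are constructed sample values; the function names are this example's own.

```python
"""Simulation of DHCP failover load-balance responder selection.

Both failover partners receive the same DHCPDISCOVER. Each hashes the client
hardware address and only the partner that owns the resulting bucket answers;
the other partner stays silent (and logs an audit entry). A gateway doing
Office Mode allocation that is configured with only one partner therefore
never gets an offer for the clients whose hash lands on the other partner.

Assumption: the permutation table below is CONSTRUCTED (seeded shuffle), not
the RFC 3074 table and not Windows' exact implementation. Any fixed permutation
reproduces the property that matters here: a deterministic client -> responder
split that never changes for a given MAC.
"""
import random

_TABLE = list(range(256))
random.Random(3074).shuffle(_TABLE)   # constructed table, fixed seed


def lb_hash(mac: str) -> int:
    """Pearson-style hash of the client hardware address, result in 0..255."""
    h = 0
    for b in bytes.fromhex(mac.replace(":", "").replace("-", "")):
        h = _TABLE[h ^ b]
    return h


def responder(mac: str, split_percent: int = 50) -> str:
    """Which failover partner answers this client in load-balance mode.

    split_percent is the primary's share of the 256 hash buckets
    (constructed default of 50, i.e. an even split).
    """
    cutoff = split_percent * 256 // 100
    return "primary" if lb_hash(mac) < cutoff else "secondary"


def relay_outcome(clients, configured_servers, split_percent: int = 50):
    """Outcome per client when the request is forwarded to configured_servers.

    A client gets a lease only if the partner that owns its hash bucket is
    among the servers the request actually reaches. Office Mode with a single
    configured server is the one-element case; a LAN relay listing both
    partners is the two-element case.
    """
    configured = set(configured_servers)
    return {
        mac: "ok" if responder(mac, split_percent) in configured else "no_answer"
        for mac in clients
    }


def failing_clients(clients, configured_servers, split_percent: int = 50):
    """MACs that never receive an offer for the given server configuration."""
    out = relay_outcome(clients, configured_servers, split_percent)
    return sorted(m for m, r in out.items() if r == "no_answer")


# Constructed sample client MACs
CLIENTS = [f"00:11:22:33:44:{i:02x}" for i in range(20)]

if __name__ == "__main__":
    for server in ("primary", "secondary"):
        failed = failing_clients(CLIENTS, [server])
        print(f"gateway -> {server} only: {len(failed)}/{len(CLIENTS)} clients get no lease")
    print(f"relay -> both partners: {len(failing_clients(CLIENTS, ['primary', 'secondary']))} failures")
```

Running it shows the pattern from the post: whichever single partner the gateway points at, a fixed subset of clients is never served, and switching the Office Mode server to the other partner flips the failing set rather than fixing it, while forwarding to both partners (as a LAN relay does) serves everyone.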
This definitely sounds like an RFE.
If you have a similar requirement definitely talk to your local CP SE about raising an RFE to help support it.
Unless we happen to have knowledge of an RFE through other means (e.g. SK articles), the community team has no visibility into RFEs.
The best course of action is to engage with your local Check Point office.
