This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mkushner
Participant
‎2021-12-07 02:19 AM

Office Mode IP allocation for VPN users from DHCP server

Hi,

While implementing OM IP allocation for VPN users, we discovered an issue with having a DHCP server allocate IP addresses.  We are running R81.

We have a pair of  Windows DHCP servers which distribute IP addresses to all different clients in the LAN (telephones and computers).

Checkpoint only allows defining one DHCP server in Office Mode configuration.  We chose one of the DHCP servers, but noticed that some users were not able to receive IP addresses (error appears on client and in logs).  When we switched to second DHCP server, clients that were able to receive from first server were now not able to have IP address allocated.

It was not consistent.  Some users did succeed. Others did not.

 It took a while, but we found the cause of the problem:

https://get-cmd.com/?p=3471

 In DHCP failover, the client messages which are broadcast are received by both the DHCP failover servers. However, only one server responds to the client messages. In case of load balance mode, the servers will hash the MAC address of a DHCP client to establish which of them must respond. In hot standby mode, only the active server responds. In both cases, the DHCP server which does not respond to the client logs this message in the audit log.

 If the hash of the laptop belongs to the server not defined in the firewall, then IP allocation will fail.

For now, we have removed the scope from the second DHCP server, such that only one server will allocate IP addresses for the VPN OM scope.  This server is defined in Firewall OM configuration.

There is a "hotstandby" option where the second DHCP will take over the scope only if the primary server fails.  However, the IP address of the DHCP in the firewall will still need to be changed manually.  We haven't found a fully automatic solution.

Note:  When we configure DHCP Relay Addresses for LAN DHCP allocation, we configure both  DHCP servers.   Since both receive the request, both will hash the MAC address and decide if to answer or not.  It is not possible to configure two DHCP ervers in Office Mode configuration.

Maybe a feature request for Checkpoint.

Hope this helps someone.

micha

4 Replies
PhoneBoy
Admin
Admin
‎2021-12-13 10:22 PM

This definitely sounds like an RFE.

Hrvoje_Brlek
Collaborator
‎2023-04-18 12:48 AM
In response to PhoneBoy

@mkushner @PhoneBoy any news on this question, can you check if any kind of RFE has been submitted?

We are facing the same situation, that's why we are still sticking to the CP built-in DHCP. and not migrating to Windows DHCP.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-04-18 01:42 AM
In response to Hrvoje_Brlek

If you have a similar requirement definitely talk to your local CP SE about raising an RFE to help support it.

CCSM R77/R80/ELITE
PhoneBoy
Admin
Admin
‎2023-04-19 10:39 AM
In response to Hrvoje_Brlek

Unless we happen to have knowledge of an RFE through other means (e.g. SK articles), the community team has no visibility into RFEs. 
The best course of action is to engage with your local Check Point office. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events