the_rock
Legend

Office mode DHCP method failure

Hey guys,

Just wondering if there might be something simple missing for office mode failing with DHCP server method IP allocation. We even replicated this in the lab (on R82, mind you), though the customer is on R81.20 jumbo 92.

We followed the steps below, but no luck.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-...

When we try in the lab, it simply says "Connection failed. you cannot receive office mode IP address at this time, try to connect again"

There is an SK on the support site about this exact error, but all it says is that it's fixed in certain versions, which the customer is on anyway.

Any clue what might be the fix? I even verified the connection in the lab back and forth from the DHCP server, tried a different VIP, no joy.

Tx as always! I attached some screenshots for this as well.

Andy

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend

I am fairly positive at this point the issue is with the DHCP server, as we never see any replies when I run tcpdump from the firewall. I'm just not sure what is missing, but we will work with TAC to see if we can figure it out.

Best,

Andy


0 Kudos
13 Replies
AkosBakos
Leader

Hi Andy,

As I see, everybody is in Vienna at CPX25 🙂

Akos

----------------
\m/_(>_<)_\m/
(1)
the_rock
Legend

Been some time since I been there 😉

Hope everyone is well brother.

Andy

0 Kudos
the_rock
Legend

I did also try the things below:

- rebooted the fw

- deleted/re-created the site

- completely reconfigured the VPN blade from scratch

For what it's worth, though not sure it would matter much here, my lab is R82 standalone, but the customer has an R81.20 distributed environment (mgmt + ClusterXL)

Andy

0 Kudos
the_rock
Legend

Also, not sure what to make of the logs below, as I'm simply testing a local user, which appears to be authenticated, but just can't get an IP address. I may do some captures on the DHCP server tomorrow and see why that is...

Andy

**********************************

 

[Expert@R82:0]# vpn debug trunc
[Expert@R82:0]# vpn debug ikeon
[Expert@R82:0]# vpn debug ikeoff
[Expert@R82:0]# grep -i andy $FWDIR/log/vpnd*
[Expert@R82:0]# grep -i andy $FWDIR/log/ike*
/opt/CPsuite-R82/fw1/log/iked2.elg:[iked2 16955 4072612352]@R82[5 Feb 22:55:02] fetch_user_wrapper_cb: got cached username: andy, going to check object is still the same
/opt/CPsuite-R82/fw1/log/iked2.elg:[iked2 16955 4072612352]@R82[5 Feb 22:55:02] GetUserCnFromDn:: illegal DN given as user name andy
/opt/CPsuite-R82/fw1/log/iked2.elg:[iked2 16955 4072612352]@R82[5 Feb 22:55:02][tunnel] IkeSAFromState: User andy saved
/opt/CPsuite-R82/fw1/log/iked2.elg:[iked2 16955 4072612352]@R82[5 Feb 22:55:02][tunnel] InitXAuthSendLast: Message: User andy authenticated by FireWall-1 authentication
/opt/CPsuite-R82/fw1/log/iked2.elg:[iked2 16955 4072612352]@R82[5 Feb 22:55:02] fetch_user_wrapper_cb: got cached username: andy, going to check object is still the same
/opt/CPsuite-R82/fw1/log/iked2.elg:[iked2 16955 4072612352]@R82[5 Feb 22:55:07][tunnel] dhcp_bind_callback: Could not bind an IP address for user andy
[Expert@R82:0]#

0 Kudos
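A triage helper for the debug output in the post above, added here as an example and not part of the original posts or any Check Point tool: it pairs each XAuth success with a later `dhcp_bind_callback` failure for the same user and reports the gap between them. The function names, the output format and the `labuser2` sample line are assumptions.

```shell
#!/bin/sh
# Added example (not Check Point tooling): pair each XAuth success with a later
# dhcp_bind_callback failure for the same user in iked*.elg debug output.
# Accepts raw .elg lines or grep output with a "file:" prefix.

office_mode_failures() {
  awk '
    # Return seconds-of-day from the "[5 Feb 22:55:02]" stamp; sets global clock.
    function stamp(line,   s, p) {
      if (!match(line, /\[[0-9]+ [A-Za-z]+ [0-9]+:[0-9]+:[0-9]+\]/)) return -1
      s = substr(line, RSTART + 1, RLENGTH - 2)
      split(s, p, /[ :]/)
      clock = p[3] ":" p[4] ":" p[5]
      return p[3] * 3600 + p[4] * 60 + p[5]
    }
    / authenticated by / {
      for (i = 1; i <= NF - 2; i++)
        if ($i == "User" && $(i + 2) == "authenticated") {
          auth_s[$(i + 1)] = stamp($0)
          auth_c[$(i + 1)] = clock
        }
    }
    /dhcp_bind_callback: Could not bind an IP address for user / {
      u = $NF
      f = stamp($0)
      if (u in auth_s) {
        d = f - auth_s[u]
        if (d < 0) d += 86400          # session crossed midnight
        printf "user=%s auth=%s bind_fail=%s wait=%ds\n", u, auth_c[u], clock, d
        delete auth_s[u]
      } else
        printf "user=%s auth=unseen bind_fail=%s wait=?\n", u, clock
    }
  ' "$@"
}

# Sample input: the andy lines are the grep output quoted in the thread;
# the labuser2 line is constructed to show a user with no bind failure.
sample_log() {
  cat <<'EOF'
/opt/CPsuite-R82/fw1/log/iked2.elg:[iked2 16955 4072612352]@R82[5 Feb 22:55:02][tunnel] IkeSAFromState: User andy saved
/opt/CPsuite-R82/fw1/log/iked2.elg:[iked2 16955 4072612352]@R82[5 Feb 22:55:02][tunnel] InitXAuthSendLast: Message: User andy authenticated by FireWall-1 authentication
/opt/CPsuite-R82/fw1/log/iked2.elg:[iked2 16955 4072612352]@R82[5 Feb 22:55:03][tunnel] InitXAuthSendLast: Message: User labuser2 authenticated by FireWall-1 authentication
/opt/CPsuite-R82/fw1/log/iked2.elg:[iked2 16955 4072612352]@R82[5 Feb 22:55:07][tunnel] dhcp_bind_callback: Could not bind an IP address for user andy
EOF
}

sample_log | office_mode_failures
```

On a gateway the function can be run against `$FWDIR/log/iked*.elg` after the `vpn debug ikeon` capture. A user who shows up here authenticated and then hit the bind failure, which points the investigation at the DHCP leg rather than at authentication.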
G_W_Albrecht
Legend

https://support.checkpoint.com/results/sk/sk116957 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

Thank you, will check the scenarios later.

Andy

0 Kudos
the_rock
Legend

Hey Guenther,

Just went through all the steps, but none of them really apply to R82.

Andy

0 Kudos
the_rock
Legend

I also tried adding the specific MAC address of the machine I was connecting from to the allow list on the DHCP server, same issue.

Andy

0 Kudos
the_rock
Legend

Appears the issue is on the DHCP server end, though I followed the exact guide on how to set it up.

Andy

0 Kudos
G_W_Albrecht
Legend

The same as it ever was...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

I hear ya, I just can't figure out why it's failing. The customer gets the exact same error and they even verified with MS support that it's 100% configured right.

Oh well, it is what it is I guess...we will open a TAC case about it and I will report on the results. If we can get it working in the R82 lab, I would be very happy with that.

Thanks brother.

Andy

0 Kudos
the_rock
Legend

I am fairly positive at this point the issue is with the DHCP server, as we never see any replies when I run tcpdump from the firewall. I'm just not sure what is missing, but we will work with TAC to see if we can figure it out.

Best,

Andy

0 Kudos
the_rock
Legend

Hey guys,

Just to give a quick update on this...we have a call with TAC today to see if we can fix this issue in my R82 lab. I will provide feedback once we speak to an engineer.

Andy

0 Kudos
