This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RickyDan
Contributor
‎2021-11-04 08:29 AM

Randomly losing VPN connection in Harmony Endpoint/Sandblast

Some users are randomly losing VPN connection while working from home and the only fix is to restart the computer.

Harmony Endpoint version is 84.50.7526. Windows versions are from 1909 to 20H2 with different hardware (Dell/Acer).

The standalone VPN clients continue to work perfectly with no dropouts or issues so I do not suspect the gateways are at fault in any way. Packet captures (tcpdump/fw monitor) showed that absolutely no traffic was hitting the gateways. This issue only happens with the Harmony Endpoint suite.

Anyone else experiencing this and has a resolution?

0 Kudos
16 Replies
the_rock
Legend
Legend
‎2021-11-04 12:26 PM

I recall one customer having this problem, but maybe not exactly the same as what you described. So if you run fw monitor on the firewall and filter on port 18234 (tunnel test), you dont see anything at all? I know what we asked them to do after extensive TAC troubleshooting was to change sleep timer settings on their laptops to "never" and that did actually help largely. Is this something it had been happening since the beginning with sandblast?

0 Kudos
RickyDan
Contributor
‎2021-11-04 12:34 PM
In response to the_rock

Yea one user reported it the following day after installing Sandblast. 

I will repeat fw monitor with that port and update with the results. I only did it with src/dst IP addresses.

I'll also try the sleep setting and see if that has a noticeable impact.

the_rock
Legend
Legend
‎2021-11-04 12:37 PM
In response to RickyDan

Just run below on firewall from expert mode when issue is happening:

 

fw monitor -e "accept port (18234);"

 

0 Kudos
RickyDan
Contributor
‎2022-03-09 07:36 AM
In response to the_rock

What would I be looking for exactly? If nothing shows up what is the next step? TAC?

0 Kudos
the_rock
Legend
Legend
‎2022-03-09 07:50 AM
In response to RickyDan

Pretty much, yes. You would look to see if office mode IP addresses are communicating on port 18234.

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-03-09 08:09 AM
In response to RickyDan

Have you tried any newer client versions other than E84.50 ?

CCSM R77/R80/ELITE
RickyDan
Contributor
‎2022-03-09 09:04 AM
In response to Chris_Atkinson

Hey, I did upgrade everyone to E86.00 which was the latest at the time I pushed the upgrade but it did not help. However, I will give E86.20 a go for a few affected users and see how that helps. Thanks for the suggestion.

0 Kudos
the_rock
Legend
Legend
‎2022-03-09 08:16 AM
In response to RickyDan

@Chris_Atkinson brought up a good point...E86.20 is the newest version, but very stable, so I would certainly give that a go.

Andy

0 Kudos
RickyDan
Contributor
‎2022-03-09 09:04 AM
In response to the_rock

Thanks, will certainly give it a shot.

0 Kudos
the_rock
Legend
Legend
‎2022-03-09 09:51 AM
In response to RickyDan

Keep us posted on the results please. 

Cheers,

 

Andy

0 Kudos
RickyDan
Contributor
‎2022-03-10 07:14 AM
In response to the_rock

Hi guys, pushed E86.20 in the evening to a user who was having the issue constantly and this morning the VPN dropped again. I asked them to let me know the instant it happens so that I can do the fw monitor as well as look for anything related in Windows logs.

0 Kudos
the_rock
Legend
Legend
‎2022-03-10 07:26 AM
In response to RickyDan

I would definitely recommend TAC case, if you dont have one already. I know issues like this are not easy to troubleshoot, specially given the fact they would also have to do captures when issue is occurring, otherwise, it would not show the actual problem.

0 Kudos
RickyDan
Contributor
‎2022-03-10 11:21 AM
In response to the_rock

I got a trace going and the only thing hitting the gateway was tunnel test (UDP\18234).

May or may not be related but the user also has a ton of windows system event logs 7034 saying the Threat Emulation service terminated unexpectedly. To compare, I checked another user who does not experience the issue and they have no such logs. I removed Threat Emulation from the user but they still experienced the issue. 

I'll open another TAC case with this info. I had one previously but the issue was so seldom that no meaningful troubleshooting could be done. Thanks everyone so far for the suggestions.

0 Kudos
YuryRus
Explorer
‎2022-04-28 01:06 PM
In response to RickyDan

Hi,

We are experiencing a similar issue. Endpoint Client displays as connected, but all network resources are unreachable until machine is restarted. It looks almost as "Host isolation" feature turned on for the host (During isolation all traffic is dropped except the connection to the management server).

Was your issue resolved and what did it take? and what was causing it?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-03-09 01:47 PM
In response to the_rock

E86.25 was also made available recently FYI.

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2022-03-09 02:45 PM
In response to Chris_Atkinson

Right, but only managed, NOT standalone vpn client.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events