Remote Access VPN - Site Creation Failed
Hi Guys,
Having challenges configuring Remote Access VPN (Mobile Access); the client used is Endpoint Security VPN.
HW: 3600
Version: R81.10 (Jumbo hotfix installed)
Error: as attached
Config checks:
GAIA Portal has been redirected to 4434 just to avoid conflicts with 443 for SSL VPN
Using Local users for Auth ( CP username and Pswd)
Access logs got no drops.
IA enabled, Mobile access enabled, office mode
TLS enabled is v1.2
Have followed most of the videos, docs and community posts out there but still couldn't narrow it down.
It looks like a pretty simple config but wasn't straightforward.
Appreciate any directions!
Thank you!
Srini
Accepted Solutions
Remote Access using a Client, whether SNX or Endpoint Security VPN can be done with either IPsec VPN or with Mobile Access.
What Mobile Access Blade gives you is a nicer portal for deployment of SNX...and will also serve as a sort of reverse proxy to access internal web resources.
That said, if you are going to use SNX, you will probably want to deploy it to your users versus them having to self-deploy using the SNX portal (active when the Mobile Access blade is disabled).
That's because the SNX portal still uses Java to deploy SNX using a legacy method that modern browsers no longer support.
I don't know the technical reason why Mobile Access cannot be used on a port other than port 443.
However, one can consider this a product limitation.
Did you do any of the steps listed here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
[ 6196 8156][7 Nov 15:01:51][talkhttps] ATalkHttps::ssl_failure_cb: SSL ended. err=3
[ 6196 8156][7 Nov 15:01:51][talkhttps] ResetRcvBuffer: data 00000000 size 0 free_buffer=1.
[ 6196 8156][7 Nov 15:01:51][TalkCCC] talkccc::EndEv: got disconnected with AuthError_t==2.
What exactly is this auth error corresponding to? I did see in another post that t==3 is related to a wrong gateway cert. Not sure about t==2 though.
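The three client log lines quoted above share one layout: a bracketed pid/tid, a timestamp, a module name, then the message. The following added example (not code from Check Point or from this thread) parses that layout and pairs each "AuthError_t==N" disconnect with the last "SSL ended. err=N" value seen on the same pid/tid, so the two codes can be read together when triaging a failed site creation. The sample text is the three lines from the post; the field names and the pairing rule are this example's own assumptions, and the meaning of the numeric codes is not decoded here because the thread does not establish it.

```python
import re
from typing import Optional

# Sample input: the three lines quoted in the post above (constructed as a string).
SAMPLE_LOG = """\
[ 6196 8156][7 Nov 15:01:51][talkhttps] ATalkHttps::ssl_failure_cb: SSL ended. err=3
[ 6196 8156][7 Nov 15:01:51][talkhttps] ResetRcvBuffer: data 00000000 size 0 free_buffer=1.
[ 6196 8156][7 Nov 15:01:51][TalkCCC] talkccc::EndEv: got disconnected with AuthError_t==2.
"""

# Assumed line layout, as seen in the post: [ pid tid][timestamp][module] message
LINE_RE = re.compile(
    r"^\[\s*(?P<pid>\d+)\s+(?P<tid>\d+)\]"
    r"\[(?P<ts>[^\]]+)\]"
    r"\[(?P<module>[^\]]+)\]\s*"
    r"(?P<msg>.*)$"
)
AUTHERR_RE = re.compile(r"AuthError_t==(\d+)")
SSLERR_RE = re.compile(r"SSL ended\. err=(\d+)")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into pid, tid, ts, module and msg; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_disconnects(text: str) -> list:
    """Return one record per 'AuthError_t==N' disconnect.

    Each record carries the timestamp, the module that logged it, the auth error
    code, and the most recent 'SSL ended. err=N' code seen on the same pid/tid
    (None if no SSL failure preceded it in this thread).
    """
    last_ssl_err: dict = {}
    found = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["pid"], rec["tid"])
        s = SSLERR_RE.search(rec["msg"])
        if s:
            last_ssl_err[key] = int(s.group(1))
        a = AUTHERR_RE.search(rec["msg"])
        if a:
            found.append({
                "ts": rec["ts"],
                "module": rec["module"],
                "auth_error": int(a.group(1)),
                "ssl_err": last_ssl_err.get(key),
            })
    return found


if __name__ == "__main__":
    for d in find_disconnects(SAMPLE_LOG):
        print(f"{d['ts']} {d['module']}: AuthError_t={d['auth_error']} "
              f"(preceded by SSL err={d['ssl_err']})")
```

Run it against a full client log and every disconnect is reported with the SSL failure that preceded it, which is the pair of values worth quoting when the case goes to support.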
Sounds like you might want to engage the TAC.
Will do and keep you guys posted.
I found the issue; it was discussed by you in another post.
I had a NAT on 443 for a web server, and it looks like that was causing the conflict.
Now the trouble is that server is important to us, and apparently Mobile Access will work only via 443 and can't use another port.
Apart from changing the web server to another port or using Visitor Mode, is there any other option at all to stick with Mobile Access?
Thank you!
If your goal is simply remote access with a client, this doesn't require Mobile Access Blade.
This can happen with just the IPsec VPN blade.
If you're using SNX, you're basically using Visitor Mode anyway.
If you need the full MAB portal, you're probably out of luck.
Thanks for the reply.
So if I have to use IPsec VPN, can I use only SNX as the client, or can I still use the Endpoint Security VPN client as well? Also, I would have to disable the Mobile Access blade. Am I right to say that?
I wonder what's the purpose of the Mobile Access blade in the first place.
I find it weird that you can't use the Mobile Access blade along with a web server in your environment.
Thank you!
Remote Access using a Client, whether SNX or Endpoint Security VPN can be done with either IPsec VPN or with Mobile Access.
What Mobile Access Blade gives you is a nicer portal for deployment of SNX...and will also serve as a sort of reverse proxy to access internal web resources.
That said, if you are going to use SNX, you will probably want to deploy it to your users versus them having to self-deploy using the SNX portal (active when the Mobile Access blade is disabled).
That's because the SNX portal still uses Java to deploy SNX using a legacy method that modern browsers no longer support.
I don't know the technical reason why Mobile Access cannot be used on a port other than port 443.
However, one can consider this a product limitation.
Yeah, true that. I just tried the same using IPsec VPN and the Endpoint Security client, assigned a random port via Visitor Mode, and it worked just fine!
Now I wonder what the purpose even is of having that Mobile Access blade apart from the ones you've highlighted above.
Thanks a ton for your assistance here!
Having the same issue here, but I just don't have firewall or NAT rules for port 443... did you ever figure out the reason for this problem?
My issue was with NAT for a web server sharing the same port as Mobile Access. I changed to IPsec VPN and turned off the Mobile Access blade, and the problem was fixed.
Questions for you:
1. Are you using the Mobile Access blade or IPsec VPN?
2. What VPN client are you using?
3. Did you capture logs in the client? That will reveal some issues.
4. The link below is handy to cross-check as well.
Cheers
Srini
1. Both. I've been trying with only IPsec, and only by enabling Mobile Access and choosing desktops/laptops (Endpoint Security VPN).
2. Endpoint Security VPN on my PC.
3. No, not yet.
4. Thank you for the link; I've been on it already, though I have not been digging into the "capture packets" thing yet.
Option 1:
Disable Mobile Access (uncheck under General Properties), check only IPsec VPN. Try connecting.
Option 2:
Possibly 443 is conflicting with your GAIA management portal.
Change the GAIA Portal to something else, say 4434 (Gateway properties -> Platform Portal).
Try connecting now, as Mobile Access will not conflict on 443.
Let me know how you go!
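The two options above, and the earlier finding that a NAT rule publishing a web server on TCP/443 was the real conflict, all come down to one question: how many things on the gateway's external address are claiming the same TCP port. The following added example (not Check Point code and not part of this thread) models that as a small conflict checker: gateway listeners (GAIA portal, Mobile Access portal, Visitor Mode) and NAT rules are entries that each claim an (external IP, port) pair, and any pair with more than one claimant is a conflict. The external IP 198.51.100.10, the internal web server 10.0.0.20, the listener names and the Visitor Mode port 4433 are constructed assumptions; the ports 443 and 4434 are the ones discussed in the thread. It goes slightly beyond the thread by applying both options to the same model, which shows why moving the GAIA portal alone (Option 2) did not help once a NAT rule also sat on 443.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Listener:
    """A service the gateway itself terminates on its external address."""
    name: str
    port: int
    enabled: bool = True


@dataclass(frozen=True)
class NatRule:
    """A destination NAT that forwards traffic hitting the external address inward."""
    name: str
    original_dst: str
    port: int
    translated_dst: str


@dataclass(frozen=True)
class GatewayModel:
    external_ip: str
    listeners: tuple
    nat_rules: tuple


def claims_on_external(model: GatewayModel) -> dict:
    """Map (external_ip, tcp_port) -> list of everything that wants that traffic."""
    claims: dict = {}
    for lst in model.listeners:
        if lst.enabled:
            claims.setdefault((model.external_ip, lst.port), []).append(f"listener:{lst.name}")
    for rule in model.nat_rules:
        if rule.original_dst == model.external_ip:
            claims.setdefault((rule.original_dst, rule.port), []).append(
                f"nat:{rule.name}->{rule.translated_dst}")
    return claims


def conflicts(model: GatewayModel) -> dict:
    """Only the (ip, port) pairs with more than one claimant."""
    return {k: v for k, v in claims_on_external(model).items() if len(v) > 1}


def move_gaia_portal(model: GatewayModel, new_port: int) -> GatewayModel:
    """Option 2 from the post: move the GAIA platform portal off 443."""
    ls = tuple(replace(l, port=new_port) if l.name == "gaia_portal" else l
               for l in model.listeners)
    return replace(model, listeners=ls)


def disable_mobile_access(model: GatewayModel, visitor_mode_port: int) -> GatewayModel:
    """Option 1 from the post: drop the Mobile Access portal and rely on IPsec VPN
    with Visitor Mode on a port of your choosing (the port is an assumption here)."""
    ls = tuple(replace(l, enabled=False) if l.name == "mobile_access_portal" else l
               for l in model.listeners)
    return replace(model, listeners=ls + (Listener("visitor_mode", visitor_mode_port),))


# Constructed starting point matching the thread: GAIA portal and Mobile Access
# both on 443, plus a NAT rule publishing an internal web server on 443.
BROKEN = GatewayModel(
    external_ip="198.51.100.10",
    listeners=(Listener("gaia_portal", 443), Listener("mobile_access_portal", 443)),
    nat_rules=(NatRule("webserver_publish", "198.51.100.10", 443, "10.0.0.20"),),
)


if __name__ == "__main__":
    print("as configured:", conflicts(BROKEN))
    after_opt2 = move_gaia_portal(BROKEN, 4434)
    print("after option 2 (GAIA on 4434):", conflicts(after_opt2))
    after_opt1 = disable_mobile_access(after_opt2, visitor_mode_port=4433)
    print("after option 1 on top (no MAB, Visitor Mode 4433):", conflicts(after_opt1))
```

Running it shows three claimants on 443 in the starting state, two still there after only the GAIA portal is moved, and none once Mobile Access is disabled and Visitor Mode sits on its own port, which is the sequence the thread went through.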
Removed the Mobile Access blade.
Opened gateway properties and added :4434 to the gateway portal.
Opened Endpoint Security VPN.
Trying to add a site but receive: "site creation failed"..
Phew. Guess I'll have to create yet another support case.
These days it feels like I can barely close one case before having the need to open one more because something breaks..
all the god **bleep** time.
Hope you installed the policies as well after the changes.
And also the best way is to capture the logs on the client, as it reveals some info about the failure. It's pretty easy.
Or as always you can raise a support case, which is pretty much going to walk you through the same.
Good luck!
Yep.
Did install policy right after 🙂
I've collected logs, but I wasn't able to find anything in particular.
What were you specifically looking for in the logs that led you on your path?
You should check that specific link I gave for various error messages. Worth uploading your config screen grab and logs here to evaluate.
