This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Edu_Amores
Explorer
‎2020-05-04 05:42 AM

Remote Access VPN license (IPSEC)

Hello,

We are facing some sporadic issues because users cannot connect through using the Endpoint Security Client. We are getting this error: You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode

I am checking the CLuster licenses in SMS and I can see this: Mobile Access - Active - Quota: 0/110

But when I am running the following command, I can see that the maximun number of concurrent users has been 110:

[Expert@ITALFARM-GW1:0]# fw tab -t om_assigned_ips -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost om_assigned_ips 386 107 110 0

So, I am not sure if users are making use of Mobile Access licenses when connecting through Remote Access VPN (IPSEC) and I am having this limitation and this is the reason because we get the mentioned error sometimes. Can you please help me to clarify this?

Thank you.

0 Kudos
7 Replies
_Val_
Admin
Admin
‎2020-05-04 06:33 AM

Here is a quote for you from https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

16. Can I connect an Endpoint Security VPN client to a gateway having only a Mobile Access Blade lic...

No, only Check Point Mobile for Windows, SNX, Linux and Capsule Connect clients can be connected.
 
 
0 Kudos
Edu_Amores
Explorer
‎2020-05-04 06:56 AM
In response to _Val_

Thanks for the answer. So, Are there licenses required which could limit the amount of concurrent users connected RA VPN (IPSEC) using Enpoint Security? If exists, how coul I check the limit? Thank you very much.

Best Regards.

0 Kudos
_Val_
Admin
Admin
‎2020-05-04 07:05 AM
In response to Edu_Amores

Please read via the link I have given you, it is also answered there

0 Kudos
Edu_Amores
Explorer
‎2020-05-04 08:16 AM
In response to _Val_

Yes, I have read that link but it does not answer all my questions, or at least I am not understanding it in the right way. I have ran this command and check how many connected users I have and avaialble licenses.

 

REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 102 (Peak: 110)
Capsule/Endpoint VPN Users : 100 (Peak: 105) using Visitor Mode: 0
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 0 (Peak: 0)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 0)

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 1000
Endpoint Connect Users : 0
Mobile Access Users : 110
SNX Users :

 

According to this output, I can see that there are currently 102 assigned OfficeMode IPs (Peak:110). I also can see that I have 110 Mobile Access licenses but I am not sure if these 102 sessions are making use of 110 available Mobile Access licenses. If not, I cannot understand why I am getting this error eventually (it just happens sometimes): 

You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode 

Maybe the answer for my question is in the link you have provided me but I find it a bit confused. I just need to know if RA VPN connection with IPSEC, consume Mobile Access licenses or not. I think yes but SMS shows: Quota 0/110 and I do not if it is an cosmetic bug or if these licenses are not being used. Thanks and sorry not being able to understand it easily.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-04 04:54 PM
In response to Edu_Amores

I think what you're seeing is a cosmetic bug.
A screenshot of exactly where you're seeing it would help.

Office Mode IPs require a license (either Endpoint VPN or MAB).
Presumably you're getting the error when you run out of licenses for the concurrent connected users.
0 Kudos
Edu_Amores
Explorer
‎2020-05-05 12:39 AM
In response to PhoneBoy

Yes, here you can check what I am looking in SMS. Thank you very much for the help.

Best Regards,

Preview file
38 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-05 06:40 AM
In response to Edu_Amores

Worth a TAC case to fix the cosmetic bug.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events