This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mohit136971
Explorer
‎2025-12-03 09:54 PM

Remote access vpn with enrolment key certificate not working

Hi Team,

 

I am using 3600 and 9300 firewall for my customer. I have configured Remote access vpn with enrolment key certificate.

For 3600 firewall it is working fine but for 9300 series firewall it is not working. When I connect through vpn client it shows enrolment failed. Does anybody know why it is not connecting to 9300 series firewall. The configuration is same. Should I have to do any other steps on 9300 series firewall.

Also username + password for RAVPN is working fine but not working for Certifcate+username password.

 

Version- R81.20 JHF 118

TAC also haven't find the solution yet. It's pending from 20 days.

Please help me to resolve the issue.

Preview file
35 KB
Preview file
31 KB
0 Kudos
4 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-12-04 06:58 AM

Any other relevant messages except enrollment failed?

Best,
Andy
0 Kudos
Mohit136971
Explorer
a month ago
In response to the_rock

No other error

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-12-04 07:05 AM

If this is related to machine certificate issue, please see what TAC sent to one of our clients last yer and this actually did work.

*****************

- Policy had not been installed on the gateways since March 15. Sessions had been published, but not pushed to the gateways. Much of the configuration has taken place since then.
- Post installation, we needed to perform sk116997 as the CSP used for the machine certificate did not allow the use of SHA256 hashing for authentication.
- While we were trying to correct the machine certificate CSP, users were unable to connect to the remote access VPN as they did not belong to the remote access community. Performed sk91844 to change "fetch_type" to "fetch_options", and disabled "ldap_fetch" to prevent LDAP lookup of group memberships, as we wanted users to match the generic* profile and not LDAP.

Following the successful installation of policy, and the changes detailed in sk116997 and sk91844, we saw machine certificate authentication was being performed during login.

*********************************

Best,
Andy
0 Kudos
Mohit136971
Explorer
a month ago
In response to the_rock

Hi,

 

I have done the steps under this SK(sk91844) but I didn;t understand the second SK. And there is no solution provided on SK and Microsoft site as well.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events