This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mishgek
Explorer
‎2021-07-29 11:34 PM

SNX on linux

Hello guys! I have a problem with connection through SSL Extender on linux machine.

We have two gateways v.80.30, lets name it io.corp.com and sa.corp.com.

Client: CentOS 7.9, java-11-openjdk and all prerequisites from sk119772. SNX  build 800010003.

SSL Extender with io.corp.com working just fine. With first connections window with certificate fingerprint pops up, we accept it and connection is established. When we try to connect to sa.corp.com. SSL Extender window closing without any error. I found error in /var/log/cshell/cshell.log. Could it be that the root of a problem is server certificate with asterisk *?

 

30/07/2021 10:09:47 INFO [global] (Log log) [SNXNetMode] Could not connect to SNX Network Mode, probably not installed.
30/07/2021 10:09:47 INFO [global] (Log log) [Launcher] Launching /usr/bin/snx -Z
30/07/2021 10:09:48 INFO [CpComponent] (CpComponent initPipe) Trying to create socket to 127.0.0.1:7776
30/07/2021 10:09:48 INFO [global] (Log log) [SNXNetMode] Successfully connected to SNX Network Mode.
30/07/2021 10:09:48 INFO [global] (Log log) [SNXNetMode] Connection to SNX Network Mode is ok
30/07/2021 10:09:48 INFO [CpComponent] (CpComponent connect) Connecting...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] detectProxy, name = sa.corp.ru
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] detectProxy, proxyFullPath = /tmp/.proxy.ini
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] URI = https://sa.corp.ru
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] about to get the system-wide proxy selector...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] about select proxy list from the selector...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] about iterate the proxy list...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] about iterate the proxy #0...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] about to get address from proxy...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] no proxy - continue
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] done with the list - there is no proxy
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Sending INIT_DATA message:
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Gateway IP: 95.113.123.212
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Gateway name: sa.corp.ru
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Gateway port: 443
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Proxy IP: 0.0.0.0
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Proxy port: 0
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Server CN: *.corp.ru
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] User Name: USER
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Server fingerprint: SAGE LAKE DAME HARD TIDY BROW DEL SEEK IKE GLEE CRUD ION
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Automatic proxy replacement: true
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Sending INIT_DATA_EX message:
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Allow only packets from sws: false
30/07/2021 10:09:48 INFO [global] (Log log) [CShell] Initialized successfully
30/07/2021 10:09:49 INFO [CShellHTTPHandler] (CShellHTTPHandler proceedHandleRequest) Method name: get_is_connected
30/07/2021 10:09:49 INFO [CShellHTTPHandler] (CShellHTTPHandler proceedHandleRequest) Method name: get_finished
30/07/2021 10:09:49 INFO [global] (Log log) [Messaging] Received DISCONNECTED message, Error 32: Cannot establish connection to SSL Network Extender gateway. Try to reconnect.
30/07/2021 10:09:49 INFO [CpComponent] (CpComponent run) Received 'Disconnect' message from SNX:
ID: 32 MSG:Cannot establish connection to SSL Network Extender gateway. Try to reconnect.
30/07/2021 10:09:49 WARNING [TunnelChecker] (TunnelChecker disconnectTunnel) Can't disconnect tunnel, client director is not defined.
30/07/2021 10:09:49 WARNING [TunnelChecker] (TunnelChecker stop) Can't stop disconnect checker, processed handle is not defined.
30/07/2021 10:09:50 INFO [CShellHTTPHandler] (CShellHTTPHandler proceedHandleRequest) Method name: Uninitialize
30/07/2021 10:09:50 WARNING [TunnelChecker] (TunnelChecker disconnectTunnel) Can't disconnect tunnel, client director is not defined.
30/07/2021 10:09:50 WARNING [TunnelChecker] (TunnelChecker stop) Can't stop disconnect checker, processed handle is not defined.
30/07/2021 10:09:50 INFO [CShellHTTPHandler] (CShellHTTPHandler proceedHandleRequest) Method name: stop
30/07/2021 10:09:50 WARNING [TunnelChecker] (TunnelChecker disconnectTunnel) Can't disconnect tunnel, client director is not defined.
30/07/2021 10:09:50 WARNING [TunnelChecker] (TunnelChecker stop) Can't stop disconnect checker, processed handle is not defined.

 

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2021-08-01 05:48 PM

What's the error message from the gateway side of things?

0 Kudos
Mishgek
Explorer
‎2021-08-02 04:50 AM
In response to PhoneBoy

Form the gateway side error "SNX connection failed".

0 Kudos
PhoneBoy
Admin
Admin
‎2021-08-02 01:22 PM
In response to Mishgek

Where precisely are you seeing that error message?
I believe you can get more information on the client side by using the -g option when invoking SNX.

 

0 Kudos
Mishgek
Explorer
‎2021-08-02 11:12 PM
In response to PhoneBoy

I will find out about error from gateway administrator. There is logs from SNX when I invoking connection with gateways by doing command "snx -s sa.corp.ru -u user -g" and "snx -s io.corp.ru -u user -g". We dont use SNX to connect through CLI. I thought it was not supported any more? I am using Firefox 78 web browser on CentOS with java-11-openjdk (i tried 8,11,16 ande jre 8). We have Windows clients with IE which going throught sa.cotp.ru without problems.

Preview file
6 KB
Preview file
66 KB
0 Kudos
Mishgek
Explorer
‎2021-08-10 05:43 AM
In response to PhoneBoy

Could it be that this hotfix https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... not installed on the gateway? How to confirm it?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-08-10 11:02 AM
In response to Mishgek

If you can use it from a Windows machine with Chrome (versus Internet Explorer), then the hotfix is installed.
Otherwise, it's not. 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-08-02 05:37 PM

Let me discuss this with one of my colleagues, see what he says about it, as I believe he made it work for one of our customers. Though based on errors you gave, I really agree with your logic that it could be certificate issue.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events