Mishgek
Explorer

SNX on linux

Hello guys! I have a problem connecting through SSL Extender on a Linux machine.

We have two gateways v.80.30, let's call them io.corp.com and sa.corp.com.

Client: CentOS 7.9, java-11-openjdk and all prerequisites from sk119772. SNX build 800010003.

SSL Extender with io.corp.com works just fine. On the first connection a window with the certificate fingerprint pops up, we accept it and the connection is established. When we try to connect to sa.corp.com, the SSL Extender window closes without any error. I found an error in /var/log/cshell/cshell.log. Could it be that the root of the problem is the server certificate with an asterisk (*)?

 

30/07/2021 10:09:47 INFO [global] (Log log) [SNXNetMode] Could not connect to SNX Network Mode, probably not installed.
30/07/2021 10:09:47 INFO [global] (Log log) [Launcher] Launching /usr/bin/snx -Z
30/07/2021 10:09:48 INFO [CpComponent] (CpComponent initPipe) Trying to create socket to 127.0.0.1:7776
30/07/2021 10:09:48 INFO [global] (Log log) [SNXNetMode] Successfully connected to SNX Network Mode.
30/07/2021 10:09:48 INFO [global] (Log log) [SNXNetMode] Connection to SNX Network Mode is ok
30/07/2021 10:09:48 INFO [CpComponent] (CpComponent connect) Connecting...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] detectProxy, name = sa.corp.ru
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] detectProxy, proxyFullPath = /tmp/.proxy.ini
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] URI = https://sa.corp.ru
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] about to get the system-wide proxy selector...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] about select proxy list from the selector...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] about iterate the proxy list...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] about iterate the proxy #0...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] about to get address from proxy...
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] no proxy - continue
30/07/2021 10:09:48 INFO [global] (Log log) [Proxy] done with the list - there is no proxy
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Sending INIT_DATA message:
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Gateway IP: 95.113.123.212
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Gateway name: sa.corp.ru
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Gateway port: 443
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Proxy IP: 0.0.0.0
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Proxy port: 0
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Server CN: *.corp.ru
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] User Name: USER
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Server fingerprint: SAGE LAKE DAME HARD TIDY BROW DEL SEEK IKE GLEE CRUD ION
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Automatic proxy replacement: true
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Sending INIT_DATA_EX message:
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Allow only packets from sws: false
30/07/2021 10:09:48 INFO [global] (Log log) [CShell] Initialized successfully
30/07/2021 10:09:49 INFO [CShellHTTPHandler] (CShellHTTPHandler proceedHandleRequest) Method name: get_is_connected
30/07/2021 10:09:49 INFO [CShellHTTPHandler] (CShellHTTPHandler proceedHandleRequest) Method name: get_finished
30/07/2021 10:09:49 INFO [global] (Log log) [Messaging] Received DISCONNECTED message, Error 32: Cannot establish connection to SSL Network Extender gateway. Try to reconnect.
30/07/2021 10:09:49 INFO [CpComponent] (CpComponent run) Received 'Disconnect' message from SNX:
ID: 32 MSG:Cannot establish connection to SSL Network Extender gateway. Try to reconnect.
30/07/2021 10:09:49 WARNING [TunnelChecker] (TunnelChecker disconnectTunnel) Can't disconnect tunnel, client director is not defined.
30/07/2021 10:09:49 WARNING [TunnelChecker] (TunnelChecker stop) Can't stop disconnect checker, processed handle is not defined.
30/07/2021 10:09:50 INFO [CShellHTTPHandler] (CShellHTTPHandler proceedHandleRequest) Method name: Uninitialize
30/07/2021 10:09:50 WARNING [TunnelChecker] (TunnelChecker disconnectTunnel) Can't disconnect tunnel, client director is not defined.
30/07/2021 10:09:50 WARNING [TunnelChecker] (TunnelChecker stop) Can't stop disconnect checker, processed handle is not defined.
30/07/2021 10:09:50 INFO [CShellHTTPHandler] (CShellHTTPHandler proceedHandleRequest) Method name: stop
30/07/2021 10:09:50 WARNING [TunnelChecker] (TunnelChecker disconnectTunnel) Can't disconnect tunnel, client director is not defined.
30/07/2021 10:09:50 WARNING [TunnelChecker] (TunnelChecker stop) Can't stop disconnect checker, processed handle is not defined.

 

 

0 Kudos
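A triage sketch for the log above, as an added example that is not part of the original post and not Check Point code: it pulls the gateway name, server CN and disconnect error out of cshell.log lines and checks whether the wildcard CN covers the gateway name under standard RFC 6125 single-label matching. How SNX itself validates the CN is not stated in this thread, so the matching rule is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample: the relevant lines of the cshell.log excerpt quoted in the post.
SAMPLE_LOG = """\
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Gateway name: sa.corp.ru
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Gateway port: 443
30/07/2021 10:09:48 INFO [global] (Log log) [Messaging] Server CN: *.corp.ru
30/07/2021 10:09:49 INFO [global] (Log log) [Messaging] Received DISCONNECTED message, Error 32: Cannot establish connection to SSL Network Extender gateway. Try to reconnect.
"""

FIELD_RE = re.compile(r"\[Messaging\] (Gateway name|Gateway port|Server CN): (.+)$")
ERROR_RE = re.compile(r"Received DISCONNECTED message, Error (\d+): (.+)$")

def parse_cshell(text):
    """Collect the INIT_DATA fields and the disconnect error from cshell.log text."""
    info = {"error_id": None, "error_msg": None}
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            info[m.group(1)] = m.group(2).strip()
            continue
        m = ERROR_RE.search(line)
        if m:
            info["error_id"], info["error_msg"] = int(m.group(1)), m.group(2).strip()
    return info

def wildcard_covers(pattern, host):
    """Assumed rule (RFC 6125 style): '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as '*.ru'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def triage(text):
    """Parse the log and report whether the logged CN covers the logged gateway name."""
    info = parse_cshell(text)
    cn, gw = info.get("Server CN"), info.get("Gateway name")
    info["cn_covers_gateway"] = wildcard_covers(cn, gw) if cn and gw else None
    return info

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Under this rule the logged CN `*.corp.ru` does cover `sa.corp.ru`, so a plain name mismatch alone would not account for Error 32 in this log.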
7 Replies
PhoneBoy
Admin

What's the error message from the gateway side of things?

0 Kudos
Mishgek
Explorer

From the gateway side, the error is "SNX connection failed".

0 Kudos
PhoneBoy
Admin

Where precisely are you seeing that error message?
I believe you can get more information on the client side by using the -g option when invoking SNX.

 

0 Kudos
Mishgek
Explorer

I will find out about the error from the gateway administrator. There are logs from SNX from when I invoke the connection to the gateways with the commands "snx -s sa.corp.ru -u user -g" and "snx -s io.corp.ru -u user -g". We don't use SNX to connect through the CLI. I thought it was not supported any more? I am using the Firefox 78 web browser on CentOS with java-11-openjdk (I tried 8, 11, 16 and jre 8). We have Windows clients with IE which go through sa.corp.ru without problems.

0 Kudos
Mishgek
Explorer

Could it be that this hotfix https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... is not installed on the gateway? How can I confirm it?

0 Kudos
PhoneBoy
Admin

If you can use it from a Windows machine with Chrome (versus Internet Explorer), then the hotfix is installed.
Otherwise, it's not. 

0 Kudos
the_rock
Authority

Let me discuss this with one of my colleagues and see what he says about it, as I believe he made it work for one of our customers. Though based on the errors you gave, I really agree with your logic that it could be a certificate issue.

0 Kudos