This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gabriel_Rosas
Explorer
‎2019-11-13 01:10 PM

SSL Network Extender Issue

Hi team,

I am having a random issue with remote users connected to the RemoteAccess vpn.

Remote users can login to the portal and the office mode IP assigns correctly. We do not know why some times users cannot access the resource. When connections are being dropped logs show: "Drecipted and user method are not identical (vpn error code 1). It seems like that the gateway is identifying the users connections as a Site-to-Site communication from one of our peer gateways even when the encryption domains are not the same. 

This issue is presenting since we upgraded to R80.20.

So, we have some questions...

Do we need to configure static routes in the customer switch core?

We have a clusterXL HA deployment and different office mode segments are configured in the cluster members. We have detected that only with one member the issue is presenting. Do we need to use the same office mode pool in both cluster members?

 

Regards.

 

 

 

 

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2019-11-13 06:56 PM

Cluster members should be configured to use the Office Mode addresses.
Also your core routers/switches will likely need routes for the Office Mode addresses to point at the gateway, particularly if the default route doesn't go through the Security Gateway.
Wolfgang
Authority
Authority
‎2019-11-13 11:14 PM

Gabriel,

if you had ClusterXL HA you can define the same office-mode network on both members.

As Dameon wrote, this office mode network need to be routed to your cluster.

Wolfgang

PS.: It is always a good idea to get the office mode IPs from an internal DHCP server

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top