Michael_Horne
Advisor

StandAlone Gateway Remote Access VPN Site not created

Hello All,

I am trying to configure a Remote Access VPN on a standalone gateway, but something fundamental is going wrong.

Is there something specific you need to do for configuring Remote Access VPN on a standalone gateway?

I have a Check Point 3000 series on R80.40 straight out of the box. When I configure the Remote Access VPN and try to connect with the SecuRemote client, I always end up with the error "Failed to create the new site. Site is not responding".

I have been through the community looking for tips. I have been through sk128652: Troubleshooting "site is not responding" Issues

  • Scenario 1 - Done
  • Scenario 6 - Already done, reset to factory defaults
  • Scenario 7 - Done
  • Scenario 8 - Done / Checked
  • Scenario 9 - Already on R80.40

Checking in the trac.log as was suggested I see "Failed to connect - AuthError_t==3"

[ 7668 20200][3 May 13:53:23][cpwssl] cpWinSSL_fwasync_end_handler: 0x32E4048 ended
[ 7668 20200][3 May 13:53:23][cpwssl] cpWinSSL_fwasync_connected: SSL failure: not initialized.
[ 7668 20200][3 May 13:53:23][cpwssl] cpWinSSL_fwasync_close: closing - conn - 0x32e4048
[ 7668 20200][3 May 13:53:23][] fwasync_close: close(2492): Unknown Winsock error (10038)
[ 7668 20200][3 May 13:53:23][talkssl] talkssl::end_handler: ending connection
[ 7668 20200][3 May 13:53:23][talkhttps] ATalkHttps::ssl_failure_cb: SSL ended. err=1
[ 7668 20200][3 May 13:53:23][talkhttps] ResetRcvBuffer: data 00000000 size 0 free_buffer=1.
[ 7668 20200][3 May 13:53:23][TalkCCC] talkccc::EndEv: got disconnected with AuthError_t==3.
[ 7668 20200][3 May 13:53:23][TalkCCC] talkccc::EndEv: connection status 1
[ 7668 20200][3 May 13:53:23][TalkCCC] talkccc::EndEv: Failed to connect - AuthError_t==3
[ 7668 20200][3 May 13:53:23][TalkCCC] talkccc::EndEv: event callback is registered. Notifying it
[ 7668 20200][3 May 13:53:23][TR_FLOW_STEP] TR_FLOW_STEP::TrSiteCreationStep::AuthFailureEv: entering...
[ 7668 20200][3 May 13:53:23][String] String::String::Translate: String with id 28 has been translated to string: Site is not responding
[ 7668 20200][3 May 13:53:23][TR_FLOW_STEP] TR_FLOW_STEP::TrSiteCreationStep::Notify: Failed to receive hello reply
[ 7668 20200][3 May 13:53:23][auth_server] AAuthServer::Stop Stopping Authentication
[ 7668 20200][3 May 13:53:23][talkhttps] ATalkHttps::CloseConn: Close SSL conn: 0 State 0x6 Reason: Termination.

It was suggested this indicates a problem with certificate authentication. This makes sense, as the only traffic I am seeing on the firewall is TCP/443.

What is also interesting is the message in the trac.log: [TR_FLOW_STEP] TR_FLOW_STEP::TrSiteCreationStep::Notify: Failed to receive hello reply.

A Wireshark trace on the client PC shows that there is a Hello sent from the client, but immediately after that the Security Gateway sends a FIN ACK packet.

hello.png

When the SecuRemote client connects there is a certificate warning:

Screenshot 2022-05-03 171442.png

This is showing the certificate with the IP 192.168.1.1, which was the original management IP when the firewall was taken out of the box, but is not the current management IP after running the First Time Wizard. In the gateway object under VPN, this certificate does not match what is shown as the defaultCert in the Certificate repository.

The vpnd.elg does not provide much information:

[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_trap_handler_multik: called dlen 104, type 2
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] CptlUrlf::HandleTrap: _len 104 _instance =1
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] CptlUrlf::HandleTrap: not urlf ssl trap.
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_urlf_trap_cb: it is not ssl urlf trap.
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_trap_handler_multik: called from kernel instance 1.
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_handle_msg_multik: called. msg=HS_NEW
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_handle_msg_multik: kernel_instance: 1
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_hs_new_handler: client_conn_id: 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_hs_new_handler: server_conn_id: 0x0000000000000000
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::startNewChannel: kernel_instance = 1, client_params_id = 0, server_params_id = 0, disable_http2 = 0
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::startNewChannel: invalid args
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_hs_new_handler: startNewChannel failed
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::getErrorString: channel was deleted: 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_call_rl_end_psl: called, is_psl: 0
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_call_rl_end_psl: connID: : 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik: called with conn_id: 0x00000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik: will call instance: 1
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik: fwioctl_multik succeeded
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::getErrorString: channel was deleted: 0x0000000000000000
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_call_rl_end_psl: called, is_psl: 0
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_call_rl_end_psl: connID: : 0x0000000000000000
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik: called with conn_id: 0x00000000
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik: will call instance: 1
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik: fwioctl_multik succeeded
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] getRenegParams: lookup for key : <IP removed, 54565, IP removed, 443, 6>
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] getRenegParams: Params not found
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] storeRenegParams: storing key : <IP removed, 54565, IP removed, 443, 6>
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] storeRenegParams: added.
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_handle_msg_multik: done. msg=HS_NEW
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_trap_handler_multik: trap processing took 0.000808 seconds.
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_trap_handler_multik: called dlen 244, type 2
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] CptlUrlf::HandleTrap: _len 244 _instance =1
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] CptlUrlf::HandleTrap: not urlf ssl trap.
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_urlf_trap_cb: it is not ssl urlf trap.
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_trap_handler_multik: called from kernel instance 1.
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_handle_msg_multik: called. msg=HS_EVENT_HANDLER
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_handle_msg_multik: kernel_instance: 1
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_handle_msg_multik: conn_id: 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::handleMsg: kernel instance: 1
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::handleMsg: channel conn_id: 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::handleMsg: channel could not be found: 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_handle_msg_multik: handleMsg rc=-999
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::getErrorString: channel was deleted: 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_call_rl_end_psl: called, is_psl: 0
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_call_rl_end_psl: connID: : 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik: called with conn_id: 0x00000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik: will call instance: 1
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_send_ioctl_multik: fwioctl_multik succeeded
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::shutDown1Side: called. kernel instance: 1
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::shutDown1Side: conn_id: 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] removeChannel: not found, conn_id: 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_handle_msg_multik: done. msg=HS_EVENT_HANDLER
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptlsd_trap_handler_multik: trap processing took 0.000435 seconds.
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32] kmsg_read_local: 2 kmsgs handled

Nothing appears in the FW logs except the HTTPS connections, which are accepted. There is no indication of anything blocked or dropped.

Many thanks,

Michael

0 Kudos
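To make the two log excerpts in the post easier to compare, here is an added triage script (not part of the thread, and not a Check Point tool) that parses the client-side trac.log format and the gateway-side vpnd.elg format exactly as quoted above, pulls out the failure indicators (AuthError_t, the SSL failure text, the site-creation step result, and vpnd's startNewChannel error and orphaned connection IDs), and prints one finding per side. The sample lines are copied from the post; the regexes, field names and the function names parse_line, triage_trac, triage_vpnd and diagnose are my own assumptions about the format, not documented Check Point structure.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a subset of the client-side trac.log lines quoted in the post.
TRAC_LOG = """\
[ 7668 20200][3 May 13:53:23][cpwssl] cpWinSSL_fwasync_connected: SSL failure: not initialized.
[ 7668 20200][3 May 13:53:23][] fwasync_close: close(2492): Unknown Winsock error (10038)
[ 7668 20200][3 May 13:53:23][talkhttps] ATalkHttps::ssl_failure_cb: SSL ended. err=1
[ 7668 20200][3 May 13:53:23][TalkCCC] talkccc::EndEv: Failed to connect - AuthError_t==3
[ 7668 20200][3 May 13:53:23][String] String::String::Translate: String with id 28 has been translated to string: Site is not responding
[ 7668 20200][3 May 13:53:23][TR_FLOW_STEP] TR_FLOW_STEP::TrSiteCreationStep::Notify: Failed to receive hello reply
"""

# Constructed sample input: a subset of the gateway-side vpnd.elg lines quoted in the post.
VPND_ELG = """\
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_handle_msg_multik: called. msg=HS_NEW
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_hs_new_handler: client_conn_id: 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::startNewChannel: kernel_instance = 1, client_params_id = 0, server_params_id = 0, disable_http2 = 0
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::startNewChannel: invalid args
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_hs_new_handler: startNewChannel failed
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32][CPTLS] cptls_ChannelTable::handleMsg: channel could not be found: 0x0000000000000002
[vpnd 10134 4081866688]@JTIMSLABCP01[3 May 21:46:32] kmsg_read_local: 2 kmsgs handled
"""

# Assumed client trac.log shape: "[ pid tid][timestamp][module] message" (module may be empty).
TRAC_RE = re.compile(
    r"^\[\s*(?P<pid>\d+)\s+(?P<tid>\d+)\]\[(?P<ts>[^\]]*)\]\[(?P<module>[^\]]*)\]\s*(?P<msg>.*)$")
# Assumed gateway vpnd.elg shape: "[vpnd pid tid]@host[timestamp][module] message" (module optional).
VPND_RE = re.compile(
    r"^\[vpnd\s+(?P<pid>\d+)\s+(?P<tid>\d+)\]@(?P<host>[^\[]+)\[(?P<ts>[^\]]*)\]"
    r"(?:\[(?P<module>[^\]]*)\])?\s*(?P<msg>.*)$")


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one log line into named fields; None for lines in neither format."""
    m = VPND_RE.match(line)
    if m:
        return {"source": "vpnd", **m.groupdict()}
    m = TRAC_RE.match(line)
    if m:
        return {"source": "trac", "host": None, **m.groupdict()}
    return None


def triage_trac(text: str) -> Dict[str, object]:
    """Collect the client-side failure indicators from trac.log text."""
    found: Dict[str, object] = {"auth_error": None, "ssl_failure": None,
                                "user_message": None, "site_step_result": None}
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["source"] != "trac":
            continue
        msg = rec["msg"] or ""
        if (m := re.search(r"AuthError_t==(\d+)", msg)):
            found["auth_error"] = int(m.group(1))
        if (m := re.search(r"SSL failure: (.*?)\.?$", msg)):
            found["ssl_failure"] = m.group(1)
        if (m := re.search(r"translated to string: (.*)$", msg)):
            found["user_message"] = m.group(1)          # what the end user sees
        if (m := re.search(r"TrSiteCreationStep::Notify: (.*)$", msg)):
            found["site_step_result"] = m.group(1)      # which step gave up
    return found


def triage_vpnd(text: str) -> Dict[str, object]:
    """Collect the gateway-side TLS channel indicators from vpnd.elg text."""
    failed_ids: List[str] = []
    found: Dict[str, object] = {"handshake_seen": False, "channel_error": None,
                                "failed_conn_ids": failed_ids}
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["source"] != "vpnd":
            continue
        msg = rec["msg"] or ""
        if "msg=HS_NEW" in msg:                          # kernel handed vpnd a new handshake
            found["handshake_seen"] = True
        # The parameter dump line also starts with "startNewChannel:"; skip it.
        if (m := re.search(r"startNewChannel: (?!kernel_instance)(.*)$", msg)):
            found["channel_error"] = m.group(1)
        if (m := re.search(r"(?:could not be found|was deleted|not found, conn_id):\s*(0x[0-9a-fA-F]+)", msg)):
            if m.group(1) not in failed_ids:
                failed_ids.append(m.group(1))
    return found


def diagnose(trac: Dict[str, object], vpnd: Dict[str, object]) -> List[str]:
    """Turn both triage results into short findings for a runbook or a TAC case."""
    findings: List[str] = []
    if trac["site_step_result"] == "Failed to receive hello reply":
        findings.append(f"client: site creation stopped before the hello reply "
                        f"(AuthError_t=={trac['auth_error']}, SSL: {trac['ssl_failure']}); "
                        f"user sees '{trac['user_message']}'")
    if vpnd["handshake_seen"] and vpnd["channel_error"]:
        ids = ", ".join(vpnd["failed_conn_ids"]) or "n/a"  # type: ignore[arg-type]
        findings.append(f"gateway: vpnd received the handshake (HS_NEW) but startNewChannel "
                        f"failed with '{vpnd['channel_error']}'; channel(s) {ids} torn down")
    if len(findings) == 2:
        findings.append("both sides agree the gateway closes the TLS channel right after the "
                        "client hello; as the thread suggests, check the certificate the gateway presents next")
    return findings


if __name__ == "__main__":
    for finding in diagnose(triage_trac(TRAC_LOG), triage_vpnd(VPND_ELG)):
        print("-", finding)
```

Running it on the two excerpts prints three lines: the client-side summary, the gateway-side summary, and the correlation. Pointing TRAC_LOG and VPND_ELG at the full files instead of the constructed subsets works the same way, since lines the regexes do not recognise are skipped rather than raising.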
5 Replies
Michael_Horne
Advisor

Hello All,

I have tested this using VMs on my laptop and RAS VPN functions without issues in all the tested configurations (cluster + dedicated mgmt, gateway + dedicated mgmt, and standalone gateway). Only on the physical gateway is it not working. The only difference I can see is that when deploying the VMs, I go through the set-up configuration on the console to set the management IP, disk space etc. before doing the First Time Wizard. On the physical gateway I go straight from the reset to factory defaults to running the First Time Wizard.

Regards,

Michael

0 Kudos
_Val_
Admin

There is definitely a cert issue here. Try recreating a VPN certificate. Also, are you using IPsec VPN or Mobile Access blade? 

0 Kudos
Michael_Horne
Advisor

Hello,

I am using the IPsec Blade.

I have already tried renewing the VPN certificate using the process in Scenario 1 from sk128652: Troubleshooting "site is not responding" Issues:

Renew Certficate.png

0 Kudos
_Val_
Admin

The solution is about renewing CA certificate, actually, not just the VPN certificate. 

That said, I would suggest opening a TAC case.

0 Kudos
Michael_Horne
Advisor

Thanks for the clarification between internal CA and VPN cert. I will check.

0 Kudos