This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dmitri_Rashal
Explorer
‎2018-12-03 10:41 AM

Unable to create any VPN site from Windows 10 Home

Dear all!

I'm trying to connect to some corporate VPN from my Windows 10 Home (1803) machine. For connection I use CheckPoint Mobile 80.85. I would like to point out that I'm an outsourcer and I have no idea what is VPN server configuration, I just've got an instruction from some company. I'm an IT guy but not a specialist in VPNs, network, security. So I'm unable to connect to this VPN from any Windows 10 Home machine. When I try to create a new site in client I've getting an error: Failed to create new site. Site is not responding. This problem persists on any Windows 10 Home machine which I've tried (I've tried 3). But I can connect perfectly to this VPN from Windows 7 Home or Windows 10 Pro.

The most interesting part of log is below:

[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_mux_in: 2088: rc=0, next: 138736c with 0, req: 1024r, 0w
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_mux_in: 2088: handler closed connection
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_end_conn: scheduling the end of connection 2088
[ 3896 4356][2 Dec 16:23:05][tevent] T_event_do_del: marking for deletion socket/type: 2088/0
[ 3896 4356][2 Dec 16:23:05][tevent] T_event_do_del: marking for deletion socket/type: 2088/1
[ 3896 4356][2 Dec 16:23:05][tevent] T_event_do_del: marking for deletion socket/type: 2088/0
[ 3896 4356][2 Dec 16:23:05][] T_event_do_del: failed to remove WSAsocket event
[ 3896 4356][2 Dec 16:23:05][tevent] T_event_do_del: marking for deletion socket/type: 2088/2
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_mux_out: 1924: sent 0 of 143 bytes == 143 bytes to send
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_mux_out: 1924: managed to send 143 of 143 bytes
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_mux_out: 1924: call: 11eeed1 with 1
[ 3896 4356][2 Dec 16:23:05][cpwssl] cpWinSSL_fwasync_NegotiateHandler: state_read.
[ 3896 4356][2 Dec 16:23:05][] fwasync_conn_get: get max buffer size (1048576) .
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_mux_out: 1924: rc=1, next: 11eeed1 with 1, req: 65536r, 0w
[ 3896 4356][2 Dec 16:23:05][] fwasync_connbuf_realloc: reallocating 0 from 0 to 66560
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_end_conn: closing connection 2088 (conn=33bb330)
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_end_conn: Removing connection 2088 from proxy's connection store(conn=33bb330)
[ 3896 4356][2 Dec 16:23:05][proxy_wrapper] ProxyWrapper::NotifyEndConnection (3): Starting ...
[ 3896 4356][2 Dec 16:23:05][TR_FIREWALL] CFirewallWrapper::RemoveSingleProxyRule (1): entering... my_addr:0, my_port:29634, peer_addr:0, peer_port:0
[ 3896 4356][2 Dec 16:23:05][] CFirewallWrapper::RemoveSingleProxyRule (1): ntohl(my_addr),ntohs(my_port),ntohl(peer_addr),ntohs(peer_port) : <0,49779> -> <0,0>
[ 3896 4356][2 Dec 16:23:05][TR_FIREWALL] CFirewallWrapper::RemoveSingleProxyRule (2): entering, src_ip_str=0.0.0.0, src_port=49779, dest_ip_str=0.0.0.0, dest_port=0
[ 3896 4356][2 Dec 16:23:05][TR_FIREWALL] CFirewallWrapper::RemoveSingleProxyRule (2): Firewall Driver Not Initialized
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_end_conn: end closing connection 33bb330 2088
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_mux_in: 1924: got 0 of 65536 bytes == 65536 bytes required
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_mux_in: 1924: managed to read 1761 of 65536 bytes
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_mux_in: 1924: call: 11eeed1 with 1
[ 3896 4356][2 Dec 16:23:05][cpwssl] cpWinSSL_fwasync_NegotiateHandler: state_afterRead.
[ 3896 4356][2 Dec 16:23:05][cpwssl] cpWinSSL_fwasync_NegotiateHandler: Got 1761 negotiation bytes from peer.
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_conn_reset_read: 1924
[ 3896 4356][2 Dec 16:23:05][RunAs] SCRunAsInit: start...
[ 3896 4356][2 Dec 16:23:05][RunAs] SCRunAsInit: already initialized
[ 3896 4356][2 Dec 16:23:05][RunAs] SCRunAsInit: Ended
[ 3896 4356][2 Dec 16:23:05][RunAs] StartRunAsUser : calling StartRunAsUser_ex with default params
[ 3896 4356][2 Dec 16:23:05][RunAs] GetProcessIdFromName: Locating PID for explorer.exe
[ 3896 4356][2 Dec 16:23:05][RunAs] GetProcessIdFromName: Located PID 5524 for process
[ 3896 4356][2 Dec 16:23:05][RunAs] GetProcessIdFromName: Ended
[ 3896 4356][2 Dec 16:23:05][RunAs] GetCurrentShellProcessId: Current shell located as explorer.exe, process 5524
[ 3896 4356][2 Dec 16:23:05][RunAs] GetCurrentShellProcessId: Ended
[ 3896 4356][2 Dec 16:23:05][RunAs] GetSecurityContextInformation: Opening shell process
[ 3896 4356][2 Dec 16:23:05][RunAs] GetSecurityContextInformation: Opening shell process token
[ 3896 4356][2 Dec 16:23:05][RunAs] GetSecurityContextInformation: Duplicating shell process token
[ 3896 4356][2 Dec 16:23:05][RunAs] GetSecurityContextInformation: Creating environblock
[ 3896 4356][2 Dec 16:23:05][RunAs] GetSecurityContextInformation: Ended
[ 3896 4356][2 Dec 16:23:05][RunAs] StartRunAsUser_ex: return (0)

[ 3896 4356][2 Dec 16:23:05][wssl] ClientBufferedNeg: InitializeSecurityContextA returned SEC_E_INVALID_TOKEN
[ 3896 4356][2 Dec 16:23:05][wssl] ClientBufferedNeg: Error 0x80090308 returned by InitializeSecurityContext (2)
[ 3896 4356][2 Dec 16:23:05][wssl] ClientBufferedNeg: the error returned is the token supplied to the function is invalid

[ 3896 4356][2 Dec 16:23:05][RunAs] StopRunAsUser : calling StopRunAsUser_ex with default params
[ 3896 4356][2 Dec 16:23:05][RunAs] FreeSecurityContextInformation: Ended
[ 3896 4356][2 Dec 16:23:05][RunAs] StopRunAsUser_ex: return (0)
[ 3896 4356][2 Dec 16:23:05][cpwssl] cpWinSSL_fwasync_NegotiateHandler: ClientBufferedNeg returned with error.
[ 3896 4356][2 Dec 16:23:05][talkssl] error_handler_for_winssl: SSL negotiation error.-the token supplied to the function is invalid

[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_mux_in: 1924: rc=-1, next: 11eeed1 with 1, req: 65536r, 0w
[ 3896 4356][2 Dec 16:23:05][] fwasync_do_mux_in: 1924: handler returned with error
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_end_conn: scheduling the end of connection 1924
[ 3896 4356][2 Dec 16:23:05][tevent] T_event_do_del: marking for deletion socket/type: 1924/0
[ 3896 4356][2 Dec 16:23:05][tevent] T_event_do_del: marking for deletion socket/type: 1924/1
[ 3896 4356][2 Dec 16:23:05][tevent] T_event_do_del: marking for deletion socket/type: 1924/0
[ 3896 4356][2 Dec 16:23:05][] T_event_do_del: failed to remove WSAsocket event: The parameter is incorrect.
[ 3896 4356][2 Dec 16:23:05][tevent] T_event_do_del: marking for deletion socket/type: 1924/2
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_end_conn: closing connection 1924 (conn=2a1eee8)
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_end_conn: Removing connection 1924 from proxy's connection store(conn=2a1eee8)
[ 3896 4356][2 Dec 16:23:05][proxy_wrapper] ProxyWrapper::NotifyEndConnection (3): Starting ...
[ 3896 4356][2 Dec 16:23:05][TR_FIREWALL] CFirewallWrapper::RemoveSingleProxyRule (1): entering... my_addr:0, my_port:29890, peer_addr:0, peer_port:0
[ 3896 4356][2 Dec 16:23:05][] CFirewallWrapper::RemoveSingleProxyRule (1): ntohl(my_addr),ntohs(my_port),ntohl(peer_addr),ntohs(peer_port) : <0,49780> -> <0,0>
[ 3896 4356][2 Dec 16:23:05][TR_FIREWALL] CFirewallWrapper::RemoveSingleProxyRule (2): entering, src_ip_str=0.0.0.0, src_port=49780, dest_ip_str=0.0.0.0, dest_port=0
[ 3896 4356][2 Dec 16:23:05][TR_FIREWALL] CFirewallWrapper::RemoveSingleProxyRule (2): Firewall Driver Not Initialized
[ 3896 4356][2 Dec 16:23:05][cpwssl] cpWinSSL_fwasync_end_handler: 0x2A1EEE8 ended
[ 3896 4356][2 Dec 16:23:05][cpwssl] cpWinSSL_fwasync_connected: SSL failure: SSL negotiation error.
[ 3896 4356][2 Dec 16:23:05][cpwssl] cpWinSSL_fwasync_close: closing - conn - 0x2a1eee8
[ 3896 4356][2 Dec 16:23:05][] fwasync_close: close(1924): Unknown Winsock error (10038)
[ 3896 4356][2 Dec 16:23:05][talkssl] talkssl::end_handler: ending connection
[ 3896 4356][2 Dec 16:23:05][talkhttps] ATalkHttps::ssl_failure_cb: SSL ended. err=6
[ 3896 4356][2 Dec 16:23:05][talkhttps] ResetRcvBuffer: data 00000000 size 0  free_buffer=1.
[ 3896 4356][2 Dec 16:23:05][TalkCCC] talkccc::EndEv: got disconnected with AuthError_t==7.
[ 3896 4356][2 Dec 16:23:05][TalkCCC] talkccc::EndEv: connection status 1
[ 3896 4356][2 Dec 16:23:05][TalkCCC] talkccc::EndEv: Failed to connect - AuthError_t==7
[ 3896 4356][2 Dec 16:23:05][TalkCCC] talkccc::EndEv: event callback is registered. Notifying it
[ 3896 4356][2 Dec 16:23:05][TR_FLOW_STEP] TR_FLOW_STEP::TrSiteCreationStep::AuthFailureEv: entering...
[ 3896 4356][2 Dec 16:23:05][TR_CONN_MANAGER] TrConnManager::GetSCUIAPIMode: mbSCUIAPIMode is 0
[ 3896 4356][2 Dec 16:23:05][String] String::String::Translate: String with id 28 has been translated to string: Site is not responding
[ 3896 4356][2 Dec 16:23:05][TR_FLOW_STEP] TR_FLOW_STEP::TrSiteCreationStep::Notify: Failed to receive hello reply
[ 3896 4356][2 Dec 16:23:05][auth_server]  AAuthServer::Stop Stopping Authentication
[ 3896 4356][2 Dec 16:23:05][talkhttps] ATalkHttps::CloseConn: Close SSL conn: 0 State 0x6 Reason: Termination.
[ 3896 4356][2 Dec 16:23:05][talkssl] talkssl::disconnect: called
[ 3896 4356][2 Dec 16:23:05][talkssl] talkssl::disconnect: Cancel proxy wrapper connect
[ 3896 4356][2 Dec 16:23:05][proxy_wrapper] ProxyWrapper::ResetCallbacks: Starting ...
[ 3896 4356][2 Dec 16:23:05][proxy_wrapper] ProxyWrapper::ResetCallbacks: Invalid proxy conn
[ 3896 4356][2 Dec 16:23:05][proxy_wrapper] ProxyWrapper::CloseProxyConn: Starting ...
[ 3896 4356][2 Dec 16:23:05][proxy_wrapper] ProxyWrapper::CloseProxyConn: Invalid proxy conn
[ 3896 4356][2 Dec 16:23:05][MessageLoop] MessageLoop::MessageLoop::SchedCB: entering.
[ 3896 4356][2 Dec 16:23:05][TalkCCC] talkccc::RetryAllRequests: exit!
[ 3896 4356][2 Dec 16:23:05][fwasync] fwasync_do_end_conn: end closing connection 2a1eee8 1924
[ 3896 4356][2 Dec 16:23:05][TR_FLOW] TR_FLOW::TrBaseFlow::FinishStep: <------------------------------------- (1) Step 1 (class TrSiteCreationStep) finished with status -1000 - TrFAIL
[ 3896 4356][2 Dec 16:23:05][TR_FLOW] TR_FLOW::TrBaseFlow::FinishStep: Step failed

As you can see there is an initial fail of WinApi function InitializeSecurityContextA and then a cascade failure of the software.

Does anybody have any clue? I've tried to play with build in firewall, certificates, older versions of CheckPoint but nothing helped. I would appreciate any help.

Regards, Dmitri

wsh.pcapng.zip
0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2018-12-03 10:50 AM

This is probably something that the remote end will have to fix.

See: VPN Site creation on a Client fails due to mismatch in versions of TLS protocol 

0 Kudos
Dmitri_Rashal
Explorer
‎2018-12-03 11:02 AM
In response to PhoneBoy

Thank you for replay.

But I've used the same client software version everywhere (Win 7, Win10 Pro, Win10 Home). It doesn't work in 10 Home only.

Anyway I have no access to server side and I'm unable to check protocol version...

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-03 11:22 AM
In response to Dmitri_Rashal

Not sure why Win 10 Home makes a difference, but a difference in allowed TLS versions is exactly what the symptoms point to.

Specifically these errors:

[ 3896 4356][2 Dec 16:23:05][cpwssl] cpWinSSL_fwasync_connected: SSL failure: SSL negotiation error.
[ 3896 4356][2 Dec 16:23:05][cpwssl] cpWinSSL_fwasync_close: closing - conn - 0x2a1eee8
[ 3896 4356][2 Dec 16:23:05][] fwasync_close: close(1924): Unknown Winsock error (10038)

I believe what TLS versions are offered is a function of the Windows OS itself.

What is accepted on the server side is a function of the remote end.

If you use Wireshark or similar to observe the communication between the endpoints, you should see this difference.

How to fix it? Not sure, but I believe there are registry settings you can tweak in the Windows OS.

What you will tweak them to will depend on what you observe with Wireshark.

0 Kudos
Dmitri_Rashal
Explorer
‎2018-12-03 12:39 PM
In response to PhoneBoy

I've run a WireShark. From the capture I can see that Client & Server use TLS 1.2, server hello is ok but then...

WireShark capture

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-03 12:55 PM
In response to Dmitri_Rashal

Possible this will help: Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings - Microsoft Community 

Am curious what the difference in setting between Win 10 Pro and Win 10 Home.

0 Kudos
Dmitri_Rashal
Explorer
‎2018-12-04 08:20 AM
In response to PhoneBoy

Ha, this stuff I did at first... Even had to install IE because only Edge was present. TLS was on. Didn't help.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-04 12:03 PM
In response to Dmitri_Rashal

Expand the Client Hello and Server Hello packets in the screenshot.

Perhaps we can see some clue what's missing in the TLS negotiation.

0 Kudos
Dmitri_Rashal
Explorer
‎2018-12-05 09:40 AM
In response to PhoneBoy

Hi,

thank you for your time.

I've attached a WireShark captured TLS hello packets in pcapng format.

0 Kudos
Adi_Babai
Employee
Employee
‎2018-12-09 12:49 AM

Hi,

Please make sure that all latest Windows KBs are installed.

Thanks,

Adi

0 Kudos
Dmitri_Rashal
Explorer
‎2018-12-11 09:08 AM
In response to Adi_Babai

Hi,

yes they are. Everything latest is installed.

Today have tried to connect from Ubuntu 14.04 with snx 800007075. Got the same error - connection aborted.

The log is:

[ 1810 -147986688]@peso.ab.lv[11 Dec 19:04:42] fwrand_write_seed: Failed to write seed.: Operation not permitted
[ 1810 -147986688]@peso.ab.lv[11 Dec 19:04:42] ckpSSL_NegotiateStep: should retry.
[ 1810 -147986688]@peso.ab.lv[11 Dec 19:04:42] ckpSSL_NegotiateStep: current state = SSLv3 read server hello A
[ 1810 -147986688]@peso.ab.lv[11 Dec 19:04:42] SSL e stack
[ 1810 -147986688]@peso.ab.lv[11 Dec 19:04:42] 1810:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1033

[ 1810 -147986688]@peso.ab.lv[11 Dec 19:04:42] ckpSSL_NegotiateStep: Current step failed. Error is: 336151598

0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2019-01-05 11:09 AM

There is new version (E80.90) which supports W10 build 1803:

Enterprise Endpoint Security E80.90 Windows Clients 

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events