This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Peschke1
Explorer
‎2019-04-28 11:35 PM
Jump to solution

VPN Client disconnects after one hour

Hello,

I ran into a problem with remote access VPN.

The connection can be established successfully and the ressources are available, but exactly after one hour the client disconnects with the error message "Failed to renew encryption keys".

In ike.elg it looks like phase 2 is failing, but everything is fine at the initial connection.

I checked and changed several lease times and renegotiation times, the client still disconnects after one hour.

I already have a service request open since three weeks now with no solution.

Did anyone experience this before?

0 Kudos
1 Solution

Accepted Solutions
Volodymyr
Explorer
‎2020-04-17 02:33 AM
In response to yigiterol
Jump to solution

I had the same problem on R80.10 and then R80.30 gateway. It was solved today with TAC (SR 6-0001915434).

Needs to change the parameter on file $FWDIR/boot/modules/fwkern.conf:

natt_probe_do_in_kernel=0

View solution in original post

10 Replies
_Val_
Admin
Admin
‎2019-04-29 12:00 AM
Jump to solution

This is a classic case. Please make sure CRL on the Management is available through VPN or is not encrypted.

Daniel_Peschke1
Explorer
‎2019-04-29 03:14 AM
In response to _Val_
Jump to solution

How can I check these parameters? (I am kinda new to Check Point)

0 Kudos
Daniel_Peschke1
Explorer
‎2019-04-29 05:00 AM
In response to _Val_
Jump to solution

How do I check those parameters? (I'm kinda new to Check Point)
0 Kudos
Martin_Raska
Advisor
‎2019-04-29 09:16 AM
In response to Daniel_Peschke1
Jump to solution

Are you using certificates for authentication?

0 Kudos
Daniel_Peschke1
Explorer
‎2019-04-30 01:08 AM
In response to Martin_Raska
Jump to solution

There are no certificates for the clients, but a SSL certificate for the gateway. So the clients connect to the domain-name and not to the IP of the gateway. But I also tried to connect to the IP and got the same error.

For authentication I am using Identity Awareness with AD-Query and local configured users. The error occurs on both of them.

More information to the gateway - it's a stand-alone solution on R80.20 and Endpoint Security E80.92.

0 Kudos
Jeff_Gao
Advisor
‎2020-03-21 06:38 AM
In response to Daniel_Peschke1
Jump to solution

@Daniel_Peschke1. Did you find a solution fot this issue? i also have the same issue.
0 Kudos
Daniel_Peschke1
Explorer
‎2020-03-21 07:09 AM
In response to Jeff_Gao
Jump to solution

Hello,

 

It took me some days to notice, but we had a misconfigured NAT rule. A static NAT from gateway IP to a server in the DMZ.

0 Kudos
yigiterol
Explorer
‎2020-01-18 12:04 PM
Jump to solution

Hello,

 

Did you find a solution for this?

0 Kudos
Volodymyr
Explorer
‎2020-04-17 02:33 AM
In response to yigiterol
Jump to solution

I had the same problem on R80.10 and then R80.30 gateway. It was solved today with TAC (SR 6-0001915434).

Needs to change the parameter on file $FWDIR/boot/modules/fwkern.conf:

natt_probe_do_in_kernel=0

Per_Opel
Explorer
‎2020-10-28 02:01 AM
In response to Volodymyr
Jump to solution

Did you get any explanation on what this kernel attribut does? We're having the same issue with rekey started a few days ago (despite that nothing has changed regarding policy or fw-version). 

We're using 80.30 take 217.

Yesterday I rebooted the gateways and after that I executed fw ctl set int natt_probe_do_in_kernel 0 on one of the gateways (the active one).
Since then I don't have the issue with rekey but if it was the reboot or the kernel param update which solved remains to find out.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫