VPN Client disconnects after one hour

Hello,

I ran into a problem with remote access VPN.

The connection can be established successfully and the resources are available, but exactly after one hour the client disconnects with the error message "Failed to renew encryption keys".

In ike.elg it looks like phase 2 is failing, but everything is fine at the initial connection.

I checked and changed several lease times and renegotiation times, the client still disconnects after one hour.

I have had a service request open for three weeks now, with no solution.

Did anyone experience this before?

Accepted Solutions
Explorer

I had the same problem on an R80.10 and then an R80.30 gateway. It was solved today with TAC (SR 6-0001915434).

The following parameter needs to be changed in the file $FWDIR/boot/modules/fwkern.conf:

natt_probe_do_in_kernel=0
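
One way to apply the parameter change from the accepted solution so that it can be repeated safely, as an added example that is not part of the original post and is not Check Point's own tooling. The function name set_kernel_param and its "changed"/"unchanged" output are assumptions of this example; it keeps a timestamped backup and leaves exactly one clean assignment of the parameter.

```shell
#!/bin/sh
# Added example (not from the thread): set NAME=VALUE in a fwkern.conf-style file.
# Usage on the gateway, in expert mode (path and parameter taken from the post above):
#   set_kernel_param "$FWDIR/boot/modules/fwkern.conf" natt_probe_do_in_kernel 0
# Prints "changed" or "unchanged"; returns 2 on an I/O error.
set_kernel_param() {
    file=$1 name=$2 value=$3
    want="${name}=${value}"
    # Matches any assignment of NAME, including ones with stray spaces.
    any="^[[:space:]]*${name}[[:space:]]*="

    # Create the file if it does not exist yet.
    [ -e "$file" ] || : > "$file" || return 2

    # Exactly one assignment and it is already the wanted line: nothing to do.
    if [ "$(grep -c "$any" "$file")" = 1 ] && grep -qx "$want" "$file"; then
        echo unchanged
        return 0
    fi

    # Keep a timestamped backup before touching the file.
    cp -p "$file" "${file}.bak.$(date +%Y%m%d%H%M%S)" || return 2

    # Drop every existing assignment of NAME, then append one clean line.
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    tmp="${file}.tmp.$$"
    grep -v "$any" "$file" > "$tmp" || [ $? -eq 1 ] || return 2
    printf '%s\n' "$want" >> "$tmp" || return 2

    # Write back in place so the original owner and mode are preserved.
    cat "$tmp" > "$file" || return 2
    rm -f "$tmp"
    echo changed
}
```

fwkern.conf is read when the gateway boots, so a value written this way applies after the next reboot.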

9 Replies
Admin

This is a classic case. Please make sure CRL on the Management is available through VPN or is not encrypted.

How can I check these parameters? (I am kinda new to Check Point)

How do I check those parameters? (I'm kinda new to Check Point)
Advisor

Are you using certificates for authentication?

There are no certificates for the clients, but an SSL certificate for the gateway. So the clients connect to the domain name and not to the IP of the gateway. But I also tried to connect to the IP and got the same error.

For authentication I am using Identity Awareness with AD-Query and locally configured users. The error occurs on both of them.

More information about the gateway - it's a stand-alone solution on R80.20 and Endpoint Security E80.92.

Advisor
@Daniel_Peschke1. Did you find a solution for this issue? I also have the same issue.

Hello,

It took me some days to notice, but we had a misconfigured NAT rule. A static NAT from gateway IP to a server in the DMZ.

Explorer

Hello,

Did you find a solution for this?
