VPN Licensing


Hi, I'm having an issue with people who are connected using endpoint clients with full Office Mode IP addresses. When people are working away on the VPN, it disconnects the RDP session or whatever application is open; the VPN client for the most part seems to stay connected, and the connectivity recovers after a minute or two.

I've run the script below on the management server and I can see 225 VPN licenses, but there are now around 250 connecting at peak hours; it doesn't happen at non-peak hours. CPU and memory are fine.

Is there anything logged to SmartConsole when you exceed your licensing for VPN? How can I prove this is or is not a licensing issue? My understanding was that if you exceed the licensing limit, your VPN client will not connect at all.

I have a TAC case open but am just looking for other people's opinions and experience with this.

Thanks

 

#!/bin/bash
# Remote Access VPN License Summary (run on the management server).
# Each block sums the user count embedded in the SKU of every license that
# "cplic print" lists with expiration "never".
sum() { awk '{ total += $1 } END { print total + 0 }'; }  # "+ 0" prints 0 instead of a blank line when nothing matched
rule() { printf '%.s-' {1..78}; echo; }

rule; echo 'Remote Access VPN License Summary'; rule
echo -n 'Secure Client licenses on SMS (CPVP-VSC-5-NGX-XXX) : '
cplic print | grep never | grep -o -E 'CPVP-VSC-5-NGX\+.*' | sed 's/CPVP-VSC-5-NGX+//g' | sum
echo -n 'Secure Client licenses on SMS (CPVP-VSC-XXX-NGX) : '
cplic print | grep never | grep -v 'CPVP-VSC-5-NGX+' | grep -o -E 'CPVP-VSC-.*NGX' | sed 's/CPVP-VSC-//g; s/-NGX//g' | sum
echo -n 'SNX (not MOB) licenses on SMS (CPVP-SNX-XXX-NGX) : '
cplic print | grep never | grep SNX | sed 's/.*\sCPVP-SNX-//; s/-NGX.*//' | sum
echo -n 'Mobile Access Blade licenses on SMS (CPSB-SSLVPN-XXX) : '
cplic print | grep never | grep SSLVPN | sed 's/.*\sCPSB-SSLVPN-//' | sum
rule
------------------------------------------------------------------------------
Remote Access VPN License Summary
------------------------------------------------------------------------------
Secure Client licenses on SMS (CPVP-VSC-5-NGX-XXX) : 200
Secure Client licenses on SMS (CPVP-VSC-XXX-NGX) : 25
SNX (not MOB) licenses on SMS (CPVP-SNX-XXX-NGX) :
Mobile Access Blade licenses on SMS (CPSB-SSLVPN-XXX) : 5
------------------------------------------------------------------------------

Accepted Solutions

Hi @Conor_Mulcahy 

The one-liner (One-liner for Remote Access VPN License Summary) you copied is from me. It is the previous version of a more comprehensive script. Here you can find the newer version, which also shows the current number of connections from the gateway:
R80.x - Mobile User License Tool - replaced "dtps lic"

If you want to see all licenses of the Endpoint Security VPN Client (old Secure Client), you must add up the following licenses:

CPVP-VSC-5-NGX-xxx
CPVP-VSC-xxx-NGX

"fw tab -t userc_users -s" shows you the used licenses on the gateway.

Regards
Heiko

15 Replies

The quickest and easiest way to confirm if it is a license limit issue is to apply a 30-day eval license and see if the behavior goes away.  Your Check Point reseller/partner should be able to get you an unlimited 30-day eval license.  In my experience when license limits are exceeded it will usually be logged somewhere, but often in some obscure log file somewhere on the gateway.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

Thanks, good idea; pity there is no easy-to-access log on this one. The 30-day eval gives you unlimited VPN users? I have access to UserCenter, so I can do that one myself.


Yes, unlimited users (or "sufficiently" high, like 5000 users for some features); here is what an "All-in-One" 30-day eval has in it:

  • For the SmartCenter:
    CPSM-C-U CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-PRVS CPSB-UDIR CPSB-WKFL-100 CPSB-WS CPSB-MPTL  CPVP-SNX-U-NGX  CPSB-SWB CPSB-ADNC-M CPSB-RPRT-U CPSB-EVCR-U  CPSB-SSLVPN-MOBMAIL+5000  CPSB-COMP-150

  • For the Firewall:
    CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP  CPSB-SSLVPN-U  CPSB-IA CPSB-ADNC CPSG-VSX-25S  CPSB-SWB  CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT

Cheers, I will try that Monday. I have your book by the way; it's essential if you're working with Check Point.

Admin
If you're having a license issue, end users should notice errors about Office Mode IPs.
Also when you're looking at various log files, you will see messages that refer to Office Mode and not having enough Office Mode IPs or similar.

Thanks, when you say log files, do you mean in SmartLog, or where will I see them?

Admin
I believe they will show in SmartLog and likely $FWDIR/log/vpnd.elg

That's great, I'll check both places; cheers for the help on this.


Thanks for that; that gives them 225, but there were 260 connected the other day.

People were getting disconnected at times but were not getting denied an IP from office mode.

I will check again on Monday with your script, thanks.


The table "userc_users" can be different from "om_assigned_ips". Therefore there may be more entries.

It is also possible that you have an unlimited license.
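A small check, added here as an example and not Heiko's tool or any Check Point code, that ties the two points above together: it sums the CPVP-VSC SKU counts the way the one-liner does and compares them with the #VALS/#PEAK columns of both tables mentioned. The function names and the sample command output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Heiko's tool or Check Point code): compare the licensed
# Remote Access user count from "cplic print" with the live counts that
# "fw tab -t userc_users -s" and "fw tab -t om_assigned_ips -s" report.
# Function names are hypothetical; the samples are constructed, not real.

# Sum the two Endpoint Security VPN client SKU families Heiko says to add up,
# CPVP-VSC-5-NGX+N and CPVP-VSC-N-NGX, from cplic print text on stdin.
# Only non-expiring ("never") lines count, as in the one-liner.
ra_licensed_users() {
    awk '/never/ { for (i = 1; i <= NF; i++) {
            if ($i ~ /^CPVP-VSC-5-NGX[+][0-9]+$/)      { split($i, a, "+"); total += a[2] }
            else if ($i ~ /^CPVP-VSC-[0-9]+-NGX$/)     { split($i, a, "-"); total += a[3] }
        } }
        END { print total + 0 }'   # "+ 0" prints 0 rather than a blank when nothing matched
}

# Read one "fw tab -t <table> -s" output on stdin and print "#VALS #PEAK":
# current entries and the peak seen since the table was created.
fw_tab_counts() {
    awk 'NR > 1 && NF >= 5 { print $4, $5 }'
}

# Return 0 while the peak stayed below the licensed count, 1 once it reached it.
capacity_ok() {   # args: licensed peak
    [ "$2" -lt "$1" ]
}

# Constructed samples shaped like the real command output.
SAMPLE_CPLIC='Host             Expiration  Features
192.0.2.10       never       CPSB-VPN CPVP-VSC-5-NGX+200 CK-EXAMPLE1
192.0.2.10       never       CPVP-VSC-25-NGX CPSB-SSLVPN-5 CK-EXAMPLE2
192.0.2.10       01Jan2019   CPVP-VSC-50-NGX CK-EXAMPLE3'
SAMPLE_USERC='HOST        NAME             ID  #VALS  #PEAK  #SLINKS
localhost   userc_users    8164    248    263        0'
SAMPLE_OM='HOST        NAME             ID  #VALS  #PEAK  #SLINKS
localhost   om_assigned_ips 8177    231    240        0'

# On a real system replace the printf pipes with the commands themselves,
# e.g. cplic print | ra_licensed_users, fw tab -t userc_users -s | fw_tab_counts.
licensed=$(printf '%s\n' "$SAMPLE_CPLIC" | ra_licensed_users)
set -- $(printf '%s\n' "$SAMPLE_USERC" | fw_tab_counts); userc_vals=$1; userc_peak=$2
set -- $(printf '%s\n' "$SAMPLE_OM" | fw_tab_counts);    om_vals=$1;    om_peak=$2
echo "licensed=$licensed userc_users=$userc_vals (peak $userc_peak) om_assigned_ips=$om_vals (peak $om_peak)"
capacity_ok "$licensed" "$userc_peak" || echo "WARNING: userc_users peak reached the licensed count"
```

Because userc_users can hold more entries than om_assigned_ips, the script reports both rather than treating either one alone as the license consumption.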

 

 


Wouldn't even the one script bring back that info if there was an unlimited license?

Admin
The script should work either way.
Also the tables should return results if users are connected regardless of your license.

Sorry, what do you mean by tables? Is this in the script, or is it somewhere else I can look?

Admin
Any fw tab command is giving you output related to tables we maintain during runtime.
The scripts referred to in this thread are, in part, getting information from these same tables.