Solved: Re: VPN Licesning

Conor_Mulcahy · ‎2020-03-28

Hi, having an issue with people who are connected using endpoint clients with full office mode ip addresses, when people are working away on the VPN it disconnects the RDP session or whatever application is open, the VPN client for the most part seems to stay connected and the connectivity will recover after a minute or two.

I've ran script below on the management server and i can see 225 VPN licenses but there is now around 250 connecting at peak hours, it doesn't happen at non peak hours. CPU and memory is fine.

Is there anything logged to Smartconsole when you exceed your licencing for VPN. How can i prove this is or is not a licensing issue, my understanding was if you exceed the licensing limit your VPN client will not connect at all.

Have a TAC case open but just looking for other peoples opinions and experience with this?

Thanks

printf '%.s-' {1..78};echo;echo 'Remote Access VPN License Summary';printf '%.s-' {1..78};echo;echo -n 'Secure Client licenses on SMS (CPVP-VSC-5-NGX-XXX) : '; cplic print |grep never | grep -o -E 'CPVP-VSC-5-NGX\+.*' |sed 's/CPVP-VSC-5-NGX+//g' |awk '{ total = total + $1 } END { print total }';echo -n 'Secure Client licenses on SMS (CPVP-VSC-XXX-NGX) : '; cplic print |grep never |grep -v 'CPVP-VSC-5-NGX\+' |grep -o -E 'CPVP-VSC-.*NGX' | sed 's/CPVP-VSC-//g' | sed 's/-NGX//g' | awk '{ total = total + $1 } END { print total }'; echo -n 'SNX (not MOB) licenses on SMS (CPVP-SNX-XXX-NGX) : '; cplic print |grep never | grep SNX | sed 's/.*\sCPVP\-SNX\-//' | sed 's/\-NGX.*//' |awk '{ total2 = total2 + $1 } END { print total2 }';echo -n 'Mobile Access Blade licenses on SMS (CPSB-SSLVPN-XXX) : ';cplic print |grep never | grep SSLVPN | sed 's/.*\sCPSB\-SSLVPN\-//' | awk '{ total3 = total3 + $1 } END { print total3 }';printf '%.s-' {1..78};echo;
------------------------------------------------------------------------------
Remote Access VPN License Summary
------------------------------------------------------------------------------
Secure Client licenses on SMS (CPVP-VSC-5-NGX-XXX) : 200
Secure Client licenses on SMS (CPVP-VSC-XXX-NGX) : 25
SNX (not MOB) licenses on SMS (CPVP-SNX-XXX-NGX) :
Mobile Access Blade licenses on SMS (CPSB-SSLVPN-XXX) : 5
------------------------------------------------------------------------------

HeikoAnkenbrand · ‎2020-03-28

Hi @Conor_Mulcahy

The oneliner ( One-liner for Remote Access VPN License Summary) you copied is from me. It is the previous version of a more comprehensive script. Here you can find the newer version, which also shows the current numbers of connections from the gateway:
R80.x - Mobile User License Tool - replaced "dtps lic"

If you want to see all licenses of the Endpoint Security VPN Client old Secure Client, you must add up the following licenses:

CPVP-VSC-5-NGX-xxx
CPVP-VSC-xxx-NGX

"fw tab -t userc_users -s" shows you the used licenses on the gateway.

Regards
Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

Timothy_Hall · ‎2020-03-28

The quickest and easiest way to confirm if it is a license limit issue is to apply a 30-day eval license and see if the behavior goes away. Your Check Point reseller/partner should be able to get you an unlimited 30-day eval license. In my experience when license limits are exceeded it will usually be logged somewhere, but often in some obscure log file somewhere on the gateway.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Conor_Mulcahy · ‎2020-03-28

Thanks good idea, pity there is no easy to access log on this one. The 30 day eval gives you unlimited VPN users? Have access to Usercenter so can do that one myself.

Timothy_Hall · ‎2020-03-28

Yes unlimited users (or "sufficiently" high like 5000 users for some features), here is what an "All-in-One" 30-day eval has in it:

For the SmartCenter:
CPSM-C-U CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-PRVS CPSB-UDIR CPSB-WKFL-100 CPSB-WS CPSB-MPTL CPVP-SNX-U-NGX CPSB-SWB CPSB-ADNC-M CPSB-RPRT-U CPSB-EVCR-U CPSB-SSLVPN-MOBMAIL+5000 CPSB-COMP-150
For the Firewall:
CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Conor_Mulcahy · ‎2020-03-28

Cheers I will try that Monday, have your book by the way, it's essential if your working with Checkpoint.

PhoneBoy · ‎2020-03-28

If you're having a license issue, end users should notice errors about Office Mode IPs.
Also when you're looking at various log files, you will see messages that refer to Office Mode and not having enough Office Mode IPs or similar.

Conor_Mulcahy · ‎2020-03-28

Thanks, when you say log files do you mean in smartlog or where will I see them?

PhoneBoy · ‎2020-03-28

I believe they will show in SmartLog and likely $FWDIR/log/vpnd.elg

Conor_Mulcahy · ‎2020-03-28

That's great I'll check both places, cheers for the help on this.

Fraol14 · ‎2022-11-01

which license should be fixed for this issue (Office Mode and not having enough Office Mode IPs)?

PhoneBoy · ‎2022-11-01

There are three types of licensing that impact the number of Office Mode IPs:

Mobile Access Blade (CPSB-MOB-x)
Harmony Endpoint licenses (CP-HAR-EP-x)
Legacy ACCESS SKUs (CPEP-ACCESS-x)

Note this is in terms of current SKUs, legacy SKUs also impact this.

Fraol14 · ‎2022-11-02

This issue is occurring when more than 15 remote VPN users are connected simultaneously.

PhoneBoy · ‎2022-11-03

By default, your gateway include a license for 5 concurrent Remote Access users (CPSB-SSLVPN-5 in the license string).
The fact the gateway is allowing 15 concurrent users might be considered a bug.
In any case, you will need to purchase an additional license to support more concurrent users.
For Office Mode support, you need one of three things:

Harmony Endpoint licensing (includes Remote Access)
Mobile Access Blade (can be purchased for 50 users, 200 users, or unlimited)
CPEP-ACCESS-x (hidden SKU that includes Endpoint Firewall and Compliance, required for Mac VPN users not using SNX)

Please contact your Check Point partner for more information.

HeikoAnkenbrand · ‎2020-03-28

Hi @Conor_Mulcahy

The oneliner ( One-liner for Remote Access VPN License Summary) you copied is from me. It is the previous version of a more comprehensive script. Here you can find the newer version, which also shows the current numbers of connections from the gateway:
R80.x - Mobile User License Tool - replaced "dtps lic"

If you want to see all licenses of the Endpoint Security VPN Client old Secure Client, you must add up the following licenses:

CPVP-VSC-5-NGX-xxx
CPVP-VSC-xxx-NGX

"fw tab -t userc_users -s" shows you the used licenses on the gateway.

Regards
Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Conor_Mulcahy · ‎2020-03-28

Thanks for that, that gives them 225 but there was 260 connected the other day.

People were getting disconnected at times but were not getting denied an IP from office mode.

I will check again on Monday with your script, thanks.

HeikoAnkenbrand · ‎2020-03-29

The table "userc_users" can be different from "om_assigned_ips". Therefore there may be more entries.

It is also possible that you have an unlimited license.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Conor_Mulcahy · ‎2020-03-29

Wouldn't even the one script bring back that info if there was an unlimited lic?

PhoneBoy · ‎2020-03-29

The script should work either way.
Also the tables should return results if users are connected regardless of your license.

Conor_Mulcahy · ‎2020-03-29

Sorry what do mean by tables, is this in script or is it somewhere else I can look?

PhoneBoy · ‎2020-03-29

Any fw tab command is giving you output related to tables we maintain during runtime.
The scripts referred to in this thread are, in part, getting information from these same tables.

Are you a member of CheckMates?

VPN Licesning