Conor_Mulcahy
Contributor

VPN Licensing

Hi, I'm having an issue with people who are connected using endpoint clients with full Office Mode IP addresses: when people are working away on the VPN it disconnects the RDP session or whatever application is open. The VPN client for the most part seems to stay connected and the connectivity will recover after a minute or two.

I've run the script below on the management server and I can see 225 VPN licenses, but there are now around 250 connecting at peak hours; it doesn't happen at non-peak hours. CPU and memory are fine.

Is there anything logged to SmartConsole when you exceed your licensing for VPN? How can I prove this is or is not a licensing issue? My understanding was that if you exceed the licensing limit your VPN client will not connect at all.

Have a TAC case open but just looking for other peoples opinions and experience with this?

Thanks

# Remote Access VPN license summary (run on the SMS); each section sums one SKU family from "cplic print"
printf '%.s-' {1..78}; echo
echo 'Remote Access VPN License Summary'
printf '%.s-' {1..78}; echo

# Endpoint Security VPN Client seats in the CPVP-VSC-5-NGX+N form
echo -n 'Secure Client licenses on SMS (CPVP-VSC-5-NGX-XXX) : '
cplic print | grep never | grep -o -E 'CPVP-VSC-5-NGX\+.*' | sed 's/CPVP-VSC-5-NGX+//g' | awk '{ total = total + $1 } END { print total }'

# Endpoint Security VPN Client seats in the CPVP-VSC-N-NGX form
echo -n 'Secure Client licenses on SMS (CPVP-VSC-XXX-NGX) : '
cplic print | grep never | grep -v 'CPVP-VSC-5-NGX\+' | grep -o -E 'CPVP-VSC-.*NGX' | sed 's/CPVP-VSC-//g' | sed 's/-NGX//g' | awk '{ total = total + $1 } END { print total }'

# SNX seats (CPVP-SNX-N-NGX)
echo -n 'SNX (not MOB) licenses on SMS (CPVP-SNX-XXX-NGX) : '
cplic print | grep never | grep SNX | sed 's/.*\sCPVP\-SNX\-//' | sed 's/\-NGX.*//' | awk '{ total2 = total2 + $1 } END { print total2 }'

# Mobile Access Blade seats (CPSB-SSLVPN-N)
echo -n 'Mobile Access Blade licenses on SMS (CPSB-SSLVPN-XXX) : '
cplic print | grep never | grep SSLVPN | sed 's/.*\sCPSB\-SSLVPN\-//' | awk '{ total3 = total3 + $1 } END { print total3 }'
printf '%.s-' {1..78}; echo
------------------------------------------------------------------------------
Remote Access VPN License Summary
------------------------------------------------------------------------------
Secure Client licenses on SMS (CPVP-VSC-5-NGX-XXX) : 200
Secure Client licenses on SMS (CPVP-VSC-XXX-NGX) : 25
SNX (not MOB) licenses on SMS (CPVP-SNX-XXX-NGX) :
Mobile Access Blade licenses on SMS (CPSB-SSLVPN-XXX) : 5
------------------------------------------------------------------------------

Accepted Solutions
HeikoAnkenbrand
Champion

Hi @Conor_Mulcahy 

The one-liner (One-liner for Remote Access VPN License Summary) you copied is from me. It is the previous version of a more comprehensive script. Here you can find the newer version, which also shows the current number of connections from the gateway:
R80.x - Mobile User License Tool - replaced "dtps lic"

If you want to see all licenses of the Endpoint Security VPN Client (old Secure Client), you must add up the following licenses:

CPVP-VSC-5-NGX-xxx
CPVP-VSC-xxx-NGX

"fw tab -t userc_users -s" shows you the used licenses on the gateway.

Regards
Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
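An added example, not the thread's one-liner and not a Check Point tool: a small bash script that sums the CPVP-VSC seats from cplic print the way Heiko describes and compares them with the #VALS/#PEAK columns of fw tab -s for the userc_users and om_assigned_ips tables. The cplic print and fw tab sample output inside it is constructed so it runs offline; on a live SMS and gateway the real commands are piped in instead.

```shell
#!/bin/bash
# Added example (not the thread's one-liner, not a Check Point tool): compare the
# CPVP-VSC seats licensed on the SMS with the gateway's userc_users / om_assigned_ips
# tables. The two sample outputs below are constructed, not captured from a system.

CPLIC_SAMPLE='Host            Expiration  Features
192.0.2.10      never       CPSB-FW CPVP-VSC-5-NGX+200 CPSB-SSLVPN-5 CK-EXAMPLE1
192.0.2.10      never       CPVP-VSC-25-NGX CK-EXAMPLE2
192.0.2.10      01Jan2020   CPVP-VSC-5-NGX+500 CK-EXAMPLE3'

FWTAB_SAMPLE='HOST                  NAME                          ID #VALS #PEAK
localhost             userc_users                  8140   232   260
localhost             om_assigned_ips              8150   225   225'

# Sum Endpoint Security VPN Client seats from "cplic print" text on stdin: only
# never-expiring lines count, in the two SKU forms Heiko lists,
# CPVP-VSC-5-NGX+N (N seats) and CPVP-VSC-N-NGX (N seats).
vsc_licensed() {
  awk '{
    live = 0
    for (i = 1; i <= NF; i++) if ($i == "never") live = 1
    if (!live) next
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^CPVP-VSC-5-NGX\+[0-9]+$/) { sub(/^CPVP-VSC-5-NGX\+/, "", $i); total += $i }
      else if ($i ~ /^CPVP-VSC-[0-9]+-NGX$/) { split($i, p, "-"); total += p[3] }
    }
  } END { print total + 0 }'
}

# #VALS (current entries) or #PEAK of one table from "fw tab -s" text on stdin.
tab_vals() { awk -v t="$1" '$2 == t { print $4 }'; }
tab_peak() { awk -v t="$1" '$2 == t { print $5 }'; }

# Return 0 when the observed peak fits the licensed count, 1 when it exceeds it.
check_ra_capacity() {
  if [ "$2" -gt "$1" ]; then
    echo "WARNING: peak $2 exceeds $1 licensed Remote Access seats"
    return 1
  fi
  echo "OK: peak $2 within $1 licensed Remote Access seats"
}

# On a real SMS/gateway feed the live commands instead of the samples:
#   cplic print | vsc_licensed   and   fw tab -t userc_users -s | tab_peak userc_users
licensed=$(printf '%s\n' "$CPLIC_SAMPLE" | vsc_licensed)
for table in userc_users om_assigned_ips; do
  peak=$(printf '%s\n' "$FWTAB_SAMPLE" | tab_peak "$table")
  echo "$table: current $(printf '%s\n' "$FWTAB_SAMPLE" | tab_vals "$table"), peak $peak"
  check_ra_capacity "$licensed" "$peak" || true
done
```

With the constructed samples the licensed total is 225 and userc_users peaks at 260, which is exactly the gap the original post describes; om_assigned_ips can show a different count, as Heiko notes.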

19 Replies
Timothy_Hall
Legend

The quickest and easiest way to confirm if it is a license limit issue is to apply a 30-day eval license and see if the behavior goes away.  Your Check Point reseller/partner should be able to get you an unlimited 30-day eval license.  In my experience when license limits are exceeded it will usually be logged somewhere, but often in some obscure log file somewhere on the gateway.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Conor_Mulcahy
Contributor

Thanks, good idea; pity there is no easy-to-access log on this one. The 30-day eval gives you unlimited VPN users? I have access to UserCenter so I can do that one myself.

Timothy_Hall
Legend

Yes unlimited users (or "sufficiently" high like 5000 users for some features), here is what an "All-in-One" 30-day eval has in it:

  • For the SmartCenter:
    CPSM-C-U CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-PRVS CPSB-UDIR CPSB-WKFL-100 CPSB-WS CPSB-MPTL  CPVP-SNX-U-NGX  CPSB-SWB CPSB-ADNC-M CPSB-RPRT-U CPSB-EVCR-U  CPSB-SSLVPN-MOBMAIL+5000  CPSB-COMP-150

  • For the Firewall:
    CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP  CPSB-SSLVPN-U  CPSB-IA CPSB-ADNC CPSG-VSX-25S  CPSB-SWB  CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT
Conor_Mulcahy
Contributor

Cheers, I will try that Monday. I have your book by the way; it's essential if you're working with Check Point.

PhoneBoy
Admin
If you're having a license issue, end users should notice errors about Office Mode IPs.
Also when you're looking at various log files, you will see messages that refer to Office Mode and not having enough Office Mode IPs or similar.
Conor_Mulcahy
Contributor

Thanks, when you say log files, do you mean in SmartLog, or where will I see them?

PhoneBoy
Admin
I believe they will show in SmartLog and likely $FWDIR/log/vpnd.elg
Conor_Mulcahy
Contributor

That's great I'll check both places, cheers for the help on this.

Fraol14
Explorer

Which license should be fixed for this issue (Office Mode and not having enough Office Mode IPs)?

PhoneBoy
Admin

There are three types of licensing that impact the number of Office Mode IPs:

  • Mobile Access Blade (CPSB-MOB-x)
  • Harmony Endpoint licenses (CP-HAR-EP-x)
  • Legacy ACCESS SKUs (CPEP-ACCESS-x)

Note this is in terms of current SKUs, legacy SKUs also impact this. 

Fraol14
Explorer

This issue is occurring when more than 15 remote VPN users are connected simultaneously. 

PhoneBoy
Admin

By default, your gateway includes a license for 5 concurrent Remote Access users (CPSB-SSLVPN-5 in the license string).
The fact the gateway is allowing 15 concurrent users might be considered a bug.
In any case, you will need to purchase an additional license to support more concurrent users.
For Office Mode support, you need one of three things:

  • Harmony Endpoint licensing (includes Remote Access)
  • Mobile Access Blade (can be purchased for 50 users, 200 users, or unlimited)
  • CPEP-ACCESS-x (hidden SKU that includes Endpoint Firewall and Compliance, required for Mac VPN users not using SNX)

Please contact your Check Point partner for more information.

Conor_Mulcahy
Contributor

Thanks for that, that gives them 225 but there was 260 connected the other day.

People were getting disconnected at times but were not getting denied an IP from office mode.

I will check again on Monday with your script, thanks.

HeikoAnkenbrand
Champion

The table "userc_users" can be different from "om_assigned_ips". Therefore there may be more entries.

It is also possible that you have an unlimited license.

Conor_Mulcahy
Contributor

Wouldn't even the one script bring back that info if there was an unlimited lic?

PhoneBoy
Admin
The script should work either way.
Also the tables should return results if users are connected regardless of your license.
Conor_Mulcahy
Contributor

Sorry, what do you mean by tables? Is this in the script, or is it somewhere else I can look?

PhoneBoy
Admin
Any fw tab command is giving you output related to tables we maintain during runtime.
The scripts referred to in this thread are, in part, getting information from these same tables.
