ziggurat
Participant

VPN not connecting on train wifi

This is an issue that's been ongoing for a while and has now been encountered by our IT Director, therefore naturally needs urgent attention!

This is the summary of the experience:
-------------------------------
I have experienced this twice on two different Virgin trains. Basically when you try and connect to the VPN you put in the RSA code, the VPN detects proxy settings, then it tries to connect to the Gateway, the response is the gateway policy has changed, it tries again to connect to the Gateway and then fails with the message the gateway is not responding. I then try to connect with my hotspot on my iPhone. That connects (although it does come up with the message that the gateway policy has changed) but it then tries to reconnect and is successful. I was assuming that it could be the port that the VPN is using and couldn’t get through. However if I remain connected to the VPN on the iPhone hotspot and quickly connect to the Virgin train wifi the VPN connection drops, as you would expect, and then reconnects successfully.
-------------------------------

Further update from 26/02/2020 (logs attached)

-------------------------------
In summary on the logs from 7:53 I connected to train wifi, established I had wifi working. I then tried to connect to the VPN and had connect failed and it looked like at authentication. The message was couldn’t contact site. The logs have that end to end.

I then hotspotted to the phone, connected to the internet again, started the VPN, connected to the VPN successfully. I then switched back to the Train Wifi and the VPN obviously paused because it wasn’t connected to the internet but then once back on the train wifi and the internet connection was established the VPN reconnected. I have attached the logs at 7:57 which follows this second series of steps.

It is like the authentication part of the VPN is blocked but why? Usually this is due to different ports blocked or similar.
-------------------------------

I've attached logs for your reference. Are we able to remove the retry gateway setting? I've checked Visitor Mode on the Checkpoint and it's set to port 443 - I believe this is right but would be grateful if someone could confirm.

 

Many thanks in advance

B

0 Kudos
6 Replies
PhoneBoy
Admin

If this needs urgent attention, I highly recommend getting the TAC involved ASAP, if you haven't already.
I suspect that whatever Virgin Trains is doing with their WiFi does something with the HTTPS traffic occurring during authentication to the point where it fails.
Obviously your own hotspot isn't doing this.
Only thing I can suggest is to try disabling Visitor Mode and see if that helps.
0 Kudos
ziggurat
Participant

Hi everyone

 

I have a bit of a strange one which I hope someone can help with. I have experienced this twice on two different Virgin trains.  Basically when you try and connect to the VPN you put in the RSA code, the VPN detects proxy settings, then it tries to connect to the Gateway, the response is the gateway policy has changed, it tries again to connect to the Gateway and then fails with the message the gateway is not responding.  I then try to connect with my hotspot on my iPhone.  That connects (although it does come up with the message that the gateway policy has changed) but it then tries to reconnect and is successful.  I was assuming that it could be the port that the VPN is using and couldn’t get through. However if I remain connected to the VPN on the iPhone hotspot and quickly connect to the Virgin train wifi the VPN connection drops, as you would expect, and then reconnects successfully.

 

Are there any other ports that the tunnel would initiate on besides 443? Or could this be an issue with the train's wifi configuration?

 

I've been looking into the Visitor Mode setting which requires making a TCP connection to the gateway on port 443 as long as my gateway is listening on the IP of my WAN interface. Is this right?

 

Hope someone can help with this.


Many thanks

0 Kudos
ziggurat
Participant

This is how visitor mode is currently configured. Should I change it to a specific port or is 'All Interfaces' sufficient?

0 Kudos
PhoneBoy
Admin

I would suspect something with the configuration of the Virgin WiFi in this case.
You'd probably have to use tcpdump or similar to work out exactly what's going on.
0 Kudos
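
Added example (not part of the thread and not a Check Point tool): before reaching for tcpdump, a small Python probe can show whether a network blocks TCP 443 to the gateway, breaks the TLS handshake, or presents a different certificate than the one seen from a working network such as the phone hotspot. `vpn.example.com` and the baseline fingerprint are placeholders, and `probe` and `diagnose` are names made up for this example.

```python
import hashlib
import socket
import ssl

GATEWAY = "vpn.example.com"  # placeholder: your gateway's public name


def probe(host, port=443, timeout=5.0):
    """Return (stage, sha256_hex): stage is 'tcp_failed', 'tls_failed' or 'ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("tcp_failed", None)
    # Verification is off on purpose: we want whatever certificate this
    # network presents, then compare it to a fingerprint we already trust.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    except (ssl.SSLError, OSError):
        sock.close()
        return ("tls_failed", None)
    return ("ok", hashlib.sha256(der).hexdigest())


def diagnose(baseline_fp, result):
    """Compare a probe result with the fingerprint recorded on a good network."""
    stage, fp = result
    if stage == "tcp_failed":
        return "TCP 443 to the gateway is blocked or filtered on this network"
    if stage == "tls_failed":
        return "TCP connects but the TLS handshake is broken in transit"
    if fp != baseline_fp:
        return "a different certificate is presented: portal or proxy in the path"
    return "TLS to the gateway is intact: capture the authentication exchange next"


if __name__ == "__main__":
    # Step 1 (hotspot): print the fingerprint and note it as the baseline.
    # Step 2 (train WiFi): rerun and pass the baseline to diagnose().
    result = probe(GATEWAY)
    print(result)
    print(diagnose("<baseline-sha256-from-hotspot>", result))
```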
ziggurat
Participant

Thanks so much for the reply PhoneBoy. I took some logs while the issue occurred on 26 Feb. I'm not exactly sure what I should be looking for in these logs 😞 Could you help?

0 Kudos
PhoneBoy
Admin

Hi, please do not create more than one thread on the same topic.
I have merged the two threads so everything's in the same place.
Unfortunately, what you provided doesn't contain useful information to the issue at hand.
Please enable logging for the VPN and try again as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Like I said, though, your best bet is to work with the TAC on this.
0 Kudos
