preverite
Participant

Windows 11 24H2 Remote Access VPN

Since the general availability of Windows 11 24H2, we're noticing around 50% of Windows machines updated to 24H2 are failing to connect with the Remote Access VPN.

I noticed that with the release of Enterprise Endpoint Security E88.41 (https://support.checkpoint.com/results/sk/sk182237) issues with W11 24H2 were addressed, however the latest version of Remote Access VPN is 88.40.

Are other people experiencing similar issues? Since the RA VPN hasn't been updated but the Endpoint Security client has, I'm wondering whether it's known there are issues with the RA VPN.

1 Solution

Accepted Solutions
Valentin1
Employee

Please, can you try to set the "route_conflict_resolution_method" parameter to "modify" in the trac_client_1.ttm file on the gateway and install policy. End users should reconnect in order for the new value to take effect. Here is an excerpt of TTM code:

:route_conflict_resolution_method (
    :gateway (
        :default (modify)
    )
)

Trac.defaults has the same option

Documented in: https://support.checkpoint.com/results/sk/sk182749


25 Replies
_Val_
Admin

Can you please explain what you mean by your statement: "however the latest version of Remote Access VPN is 88.40."

 

All Endpoint Security releases and latest versions are listed in sk117536, and E88.40 is definitely not the latest release for Windows. 

 

Concerning your issue, you are advised to upgrade your Endpoint Security Client on the problematic machines to E88.41 or later.

 

0 Kudos
preverite
Participant

Hi chief, our issue is we don't use the Endpoint Security Client, but the standalone remote access VPN client.

On the 88.41 release page the Standalone VPN Client is 88.40

 


So I'm not sure if this is (1) an oversight, (2) a new version will follow later, or (3) no issues are expected with v88.40 of the VPN client with W11 24H2.

0 Kudos
PhoneBoy
Admin

The bugs fixed in E88.41 are relevant to the full Endpoint only, I believe.
Does the problem exist in E88.60 (latest for Windows)?

0 Kudos
George_Casper
Collaborator

We're having the issue with 24H2 and all E88.x versions. It is hardware independent, multiple makes/model laptops, and also affected our M365 Cloud PC VMs. Rollback of 24H2 seems to be fixing it.

I have TAC SR open since Monday, supplied logs from both sides including Zoom support session, awaiting response.  R&D needs to get on this right away.

TT1
Explorer

We are seeing an issue with 24H2 and VPN as well, have tried the latest versions E88.40, 41, 60; VPN will connect but then drops the network connection in 10-20 seconds. Disconnect VPN, then you can reconnect Wi-Fi or Ethernet.

George_Casper
Collaborator

Rollback to 23H2 is the only option to fix.   E88.41 or above will only work with 24H2 Early Access versions from Microsoft.  24H2 GA released by Microsoft October 1 must have a major change in it to break VPN.  Checkpoint support holding firm on policy that they require 2 months from release of GA version from Microsoft to support it.   Hoping Checkpoint can do better but that's their official policy. 

See Phase 3 in https://support.checkpoint.com/results/sk/sk115192

Ddoughty
Explorer

This is the only workaround I was able to come up with as well. Wondering if you came across a more feasible fix?

0 Kudos
jandvorak
Explorer

Same issue. After disconnecting, eth/wifi doesn't work. You have to either reboot the computer (non-admin) or run ipconfig /release, renew as admin from cmd.

0 Kudos
sid_cp
Employee

sk182749

0 Kudos
preverite
Participant

Thank you. This appears to be working for us (around 20 endpoints) - we will resume the rollout to another testing group.

0 Kudos
peppereg
Explorer

Hello,

I would change my trac.defaults file.

Now I see the following string:

route_conflict_resolution_method STRING "delete_create" GLOBAL 1

How do I have to change it with the reported parameters?

thx

0 Kudos
George_Casper
Collaborator

Is Checkpoint considering sk182749 a temporary work around or permanent fix?   Meaning will a client side fix be coming or not?

 

0 Kudos
G_W_Albrecht
Legend

Yes in GA version - we still have EA version!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Riki
Explorer

Hi, I keep coming back to this forum almost daily now. Any idea when the new Check Point Remote Access VPN Client will be available? E86.80 still doesn't work with Windows 24h2. I tried to locate trac.default and change the "route_conflict_resolution_method" but that doesn't make any difference. 

Thank you 

0 Kudos
PhoneBoy
Admin

E86.80 or E88.60?
The former doesn't support Windows 11, and the workaround only applies to E88.40 - E88.60.

In any case, we release new Endpoint/VPN clients every month or so.
The next release (E88.70 for Windows) is expected in the next couple of weeks and is expected to include a fix for this.

(1)
Riki
Explorer

Thank you for your prompt reply; I appreciate it.

I did mean 86.80 - in the end, that's the only one that is offered (for Windows) when I try to download it from https://www.checkpoint.com/quantum/remote-access-vpn/#downloads

The file name says "E86.80_CheckPointVPN.msi"

I am also not sure we talk about the same thing since you suggest that a new client is released every month or so. But the download page for Remote Access VPN Client (https://support.checkpoint.com/results/download/125581) says it has been published in 2022...

I'm not sure what to make of this. If there is some other page where to download the client, please let me know - and I'll be waiting there for the E88.70.

 

Thanks a bunch!

0 Kudos
Riki
Explorer

Found this page I wasn't aware of https://sc1.checkpoint.com/documents/E88.x/EN/Remote_Access_VPN_Clients_for_Windows_RN/Content/Topic...

So I guess here.. Alright. Then I'll keep checking for 88.70

0 Kudos
PhoneBoy
Admin

What is linked on checkpoint.com is definitely not the most recent.
You can download E88.60 from here (under Standalone clients): https://support.checkpoint.com/results/sk/sk182468

PhoneBoy
Admin

Assuming this is the true solution to the problem, I would expect us to set route_conflict_resolution_method to modify as the default upon installation of future client versions.
It could also be deployed on the gateway side by including the relevant setting in trac_client_1.ttm (it's currently not specified at all), possibly in a JHF/future version.

0 Kudos
(1)
George_Casper
Collaborator

Would like to understand more about this setting change and any potential side effects before changing it globally for all users. Has this been tested by Checkpoint to be appropriate for other common scenarios including route all traffic through gateway (with Exclusion groups and other variations), MacOS users, etc.?  Don't want to fix one thing and break another.

0 Kudos
PhoneBoy
Admin

What this parameter does is change how routes are created on the client once you connect to the VPN.
With the default setting (delete_create), your conflicting local routes are deleted and recreated with lower priority along with the VPN specific routes.
With the "modify" setting, the existing conflicting routes are modified to a lower priority and the new VPN specific routes are added.

I can't say to what extent this has been tested.
However, on the surface, it appears it should not cause an impact on other user/usage types.

0 Kudos
PhoneBoy
Admin

I assume you change "delete_create" to "modify" 

Bruno_Ramos
Participant
0 Kudos
shenanigans
Explorer

Brilliant thank you, I can confirm this has worked for me!

 

route_conflict_resolution_method STRING "modify" GLOBAL 1

0 Kudos
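
Added example (not part of the thread and not Check Point code): a small Python helper that makes the client-side change discussed above, switching `route_conflict_resolution_method` from `delete_create` to `modify` in a `trac.defaults` file while leaving every other line untouched. The line format is the one quoted in the posts; the file path is supplied by the caller, and the `.bak` backup naming is an assumption.

```python
import re
import shutil
from pathlib import Path

# Line format as quoted in the thread:
#   route_conflict_resolution_method STRING "delete_create" GLOBAL 1
PARAM = "route_conflict_resolution_method"
LINE_RE = re.compile(
    r'^(?P<pre>\s*' + re.escape(PARAM) + r'\s+STRING\s+")(?P<val>[^"]*)(?P<post>".*)$'
)
ALLOWED = {"delete_create", "modify"}  # the two values named in the thread


def set_route_conflict_method(text, wanted="modify"):
    """Return (new_text, old_value); old_value is None if the parameter is absent.
    Only the quoted value changes; other lines and line endings are kept."""
    if wanted not in ALLOWED:
        raise ValueError(f"unexpected value {wanted!r}")
    old, out = None, []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = LINE_RE.match(body)
        if m:
            if old is not None:
                raise ValueError(f"{PARAM} is defined more than once")
            old = m.group("val")
            body = m.group("pre") + wanted + m.group("post")
        out.append(body + eol)
    return "".join(out), old


def patch_file(path, wanted="modify"):
    """Rewrite the file in place, keeping a .bak copy (assumed naming)."""
    path = Path(path)
    # latin-1 maps every byte to one character, so untouched bytes round-trip.
    with open(path, newline="", encoding="latin-1") as fh:
        text = fh.read()
    new_text, old = set_route_conflict_method(text, wanted)
    if old is not None and old != wanted:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        with open(path, "w", newline="", encoding="latin-1") as fh:
            fh.write(new_text)
    return old  # previous value, or None when the parameter was not found


if __name__ == "__main__":
    import sys
    print(patch_file(sys.argv[1]))
```

A return value of `None` means the parameter line was not found and the file was left unchanged, which is worth checking before assuming the workaround is in place on a given endpoint.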
