EricR
Participant

fresh installation VPN client - connectivity with the VPN service is lost

 

Hi guys,

I tried to install the latest versions of Check Point Remote Access Clients for Windows, E86.60 and 86.70 (MSI files).
The installation finished, but I immediately get a popup notification of "connectivity with the VPN service is lost"

 
 

2022-10-10 17_31_08-Matrix42 Management Console.png

I see these error events...

 

If I try an older version like E86.50 on the same device it works!
Please tell me what I am doing wrong? 

 

Thanks & Regards,
Eric

0 Kudos
16 Replies
PhoneBoy
Admin

Recommend opening a TAC case to assist with debugging this.

0 Kudos
EricR
Participant

OK, I will do.

0 Kudos
paredes_h
Explorer

Hello,

Did you ever get this resolved? If so, how?

0 Kudos
PhoneBoy
Admin

We've had several reports of this over the last weekend.
Specifically, it appears to be related to the standalone VPN editions of E86.60 and E86.70 and the reported timing was just before/after Patch Tuesday for April.
Full Harmony Endpoint installations appear to be unaffected.

We are still investigating what exactly has triggered the issue and its potential scope.
Some customers reported the issue was fixed by installing either E86.61 or E86.71, both of which replaced their respective versions in October 2022.
Recommend applying these versions and contacting the TAC if this doesn't resolve the issue: https://help.checkpoint.com 

0 Kudos
jaruna
Explorer

Hello,

I am getting the same message "connectivity with the vpn service is lost".

I tried versions:

86.50

87.20

87.10

Please give me a solution.

PS Fresh installation of Windows 11.

0 Kudos
PhoneBoy
Admin

To investigate this issue, you will need to open a TAC case: https://help.checkpoint.com 

0 Kudos
EricR
Participant

Hi,

Yes, I opened a case. Support was able to reproduce the issue when the Check Point VPN is installed while the client has no internet connectivity. This is often the case in our environment because our clients are not allowed to browse the internet without user authentication.

This issue doesn't happen with older Check Point client releases.
I don't know if they have fixed the issue already!?



 

0 Kudos
PhoneBoy
Admin

Until we know the exact root cause, it's difficult to say the issue is "fixed."
The fact this issue is easily reproducible will certainly help in that.

0 Kudos
AndreiR
Employee

Hi,

Here is the update from VPN RnD team. It is also documented in sk180845.

 

Root cause and symptoms

The issue happened due to the expiration of the certificate which was used for signing the firewall driver vsdatant.sys. The validity period of this certificate ended on April 8, 2023; the VPN client became unable to initiate the firewall module and failed with the error “Connectivity with VPN Service is lost”. In addition, the following lines can be found in trac.log:

[ 47972 44400][9 Apr 10:16:03][TR_FIREWALL] CFirewallWrapper::InitFirewallMonitor: ERROR - lpFwMonitor_Start failed, try to wait for the service initialization
[ 47972 44400][9 Apr 10:16:03][TR_UTILS] WaitForServiceStart("vsmon")
[ 47972 44400][9 Apr 10:16:03][TR_UTILS] WaitForServiceStart: OpenService("vsmon") failed: The specified service does not exist as an installed service.
[ 47972 44400][9 Apr 10:16:03][TR_FIREWALL] CFirewallWrapper::InitFirewallMonitor: waiting for vsmon initialization failed

 

Affected versions

Endpoint Security VPN, versions E86.60 and E86.70

The issue impacts only the “Endpoint Security VPN” flavor of standalone VPN clients, which contains the firewall module. Other flavors of the standalone VPN client as well as Harmony Endpoint Protection (full suite) are not affected.

 

Mitigation

The only solution is to upgrade the VPN client to a newer version.

We in RnD will improve our internal processes and enforce strict control over the certificates we use inside our products.

0 Kudos
(2)
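
A log check for the symptom described in the post above, as an added example that is not part of the original thread or of Check Point's tooling: it scans trac.log text for the quoted failure sequence, tracked per pair of leading ids. Reading the two leading numbers as process and thread ids is an assumption, and the last two sample lines are constructed.

```python
import re

# Layout of a trac.log line as quoted in the post:
#   [ <id> <id>][<day> <month> <time>][<topic>] <message>
# Treating the two leading numbers as process/thread ids is an assumption.
LINE_RE = re.compile(r"^\[\s*(\d+)\s+(\d+)\]\[([^\]]+)\]\[(\w+)\]\s+(.*)$")

# Ordered markers taken from the four log lines in the post.
MARKERS = (
    ("TR_FIREWALL", "lpFwMonitor_Start failed"),
    ("TR_UTILS", 'OpenService("vsmon") failed'),
    ("TR_FIREWALL", "waiting for vsmon initialization failed"),
)

def find_firewall_init_failures(lines):
    """Return (ids, first_ts, last_ts) for every complete marker sequence."""
    progress = {}  # (id, id) -> (index of next expected marker, first timestamp)
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines in another layout are ignored
        key, ts, topic, msg = (m[1], m[2]), m[3], m[4], m[5]
        step, first_ts = progress.get(key, (0, None))
        want_topic, want_text = MARKERS[step]
        if topic == want_topic and want_text in msg:
            first_ts = first_ts or ts
            step += 1
            if step == len(MARKERS):
                hits.append((key, first_ts, ts))
                step, first_ts = 0, None
            progress[key] = (step, first_ts)
        elif topic == MARKERS[0][0] and MARKERS[0][1] in msg:
            progress[key] = (1, ts)  # sequence restarted before completing
    return hits

# First four lines are the ones quoted in the post; the last two are
# constructed: another id pair that logs the first marker only (no hit).
SAMPLE = """\
[ 47972 44400][9 Apr 10:16:03][TR_FIREWALL] CFirewallWrapper::InitFirewallMonitor: ERROR - lpFwMonitor_Start failed, try to wait for the service initialization
[ 47972 44400][9 Apr 10:16:03][TR_UTILS] WaitForServiceStart("vsmon")
[ 47972 44400][9 Apr 10:16:03][TR_UTILS] WaitForServiceStart: OpenService("vsmon") failed: The specified service does not exist as an installed service.
[ 47972 44400][9 Apr 10:16:03][TR_FIREWALL] CFirewallWrapper::InitFirewallMonitor: waiting for vsmon initialization failed
[ 1200 1301][9 Apr 10:17:40][TR_FIREWALL] CFirewallWrapper::InitFirewallMonitor: ERROR - lpFwMonitor_Start failed, try to wait for the service initialization
[ 1200 1301][9 Apr 10:17:41][TR_UTILS] WaitForServiceStart("vsmon")
"""

if __name__ == "__main__":
    print(find_firewall_init_failures(SAMPLE.splitlines()))
```

A hit only confirms the symptom in the log; the fix stated in the post is still to upgrade the client.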
paredes_h
Explorer

Thank you!

0 Kudos
EricR
Participant

Hi Andrei,

I tested the latest version E87.30 (98.61.4715) and can still see the same behavior.
My client doesn't have an active internet connection. After a few minutes my virtual machine crashes!


0 Kudos
PhoneBoy
Admin

Please open a TAC case: https://help.checkpoint.com

0 Kudos
AlSeOr
Explorer

Hi, Have you found a solution?

0 Kudos
EricR
Participant

Hi,
support ticket is still open --> SR#6-0003654968

I sent them my custom MSI files to reproduce the issue. I think the issue is because we configured a preconfigured VPN site which can't be reached from our deployment network. So this issue does not exist when installing the Check Point VPN without a preconfigured site, or you have to take care that your VPN site is reachable after installing.

This wasn't a requirement in the past and I hope Check Point will fix it.

0 Kudos
EricR
Participant

Hi all,
I got a response from the support engineer. They were able to reproduce the issue in a lab and will be working on investigating it.
I hope they will fix it asap.


0 Kudos
EricR
Participant

Hi,

The issue seems to be resolved now!
I used a "trac.config" and "trac.defaults" from a previous Check Point installation. This is not supported!
I did a new clean installation with the latest Check Point VPN client and configured all the settings in the UI. After that I exported both config files ("trac.config" and "trac.defaults") from there and used these with the vpn-config tool to create a custom MSI.

I want to say thanks to Check Point support!


Regards,
Eric

0 Kudos
