JanCh
Participant

macOS Monterey: VPN client issues

Hello everyone,


Does anybody else have a problem with Checkpoint VPN after upgrading to macOS Monterey? I have the latest available version of the VPN client.


My VPN works fine only during the very first connection after Mac reboot.

Then the connection is established but without functional access to sites and RDPs. 

 

Thanks!

PhoneBoy
Admin

I’m fairly certain we don’t have formal support for macOS Monterey just yet.
Don’t have an exact timeframe at the moment, but I suspect it will probably come in the next few weeks.

0 Kudos
G_W_Albrecht
Legend

Refer to sk115192 - Check Point Endpoint Security Client Support Schedule for New Operating Systems.

There should be a RA VPN GA release within 2 months of OS GA.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin

More precisely, E85.30 should be the first version with macOS Monterey support.
Timeline is, as I said, the next few weeks. 

0 Kudos
the_rock
Legend

I have a customer using this and they don't have any issues, but I can confirm with them.

0 Kudos
rmeznaric
Participant

Hi,

I'm also having problems on macOS Monterey. The client "connects", but the connection actually doesn't work, as no packages are received or sent despite the connection "being up" (see attached screenshot). This is a major blocker and I would really appreciate it if this is fixed ASAP.

Best Regards

0 Kudos
PhoneBoy
Admin

As noted above, this is currently not supported.
We will release a new version in the coming weeks that will have support for macOS Monterey.

0 Kudos
Alex_Sazonov
Employee

Hi @rmeznaric 

What is the client version you have? Do you see any packets in tcpdump?

0 Kudos
rmeznaric
Participant

Hi @Alex_Sazonov,

I'm using the latest available on the official web page: E84.70 Build 986200225 (see attached screenshot).

I've tried with RDP and SSH connections and also tried to ping IPs, but nothing works.

In which log file can I see that? I have no idea what log entry should be there, as I haven't yet checked the log files where a client works.

Br

0 Kudos
rmeznaric
Participant

Hi,

I'm using the latest version of the CheckPoint VPN client: E84.70 Build 986200225 (see screenshot).

I've tried with RDP and SSH connections and even pinging IPs, but it just doesn't work. In what exact logs do I need to check and what exactly am I searching for? I didn't check the logs before this problem occurred.

Br


0 Kudos
Alex_Sazonov
Employee

@rmeznaric

Run this command and check, e.g. for SSH, on which interface you see SYN packets. In my case you can see packets are going out of the en0 interface:

$ sudo tcpdump -ni all -k IN port 22
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on all, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
13:09:30.433130 (en0, proc ssh) IP 10.10.10.102.54635 > 142.251.32.206.22: Flags [S], seq 2664821152, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1890533870 ecr 0,sackOK,eol], length 0
13:09:31.433075 (en0, proc ssh) IP 10.10.10.102.54635 > 142.251.32.206.22: Flags [S], seq 2664821152, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1890534870 ecr 0,sackOK,eol], length 0
0 Kudos
rmeznaric
Participant

Hi,

With the hostname:

As you mentioned, I added the tcpdump command for port 22 and then tried to connect over SSH over Termius (an app I use for managing different servers) to one of my servers when the Checkpoint VPN client was "connected". Additionally, I tried to SSH from Terminal, and in both cases I didn't get any entry in the console.

sudo tcpdump -ni all -k IN port 22
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on all, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes

Pinging the hostname also doesn't work.

With the IP:

I've tried to SSH with the IP and it is actually working, and ping also works. I must admit I didn't try to use the direct IP yesterday.

sudo tcpdump -ni all -k IN port 22
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on all, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
12:52:32.876062 (utun3, proc ssh) IP 10.12.135.23.58962 > 10.216.159.37.22: Flags [SEW], seq 281043968, win 65535, options [mss 1310,nop,wscale 6,nop,nop,TS val 1516873318 ecr 0,sackOK,eol], length 0
12:52:32.947710 (utun3, proc ssh) IP 10.216.159.37.22 > 10.12.135.23.58962: Flags [S.E], seq 228542461, ack 281043969, win 28960, options [mss 1383,sackOK,TS val 3918524969 ecr 1516873318,nop,wscale 7], length 0
12:52:32.947769 (utun3, proc ssh) IP 10.12.135.23.58962 > 10.216.159.37.22: Flags [.], ack 1, win 2048, options [nop,nop,TS val 1516873390 ecr 3918524969], length 0
12:52:32.949520 (utun3, proc ssh) IP 10.12.135.23.58962 > 10.216.159.37.22: Flags [P.], seq 1:22, ack 1, win 2048, options [nop,nop,TS val 1516873392 ecr 3918524969], length 21
12:52:33.017011 (utun3, proc ssh) IP 10.216.159.37.22 > 10.12.135.23.58962: Flags [.], ack 22, win 227, options [nop,nop,TS val 3918525040 ecr 1516873392], length 0

This is the workaround for all of us on macOS Monterey until you release a new version.

Best Regards

0 Kudos
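
The check Alex_Sazonov describes above (which interface carries the SYN packets), automated as an added example that is not part of any post in this thread: it parses `tcpdump -ni all -k IN` output and marks handshakes to VPN-side addresses that leave on a non-utun interface or never get a SYN-ACK. The 10.216.0.0/16 range, the `audit` function and the sample capture lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Per-packet metadata printed by `tcpdump -ni all -k IN` on macOS (PKTAP), e.g.
#   12:52:32.876062 (utun3, proc ssh) IP 10.12.135.23.58962 > 10.216.159.37.22: Flags [SEW], ...
LINE_RE = re.compile(
    r"^\S+ \((?P<iface>[^,)]+)[^)]*\) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def audit(lines, vpn_nets, tunnel_prefix="utun"):
    """Group TCP handshakes by flow and flag VPN-bound SYNs seen outside the tunnel."""
    nets = [ipaddress.ip_network(n) for n in vpn_nets]
    flows = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or "S" not in m["flags"]:
            continue  # banners, wrapped option text, non-handshake packets
        if "." in m["flags"]:  # SYN-ACK: the server is the sender
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
        else:                  # SYN: the client is the sender
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        flow = flows.setdefault(key, {"ifaces": set(), "syn": 0, "answered": False})
        flow["ifaces"].add(m["iface"])
        if "." in m["flags"]:
            flow["answered"] = True
        else:
            flow["syn"] += 1
    for (_, _, server, _), flow in flows.items():
        in_vpn = any(ipaddress.ip_address(server) in n for n in nets)
        off_tunnel = any(not i.startswith(tunnel_prefix) for i in flow["ifaces"])
        flow["bypasses_tunnel"] = in_vpn and off_tunnel
    return flows

# Constructed capture lines (not from the thread); 10.216.0.0/16 is an assumed VPN range.
SAMPLE = """\
listening on all, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
09:00:01.000000 (en0, proc ssh) IP 192.168.1.20.50001 > 10.216.0.5.22: Flags [S], seq 1, win 65535, length 0
09:00:02.000000 (en0, proc ssh) IP 192.168.1.20.50001 > 10.216.0.5.22: Flags [S], seq 1, win 65535, length 0
09:00:05.000000 (utun3, proc ssh) IP 10.12.135.23.50002 > 10.216.0.6.22: Flags [SEW], seq 9, win 65535, length 0
09:00:05.070000 (utun3, proc ssh) IP 10.216.0.6.22 > 10.12.135.23.50002: Flags [S.E], seq 7, ack 10, win 28960, length 0
09:00:05.071000 (utun3, proc ssh) IP 10.12.135.23.50002 > 10.216.0.6.22: Flags [.], ack 1, win 2048, length 0
""".splitlines()

if __name__ == "__main__":
    for key, flow in audit(SAMPLE, ["10.216.0.0/16"]).items():
        print(key, sorted(flow["ifaces"]), flow)
```

A flow with `bypasses_tunnel` set, or with repeated SYNs and `answered` false, points at routing rather than at the remote service.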
Alex_Sazonov
Employee

Hi @JanCh

Are you trying to access the RDP machine by IP or hostname?

0 Kudos
JanCh
Participant

Hi,

Using an IP address seems to be a good workaround before the new client version is released.

I was using the hostname to access the servers. 

BR.

0 Kudos
rmeznaric
Participant

Hi,

I found a temporary workaround for those who have this issue. Using direct IPs does work on my Mac with macOS Monterey and the latest Checkpoint VPN client. So for the time being use direct IPs; this should enable you to wait for the new release with direct support for macOS Monterey and not to do a downgrade to Big Sur.

Br

(1)
JanCh
Participant

Thanks a lot! That helps so much until the new client version is released!

BR

0 Kudos
jacbmelo
Explorer

I'm also having those same issues after updating to macOS Monterey. A workaround that is working for me is to turn the Wi-Fi off and on after establishing the VPN connection.

0 Kudos
laszlotakats
Participant

I have the same problem (Mac Mini M1 & CP VPN 85.30).

I investigated the problem: the DNS server and the resolv.conf are not working very well (after disconnecting, the CP VPN client couldn't change back to the original DNS servers and search domain).

0 Kudos
Steve58
Participant

Did you read the comment at the top of the resolv.conf file?

This file is not used by macOS for DNS resolution.

0 Kudos
JanCh
Participant

Hi,

I have also found another workaround for those who have M1 Macs.

I have downloaded the iOS/iPadOS app Capsule from the App Store to my Mac and it works just fine. (I use that app on my iPad, so I got the idea to try that.)

BR

0 Kudos
Heath_H
Contributor

I actually would have that same issue prior to macOS 12.0.1 and I had it initially after the upgrade, but I found that if I disconnected and reconnected, it got all the correct routes and DNS information and is working for me.  I haven't yet had to re-authenticate after upgrading, so I'll see if that works.

I'm running the EA of E85.30 (Build 986200317) to test the SAML authentication feature against an R81 lab cluster currently.

And I'm just curious, why does it take CP 2 months after a new release of an O/S to support it?  Do you not get the preview and beta releases as part of your normal Apple application development cycle?  Even having an EA release that is available on release day would be better than a blanket statement that you don't support it.  Often, new Apple hardware is only shipped with the new O/S, and this happens sooner than the 2 month window in a lot of cases.

For those with issues, check your interfaces for the utun adapter with the correct IP and then check your routing table to make sure you have the routes based on your VPN specification.

 

~ ifconfig utun4
utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1350
inet 172.16.10.7 --> 172.16.10.6 netmask 0xffffff00
~ netstat -rn | grep utun4
10 172.16.10.6 UGSc utun4
15.182.250.105 172.16.10.6 UGHS utun4
168.189 172.16.10.6 UGSc utun4
172.16.10.6 172.16.10.7 UH utun4

Steve58
Participant

Hi there,

I have just been trying to get the release version of E85.30 running on my new M1 Max MBP, which is running Monterey 12.1.

Unfortunately DNS is completely borked in this environment. I am unable to add a new site (it's a new computer) because it can't verify it.

I'm up and limping with the CheckPoint capsule, but some internal sites remain inaccessible.

0 Kudos
nicholaslue
Explorer

This worked for me on Monterey on the M1 MBP.  I unchecked "limit IP address tracking" in my network wifi settings.  It works instantly. 

0 Kudos
DA7OS
Explorer

Hi Nicholas,

Could you share what steps you performed exactly?

I've been trying for several months and I can't connect to the VPN with a Mac M1. Currently I connect with SSL Network Extender through the browser. I already tried to connect with the new clients:

Capsule

Client Checkpoint

But it tells me that the creation of the new site tried with the different types of authentication and it tells me that the client is not supported.

My connection mode is user, password and a token that reaches my cell phone.

I will be very grateful if you share your achievement, because I have not been successful for months.

Greetings and thank you very much!

0 Kudos
