Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
gtsanava
Contributor
Jump to solution

you cannot receive an office mode ip address at this time.

hello

We have upgraded from R80.30 to R81 everything seems fine, but on Remote Access VPN we have periodic connection failures for several users and they have next error: “Connection Failed You cannot receive an office mode IP address at this time…” there is screen also.

we noticed that, problem appears to users which had unexpectedly disconnected from VPN for several various reasons.

And that’s why problem repeats every day with several various users (5 to 10 users by day), also 2-3 same users too.

At this point we are resolving this 5-10 issues by changing ip addresses in ipassignment.conf file for problematic users. Also for troubleshooting purposes I have returned old ip to user after several minutes but same error appeared.

it seems as if there is problem with tunnel for user also problem is resolved by resetting tunnel but in most cases session disappears in "tunnel and user monitoring" view so I cant reset it and I am forced to change ip address in ipassignment .conf file and access policy too for each user.

we are assigning ip addresses to vpn users only via ipassignment.conf file. Also we have edited $FWDIR/conf/trac_client_1.ttm file according to our needs. And this configurations worked for us fine on R80.30 and we think that this settings should be okay with R81 also.

please share your experience, I have already opened case but still waiting for response.

Respectively,

George Tsanava

0 Kudos
2 Solutions

Accepted Solutions
G_W_Albrecht
Legend
Legend

A fix is ready, fw1_wrapper_HOTFIX_R81_JHF_T36_752_MAIN_GA_FULL - at our customers it did resolve the issue !

CCSE CCTE CCSM SMB Specialist

View solution in original post

G_W_Albrecht
Legend
Legend
14 Replies
PhoneBoy
Admin
Admin

This is definitely going to require TAC assistance.
That said, it is one of the limitations of using ipassignment.conf to assign a specific user a specific address.

0 Kudos
G_W_Albrecht
Legend
Legend

At least two TAC tickets are currently open for this issue...

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

One of our partners has the same issue with a lot of customers - issue started after installing R81 JT 36 ! So to resolve this issue, you would have to uninstall JT 36 and go back to JT 29. This can be replicated very easily, but although a SR# is open since 17.8., no solution was found yet.

Workaround is to remove the IP from om_assigned_ips...

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

Can you share the SR# in a private message so i can point it out to CP ?

kind regards,

--
Guenther Albrecht
Arrow ECS Internet Security AG A-1100 Wien, Wienerbergstrasse 11
Tel: +43 1 370 94 40 325 Fax: +43 1 370 94 40-33

CCSE CCTE CCSM SMB Specialist
0 Kudos
gtsanava
Contributor

yes I have sent it to you in PM

0 Kudos
the_rock
Legend
Legend

I had that exact same error with one customer and it turned out to be a license. Im not saying thats the case with you, but maybe worth checking.

0 Kudos
G_W_Albrecht
Legend
Legend

Usually, the error could also be a licensing issue. But if all had been working as expected until JT 36 was installed, this is simply a bug 😎

CCSE CCTE CCSM SMB Specialist
0 Kudos
gtsanava
Contributor

yes it looks like bug. licensing was checked very first, its not about that.

0 Kudos
Naama_Specktor
Employee
Employee

thank you for the information 😀

0 Kudos
idants
Employee
Employee

Hi,

I am Idan Tsarfati, R&D VPN group manager.

Thanks for letting us know about this issue - we investigated it and found out that there is a bug in this take which related to the mentioned configuration file.

We have a fix for this issue, so you can contact me in order to get it.

A WA is to remove the user from the configuration file.

 

Thanks.

0 Kudos
G_W_Albrecht
Legend
Legend
We have received an update:
On R81 T36, the IKED project was integrated. This project is about creating a new daemon that can handle IKE negotiations for VPN connections. The new daemon is called iked and its disabled by default.
 
As part of this project, Office mode allocation was changed (mainly, moved from user-space to kernel-space) for coordination and stability purposes.
 
The issue we see with these customers is related to ipassignment.conf when a user disconnect implicitly (without informing the GW). In such cases, the OM IP will be stuck inside om_assigned_ips kernel table.
 
With the new OM allocation mechanism, that implicitly disconnected user wont be able to connect unless the om_assigned_ips entry reaches its expiration.
 
Even though the ike is disabled by default, the new OM allocation mechanism is enabled (since its mainly I/S that cannot be disabled).
CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

A fix is ready, fw1_wrapper_HOTFIX_R81_JHF_T36_752_MAIN_GA_FULL - at our customers it did resolve the issue !

CCSE CCTE CCSM SMB Specialist
gtsanava
Contributor

yes fix resolved our case. thanks to all Checkpoint Staff Members who worked on it ❤️

0 Kudos
G_W_Albrecht
Legend
Legend

Fix is included in Ongoing Jumbo Take 44 : https://community.checkpoint.com/t5/Product-Announcements/R81-Jumbo-Hotfix-Accumulator-New-Ongoing-t...

 

CCSE CCTE CCSM SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events