Solved: you cannot receive an office mode ip address at th...

gtsanava · ‎2021-09-06

hello

We have upgraded from R80.30 to R81 everything seems fine, but on Remote Access VPN we have periodic connection failures for several users and they have next error: “Connection Failed You cannot receive an office mode IP address at this time…” there is screen also.

we noticed that, problem appears to users which had unexpectedly disconnected from VPN for several various reasons.

And that’s why problem repeats every day with several various users (5 to 10 users by day), also 2-3 same users too.

At this point we are resolving this 5-10 issues by changing ip addresses in ipassignment.conf file for problematic users. Also for troubleshooting purposes I have returned old ip to user after several minutes but same error appeared.

it seems as if there is problem with tunnel for user also problem is resolved by resetting tunnel but in most cases session disappears in "tunnel and user monitoring" view so I cant reset it and I am forced to change ip address in ipassignment .conf file and access policy too for each user.

we are assigning ip addresses to vpn users only via ipassignment.conf file. Also we have edited $FWDIR/conf/trac_client_1.ttm file according to our needs. And this configurations worked for us fine on R80.30 and we think that this settings should be okay with R81 also.

please share your experience, I have already opened case but still waiting for response.

Respectively,

George Tsanava

G_W_Albrecht · ‎2021-09-16

A fix is ready, fw1_wrapper_HOTFIX_R81_JHF_T36_752_MAIN_GA_FULL - at our customers it did resolve the issue !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

G_W_Albrecht · ‎2021-09-29

Fix is included in Ongoing Jumbo Take 44 : https://community.checkpoint.com/t5/Product-Announcements/R81-Jumbo-Hotfix-Accumulator-New-Ongoing-t...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

PhoneBoy · ‎2021-09-06

This is definitely going to require TAC assistance.
That said, it is one of the limitations of using ipassignment.conf to assign a specific user a specific address.

G_W_Albrecht · ‎2021-09-09

At least two TAC tickets are currently open for this issue...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2021-09-07

One of our partners has the same issue with a lot of customers - issue started after installing R81 JT 36 ! So to resolve this issue, you would have to uninstall JT 36 and go back to JT 29. This can be replicated very easily, but although a SR# is open since 17.8., no solution was found yet.

Workaround is to remove the IP from om_assigned_ips...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2021-09-07

Can you share the SR# in a private message so i can point it out to CP ?

kind regards,

--
Guenther Albrecht
Arrow ECS Internet Security AG A-1100 Wien, Wienerbergstrasse 11
Tel: +43 1 370 94 40 325 Fax: +43 1 370 94 40-33

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

gtsanava · ‎2021-09-07

yes I have sent it to you in PM

the_rock · ‎2021-09-07

I had that exact same error with one customer and it turned out to be a license. Im not saying thats the case with you, but maybe worth checking.

G_W_Albrecht · ‎2021-09-08

Usually, the error could also be a licensing issue. But if all had been working as expected until JT 36 was installed, this is simply a bug 8)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

gtsanava · ‎2021-09-08

yes it looks like bug. licensing was checked very first, its not about that.

Naama_Specktor · ‎2021-09-09

thank you for the information 😀

idants · ‎2021-09-09

Hi,

I am Idan Tsarfati, R&D VPN group manager.

Thanks for letting us know about this issue - we investigated it and found out that there is a bug in this take which related to the mentioned configuration file.

We have a fix for this issue, so you can contact me in order to get it.

A WA is to remove the user from the configuration file.

Thanks.

G_W_Albrecht · ‎2021-09-10

We have received an update:

On R81 T36, the IKED project was integrated. This project is about creating a new daemon that can handle IKE negotiations for VPN connections. The new daemon is called iked and its disabled by default.

As part of this project, Office mode allocation was changed (mainly, moved from user-space to kernel-space) for coordination and stability purposes.

The issue we see with these customers is related to ipassignment.conf when a user disconnect implicitly (without informing the GW). In such cases, the OM IP will be stuck inside om_assigned_ips kernel table.

With the new OM allocation mechanism, that implicitly disconnected user wont be able to connect unless the om_assigned_ips entry reaches its expiration.

Even though the ike is disabled by default, the new OM allocation mechanism is enabled (since its mainly I/S that cannot be disabled).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2021-09-16

A fix is ready, fw1_wrapper_HOTFIX_R81_JHF_T36_752_MAIN_GA_FULL - at our customers it did resolve the issue !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

gtsanava · ‎2021-09-17

yes fix resolved our case. thanks to all Checkpoint Staff Members who worked on it ❤️

G_W_Albrecht · ‎2021-09-29

Fix is included in Ongoing Jumbo Take 44 : https://community.checkpoint.com/t5/Product-Announcements/R81-Jumbo-Hotfix-Accumulator-New-Ongoing-t...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Are you a member of CheckMates?

you cannot receive an office mode ip address at this time.