John_Fleming
Advisor

End point connect connectivity issues - DPD - Negotiation with site failed

So it's a day ending with the word day, so I've stumbled across another issue with my 1500.

After bringing up the 1550 I noticed my remote access users didn't work anymore with End Point Connect, but did with SNX and iOS End Point Connect.

Some debugging on the client, and I found:


[ 4132 4180][11 Feb 13:17:07][IKE] **** MM6PacketHandler: Receive packet 6: Main Mode packet, cookies 7c27174af0bb8d93,e6a0f06ab07e931d, length 1997, 5 payloads

[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Identification payload (total 1)
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Certificate payload (total 1)
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Certificate payload (total 2)
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Signature payload (total 1)
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Vendor ID payload (total 1)
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 1 payloads of type Identification, need one exactly
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 2 payloads of type Certificate, need one or more
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 1 payloads of type Signature, need one exactly
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 0 payloads of type Notification, need zero or one exactly
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: FAILED: Extra payloads left in packet (found 1 Vendor ID's)
[ 4132 4180][11 Feb 13:17:07][IKE] MM6PacketHandler: Packet parse failed (expecting 1 ID, 1-2 certs, 1 sig)
[ 4132 4180][11 Feb 13:17:07][IKE] send_notification: NOT IMPLEMENTED YET
[ 4132 4180][11 Feb 13:17:07][negs] [WARNING] [Negotiation::process_event] (0x03B64198): *** Negotiation failed! ***
[ 4132 4180][11 Feb 13:17:07][tunnel] [COVERAGE] [IkeV1Tunnel::negotiationEnded] (0x03BA2058): __start__


which led me to sk121736 - "Gateway sends DPD to client during phase 1 negotiation, resulting in "Negotiation with site failed" error for Remote Access Client trying to connect to a R80.XX Security Gateway".


Funny thing on the VPN page:

VPN -> Advanced -> Tunnel health monitoring method -> Tunnel Test (Check Point proprietary) is selected.
"Use DPD responder mode" is checked with no way to uncheck it (greyed out).

I changed tunnel health monitoring to DPD and unchecked "Use DPD responder mode"

..and it worked...


So...uh... End Point Connect with Check Point's own internal tunnel monitoring is broken, but the RFC version works?


..SR opened..

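As an added illustration (not code from the thread or from Check Point), here is a small Python model of the MM6 payload-count check the client log above is reporting, run over the thread's own payload lines. The count rules are taken from the log text; the sample log lines are constructed from the post with timestamps trimmed.

```python
import re
from collections import Counter

# Count rules as stated in the log: type -> (minimum, maximum; None = no upper limit).
MM6_RULES = {
    "Identification": (1, 1),   # "need one exactly"
    "Certificate": (1, None),   # "need one or more"
    "Signature": (1, 1),        # "need one exactly"
    "Notification": (0, 1),     # "need zero or one exactly"
}

# Matches lines such as "payloads_count: A Vendor ID payload (total 1)".
PAYLOAD_LINE = re.compile(r"payloads_count: A (.+?) payload \(total \d+\)")


def payload_types_from_log(lines):
    """Extract payload type names, in order, from client debug log lines."""
    return [m.group(1) for line in lines if (m := PAYLOAD_LINE.search(line))]


def check_mm6_payloads(payload_types):
    """Return (ok, reason) for the payload types of one MM6 packet.

    Mirrors the log: count each type, check the expected types are within
    bounds, then fail if any payload of an unexpected type is left over.
    """
    counts = Counter(payload_types)
    for ptype, (lo, hi) in MM6_RULES.items():
        n = counts.pop(ptype, 0)
        if n < lo or (hi is not None and n > hi):
            return False, f"Found {n} payloads of type {ptype}, outside allowed count"
    if counts:
        extra = ", ".join(f"{n} {p}" for p, n in sorted(counts.items()))
        return False, f"Extra payloads left in packet (found {extra})"
    return True, "ok"


# Constructed sample: the payload lines from the log above, timestamps trimmed.
SAMPLE_LOG = [
    "[IKE] payloads_count: A Identification payload (total 1)",
    "[IKE] payloads_count: A Certificate payload (total 1)",
    "[IKE] payloads_count: A Certificate payload (total 2)",
    "[IKE] payloads_count: A Signature payload (total 1)",
    "[IKE] payloads_count: A Vendor ID payload (total 1)",
]

if __name__ == "__main__":
    types = payload_types_from_log(SAMPLE_LOG)
    print(types, check_mm6_payloads(types))  # fails: 1 Vendor ID left over
    print(check_mm6_payloads(types[:-1]))    # the same packet without it passes
```

The same packet minus the stray Vendor ID payload passes, which is the difference the thread observes between the two tunnel-monitoring settings.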
John_Fleming
Advisor

Can anyone else tell me what the default is for tunnel health mode? Is it Tunnel Test? If so, does that mean End Point Connect is broken out of the box without a config change?

PhoneBoy
Admin

Tunnel Test is the default, I’m pretty sure.
This is definitely TAC case territory.
John_Fleming
Advisor

Started to circle in on the bug. Looks like it's possibly a GUI bug. Basically the way to trigger it is to switch to DPD, then enable the check box and hit apply. Then switch back to Tunnel Test mode and the box will grey out but still be checked.

End Point Connect will now fail with "negotiation failed". I'm not sure how the check box could affect Tunnel Test mode, since I would assume Tunnel Test doesn't support that. My guess is it's not really switching to Tunnel Test mode.


Anyway, support replicated it and has turned it over to CFG. I'll reply with the next build for the fix.


I heard a rumor SMB R80.20.02's internal build name will be Spikefish. That's pretty cool.

PhoneBoy
Admin

I guess you're having a huge impact on the product. 😂
John_Fleming
Advisor

It's what I'm hearing from people, tremendous people!
