This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Fleming
Advisor
‎2020-02-11 11:09 AM

End point connect connectivity issues - DPD - Negotiation with site failed

So its a day ending with the word day so I've stumbled across another issue with my 1500.

After bringing up the 1550 I noticed my remote access users didn't work anymore with end point connect but did with SNX and IOS end point connect.

Some debugging on the client and I found 

 

[ 4132 4180][11 Feb 13:17:07][IKE] **** MM6PacketHandler: Receive packet 6: Main Mode packet, cookies 7c27174af0bb8d93,e6a0f06ab07e931d, length 1997, 5 payloads

[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Identification payload (total 1)
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Certificate payload (total 1)
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Certificate payload (total 2)
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Signature payload (total 1)
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Vendor ID payload (total 1)
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 1 payloads of type Identification, need one exactly
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 2 payloads of type Certificate, need one or more
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 1 payloads of type Signature, need one exactly
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 0 payloads of type Notification, need zero or one exactly
[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: FAILED: Extra payloads left in packet (found 1 Vendor ID's)
[ 4132 4180][11 Feb 13:17:07][IKE] MM6PacketHandler: Packet parse failed (expecting 1 ID, 1-2 certs, 1 sig)
[ 4132 4180][11 Feb 13:17:07][IKE] send_notification: NOT IMPLEMENTED YET
[ 4132 4180][11 Feb 13:17:07][negs] [WARNING] [Negotiation::process_event] (0x03B64198): *** Negotiation failed! ***
[ 4132 4180][11 Feb 13:17:07][tunnel] [COVERAGE] [IkeV1Tunnel::negotiationEnded] (0x03BA2058): __start__

 

which led me to sk121736 - "Gateway sends DPD to client during phase 1 negotiation, resulting in "Negotiation with site failed" error for Remote Access Client trying to connect to a R80.XX Security Gateway".

 

Funny thing on the vpn page 

VPN -> Advanced -> Tunnel health monitoring method -> Tunnel Test (Check Point proprietary is selected) 
Use DPD responder mode checked with no way to uncheck (greyed out)

I changed tunnel health monitoring to DPD and unchecked use DPD responder mode

..and it worked...

 

So...uh...  End Point Connect with checkpoint's own internal tunnel monitoring is broken but the RFC version works? 

 

..SR opened..

0 Kudos
5 Replies
John_Fleming
Advisor
‎2020-02-11 11:13 AM

Can anyone else tell me what the default is for tunnel health mode? Is it tunnel test? Is so does that mean end point connect is broken out of the box without a config change?

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-11 06:58 PM
In response to John_Fleming

Tunnel Test is the default, I’m pretty sure.
This is definitely TAC case territory.
0 Kudos
John_Fleming
Advisor
‎2020-02-21 07:40 AM
In response to PhoneBoy

Started to circle in on the bug. Looks like its possible a gui bug. Basically the way to trigger is switch to DPD, then enabled the check box and hit apply. Then switch back to Tunnel Test mode and the box will grey out but still be checked.

End Point Connect will now fail with negotiation failed. I'm not sure how check box could effect tunnel test mode since I would assume tunnel test doesn't support that. My guess is its not really switching to tunnel test mode.

 

Anyway support replicated and has turned over to CFG. I'll reply with the next build for the fix.

 

I heard a rumor SMB R80.20.02's internal build name will be Spikefish. Thats pretty cool. 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-21 12:52 PM
In response to John_Fleming

I guess you're having a huge impact on the product. 😂
0 Kudos
John_Fleming
Advisor
‎2020-02-21 01:23 PM
In response to PhoneBoy

Its what i'm hearing from people, tremendous people!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events