Hello All,
We have a GW R80.30 and many VPN users. But recently one user got an issue: his VPN Client doesn't accept any certificates. We even imported the certificate into Windows Certificate Storage to let the user connect without a password - still doesn't work. The logs show the following:
[ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] gw_uses_login_options return value true, because it is Default variable. Scope: site My_Company VPN, gw VPN_GW ,user USER
[ 16532 9924][24 May 15:17:13][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::GetGatewayLoginOptionState: gw VPN_GW support login option
[ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] site_uses_login_options return value true, because it is Gateway config variable. Scope: site My_Company VPN ,gw NULL ,user USER
[ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] selected_realm_id return value vpn, because it is User config variable. Scope: site My_Company VPN ,gw NULL ,user USER
[ 16532 9924][24 May 15:17:13][RealmConfiguration] [COVERAGE] [RealmConfiguration::getRealmByName(s)] __start__
[ 16532 9924][24 May 15:17:13][RealmConfiguration] [DEBUG] [RealmConfiguration::getRealmByName(s)] getRealmByName where realm ID=vpn
[ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] login_options_list return value is object type, because it is Gateway config variable. Scope: site My_Company VPN ,gw NULL ,user USER
[ 16532 9924][24 May 15:17:13][RealmConfiguration] [INFO] [RealmConfiguration::getRealmByName(s)] Found realm with matching realm ID: vpn
[ 16532 9924][24 May 15:17:13][RealmConfiguration] [COVERAGE] [RealmConfiguration::getRealmByName(s)] __end__ Total: 0 milliseconds.
[ 16532 9924][24 May 15:17:13][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::GetGatewayRealmObj: siteName My_Company VPN, gwName VPN_GW, realm_display_name=vpn, realm_id=vpn
[ 16532 9924][24 May 15:17:13][TR_AUTH_MANAGER] TrCredKey::TrCredKey: creating credKey
[ 16532 9924][24 May 15:17:13][TR_AUTH_MANAGER] TrAuthenticationManager::CredsInCache: enter, item - (gw = My_Company VPN, authMethod=p12-certificate, realmId=vpn)
[ 16532 9924][24 May 15:17:13][TR_AUTH_MANAGER] TR_AUTH_MANAGER::TrAuthenticationManager::CredsInCache: cred item is null
[ 16532 9924][24 May 15:17:13][TR_AUTH_MANAGER] TR_AUTH_MANAGER::TrAuthenticationManager::CredsInCache: did not find an appropriate auth object in cache
[ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] IsCredsAvailable: Creds not in cache looking in CPLogon
[ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TrConnManager::GetRegOrCPLogonCreds: site name is: My_Company VPN
[ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] save_cli_credentials_for_ATM return value false, because it is Default variable. Scope: site My_Company VPN, gw NULL ,user USER
[ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TrConnManager::IsCredsInRegOrCPLogon: site name is: My_Company VPN
[ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] save_cli_credentials_for_ATM return value false, because it is Default variable. Scope: site My_Company VPN, gw NULL ,user USER
[ 16532 9924][24 May 15:17:13][ICS] TrFeatureManager::isATM: return value - is ATM = false
[ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::IsCredsInRegOrCPLogon: Check if CPLogon enabled
[ 16532 9924][24 May 15:17:13][TR_CPLOGON] IsEnabled: LogonAgentAPI dll not loaded
[ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::IsCredsInRegOrCPLogon: Credentials are not in cplogon and not in registry
[ 16532 9924][24 May 15:17:13][ICS] TrFeatureManager::isATM: return value - is ATM = false
[ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::GetRegOrCPLogonCreds: Creds are not in registry or cplogon
[ 16532 9924][24 May 15:17:13][TR_API_TRANSLATE] TR_API_TRANSLATE::TrAPI_Translate::ToSet: converting realmAuthFactor struct to set
[ 16532 9924][24 May 15:17:13][TR_SRV2CL] TR_SRV2CL::GetConfig: Entering
[ 16532 9924][24 May 15:17:13][TrMsg] TrMsg::TrMsgFromMsgObj: Entering
[ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] is_secondary_connect_enabled_and_supported_on_gw is not client decide
[ 16532 9924][24 May 15:17:13][TR_SRV2CL] TR_SRV2CL::GetConfig: Recieved Get config message, will get the configuration from the site's scope
[ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] is_secondary_connect_enabled_and_supported_on_gw return value false, because it is Gateway config variable. Scope: site My_Company VPN ,gw NULL ,user USER
[ 16532 9924][24 May 15:17:13][TrMsg] TrMsg::TrMsgArgIterGetNextArg: No more TrArgs
[ 16532 9924][24 May 15:17:13][MSGOBJ] msg_obj_init: format=1.0 id=TR_CONFIGURATION
What I don't like here:
[ 16532 9924][24 May 15:17:13][ICS] TrFeatureManager::isATM: return value - is ATM = false
[ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::IsCredsInRegOrCPLogon: Check if CPLogon enabled
[ 16532 9924][24 May 15:17:13][TR_CPLOGON] IsEnabled: LogonAgentAPI dll not loaded
[ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::IsCredsInRegOrCPLogon: Credentials are not in cplogon and not in registry
[ 16532 9924][24 May 15:17:13][ICS] TrFeatureManager::isATM: return value - is ATM = false
[ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::GetRegOrCPLogonCreds: Creds are not in registry or cplogon
I know that on the user's computer some security applications are installed, like Zscaler, BeyondTrust, maybe something else. Is it possible that such applications block some libraries? I asked him to check it with his Security team.
Thank you for any ideas!
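An added example, not part of the original post and not Check Point code: a small Python filter for client trace lines in the layout quoted above, keeping only entries from the credential lookup components whose message reports a negative result. The line layout, the component list and the keyword patterns are assumptions inferred from the quoted excerpt; the sample lines are copied from it.

```python
import re
from collections import Counter

# Assumed layout (inferred from the excerpt): [ pid tid][timestamp][COMPONENT] message
LINE_RE = re.compile(
    r"^\[\s*(?P<pid>\d+)\s+(?P<tid>\d+)\]"
    r"\[(?P<ts>[^\]]+)\]\[(?P<component>[^\]]+)\]\s*(?P<msg>.*)$"
)

# Components seen on the credential lookup path in the excerpt (assumed list).
CRED_COMPONENTS = {"TR_AUTH_MANAGER", "TR_CONN_MANAGER", "TR_CPLOGON"}

# Phrases that report a negative lookup result in the excerpt (assumed list).
NEGATIVE_RE = re.compile(r"not loaded|did not find|is null|\bnot in\b", re.I)

def parse_line(line):
    """Return the fields of one trace line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def negative_credential_events(lines):
    """Keep credential-path entries whose message reports a failed lookup."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["component"] in CRED_COMPONENTS and NEGATIVE_RE.search(rec["msg"]):
            events.append(rec)
    return events

def summarize(events):
    """Count negative events per component."""
    return Counter(e["component"] for e in events)

# Sample input: lines copied from the excerpt quoted in the post.
SAMPLE = """\
[ 16532 9924][24 May 15:17:13][TR_AUTH_MANAGER] TrCredKey::TrCredKey: creating credKey
[ 16532 9924][24 May 15:17:13][TR_AUTH_MANAGER] TR_AUTH_MANAGER::TrAuthenticationManager::CredsInCache: cred item is null
[ 16532 9924][24 May 15:17:13][TR_AUTH_MANAGER] TR_AUTH_MANAGER::TrAuthenticationManager::CredsInCache: did not find an appropriate auth object in cache
[ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] IsCredsAvailable: Creds not in cache looking in CPLogon
[ 16532 9924][24 May 15:17:13][ICS] TrFeatureManager::isATM: return value - is ATM = false
[ 16532 9924][24 May 15:17:13][TR_CPLOGON] IsEnabled: LogonAgentAPI dll not loaded
[ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::IsCredsInRegOrCPLogon: Credentials are not in cplogon and not in registry
""".splitlines()

if __name__ == "__main__":
    found = negative_credential_events(SAMPLE)
    for e in found:
        print(e["ts"], e["component"], e["msg"])
    print(dict(summarize(found)))
```

Running the same filter over a trace from a machine where certificate login works gives a baseline, so only entries that differ between the two need attention.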
Logically, if it's only one user, plus the fact there might be some 3rd party apps installed that could block this, definitely makes sense. Any way they could uninstall that other software and see if that works?
Andy
I've asked them to test it on a Virtual Machine without any security Apps. Let's see what they answer...
K, great...so if that does work, then you know 100% where the issue is. Question at that point would be what needs to be modified in order to make it work properly?
Andy
First the security department will have to find what is blocking. One more point: we already had problems during the installation of the VPN client... They solved it...
Ah, I see...was something else blocked when client was installed?
Andy
I don't know that. The problem occurred only with the VPN client.
Hang on, just to confirm...was this issue ONLY with single user? So, say for argument's sake, if vpn client was E87.10 (does not really matter), was install issue present just with single person or multiple people?
Andy
As far as I know, only a single user has complained. Probably only one user in this company uses our VPN. Full story: the initial request was for a new certificate - I enrolled it (by the way, the self-issue of the certificate on the client computer works without any issues), but then the user said it didn't work. I connected to him with MS Teams and I saw that the client is old (the client last connected 9 months ago). We began to update the client and faced the problem.... ^_^
K, so if it's just a single user, then I'm 100% sure it has to be something else on their machine (most likely one of those 3rd party apps) and NOT the actual VPN client.
Andy
Yes, sure. But from tomorrow I'm on vacation (*_*) The update comes later.
Well, have a nice vacation...I'm sure this person will have someone else sort it out, hehe ; - )
Thank you! Yes, I will give it to my colleagues, but only I can post here 8)
I'm sure you won't lose any sleep over it and it will not ruin your vacation ; - )
To add to my initial post, I recall 3 years ago or so, a customer had a similar issue and what they did to fix it was put the 3rd party app into "hibernate" mode...no clue in the world what app it was and how they did it, but that was the workaround, at least for the time being, until they found a more permanent solution.