This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
K_montalvo
Advisor
‎2021-12-29 07:51 AM
Jump to solution

Remote Access VPN Authentication Failure

Hello Experts!

We are currently experiencing issues with the Remote Access VPN. The issue is when new user is created on the existing (Working) ClientlessVPNGroup and try to connect via browser fails the login with the error: "Unknown user". T/S was made creating new users using the same default template and the same results. However when creating new user on the internal AD which is part of the same RemoteAcessVPN Community and FW Rule it authenticates without issues. Publish & Install and Install Database was properly done.


Current environment:
SMS r81.10 (Was upgraded like 19 days ago from r80.30 to r81.10 and everything was seamlessly working until yesterday.
Cluster (2 Gateways) running r80.30

Only change that was made yesterday was on the default template object witch is included on the uploaded file. I Appreciate any tips or suggestions on this issue.

Thanks,

Logs.pdf
Preview file
232 KB
0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2021-12-30 07:51 AM
In response to K_montalvo
Jump to solution

Sounds like the ranges specified in the Translated Source field are incorrectly set for static instead of hide.  You can right-click in that field and force it to Hide.  If this is not the case please post a screenshot of the NAT rules in question.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

View solution in original post

17 Replies
the_rock
Legend
Legend
‎2021-12-29 07:59 AM
Jump to solution

Hey bro,

Did you make sure user belongs to the group allowed to access stuff via remote access community?

Andy

the_rock
Legend
Legend
‎2021-12-29 08:02 AM
In response to K_montalvo
Jump to solution

Normally, if you add user via AD, say if you have radius auth (just as an example) and AD integrated via dashboard, sometimes you may need to push policy to reflect the changes, though in most cases, it would reflect right away.

Andy

K_montalvo
Advisor
‎2021-12-29 08:13 AM
In response to the_rock
Jump to solution

Yeah push policy was done with new AD user and worked but the issue at the moment is presented when creating new local users, current existing local users on the same group are working.

0 Kudos
the_rock
Legend
Legend
‎2021-12-29 08:02 AM
In response to K_montalvo
Jump to solution

Email me some screenshots directly, let me check.

the_rock
Legend
Legend
‎2021-12-29 08:14 AM
In response to K_montalvo
Jump to solution

K, just send zoom or webex, I think I can figure this out quick...Im sure its some minor misconfiguration.

Timothy_Hall
Legend Legend
Legend
‎2021-12-29 08:30 AM
Jump to solution

Sounds suspiciously similar to the following, what happens if you set the template expiration date to 2029 instead of 2030 and then create a user with it?

sk167103: Expiration Date configured to after 2030 is considered as expired

 

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
K_montalvo
Advisor
‎2021-12-29 09:49 AM
In response to Timothy_Hall
Jump to solution

Thanks for the suggestion @Timothy_Hall  will try that and keep you guys posted of the results.

the_rock
Legend
Legend
‎2021-12-29 09:58 AM
In response to Timothy_Hall
Jump to solution

@Timothy_Hall ...I just did remote with @K_montalvo and since we could not look at the actual environment, we went through some basic setup on lab mgmt and I also saw that for one customer I always help with, any local vpn users are by default set to same date (December 31st, 2030) and works fine. I believe sk you mentioned strictly references to new admin, as "never" option is not there for vpn user. Either way, I asked Kenny to try change it to say 2025 and see if it makes any difference. Personally, though I showed him the option for mobile access via blades (under manage and settings), considering this is the only user with a problem, does not logically sound like its an issue with the MA blade configuration. Regardless, they will test all we discuss and update us.

Andy

K_montalvo
Advisor
‎2021-12-30 07:46 AM
In response to the_rock
Jump to solution

@the_rock @Timothy_Hall I was able to do T/S today and posibbly identified the issue:

What we are seeing is and error when the Standard Access Policy installation could that be the issue? If so can you guys guide me if theres a command to fix it or steps i shall follow to resolved the issue?

I really appreciate your help!

Thanks!Screenshot.PNG

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-12-30 07:51 AM
In response to K_montalvo
Jump to solution

Sounds like the ranges specified in the Translated Source field are incorrectly set for static instead of hide.  You can right-click in that field and force it to Hide.  If this is not the case please post a screenshot of the NAT rules in question.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
K_montalvo
Advisor
‎2021-12-30 11:05 AM
In response to Timothy_Hall
Jump to solution

Hello,

This was actually the issue with a source network with a /16 translated to a /24 on a couple of NAT rules created a couple years ago. Somehow they started to present the issue recently. The TAC was also very helpful.

0 Kudos
the_rock
Legend
Legend
‎2021-12-30 07:57 AM
In response to K_montalvo
Jump to solution

Hey buddy,

@Timothy_Hall is absolutely right. Sounds like nat method is wrong if thats the message you are seeing. Can you paste actual NAT rule?

Andy

K_montalvo
Advisor
‎2021-12-30 11:07 AM
In response to the_rock
Jump to solution

Hello buddy,

Yeah what @Timothy_Hall  posted above was the issue. I know if in the remote session yesterday with you had access to the actual environment you would figure it out. Many thanks as always for your support and friendship!

0 Kudos
the_rock
Legend
Legend
‎2021-12-30 11:09 AM
In response to K_montalvo
Jump to solution

Any time, no problem at all. @Timothy_Hall is the man, I think he knows everything CP related, so always amazing resource.

HAPPY NEW YEAR!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top