This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
StevePearson
Collaborator
a week ago
Jump to solution

SAML Auth failure after upgrade to R82.10

I've been upgrading a clustered pair of 3500's running R81.10 to the new 3920's running R82.10

The management was R81.20 so I started by upgrading this to R82 with recommended JHF. It was virtual, so simply spun up a new one using migrate export/import, no problem here.

I then replaced the gateways, updated the management accordingly and pushed the policy. This was fine and everything appeared to come back up normally, including all the site to site VPN's.

Final tests were remote access, some users have user/password/certificate but most use SAML. (this has been working fine for over 12 months) The user/password/certificate users work fine but the SAML users are unable to connect. It appears that the authentication happens correctly to Azure, but the token is then not accepted by the gateway and the connection fails.

Has anyone else come across this?

Preview file
11 KB
0 Kudos
1 Solution

Accepted Solutions
StevePearson
Collaborator
Sunday
In response to the_rock
Jump to solution

Hi Andy,

I've just fixed this!

I eventually found in the logs the error "Received an assertion that is valid in the future", which led me to the time on the gateways. I found that they were not synced to the Checkpoint NTP servers, so were about 8 minutes slow! (never thought to check this as the old gateways were NTP enabled so assumed all was ok!)

More digging, I found that there was no rule to allow outbound comms from the gateways for NTP, so the old gateways, despite being configured for NTP were not actually communicating with the NTP servers. I added the relevant rule, pushed the policy and kicked the NTP daemon,  the gateways synced and the issue was resolved!

Regards,

Steve

View solution in original post

3 Replies
the_rock
MVP Platinum
MVP Platinum
a week ago
Jump to solution

Regardless of the browser?

Best,
Andy
0 Kudos
StevePearson
Collaborator
Sunday
In response to the_rock
Jump to solution

Hi Andy,

I've just fixed this!

I eventually found in the logs the error "Received an assertion that is valid in the future", which led me to the time on the gateways. I found that they were not synced to the Checkpoint NTP servers, so were about 8 minutes slow! (never thought to check this as the old gateways were NTP enabled so assumed all was ok!)

More digging, I found that there was no rule to allow outbound comms from the gateways for NTP, so the old gateways, despite being configured for NTP were not actually communicating with the NTP servers. I added the relevant rule, pushed the policy and kicked the NTP daemon,  the gateways synced and the issue was resolved!

Regards,

Steve

the_rock
MVP Platinum
MVP Platinum
Sunday
In response to StevePearson
Jump to solution

Excellent job!

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events