This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GrassF
Contributor
‎2022-01-25 12:36 AM

VPN daemon timed out

Hi,

one of our customer is having issue with vpn command. We are getting a Timed out

vpn_timed_out.png

The Firewall is running on R81 Take: 44

Have you experienced such issue?

Thank you

0 Kudos
14 Replies
_Val_
Admin
Admin
‎2022-01-27 01:34 AM

Take it with TAC

the_rock
Legend
Legend
‎2022-01-27 05:18 AM

Just curious, are you having actual S2S vpn issues, or ONLY output of this command is the concern? I guess if vpnd is a problem, then TAC may suggest some debugs for it, for sure.

0 Kudos
GrassF
Contributor
‎2022-01-28 12:54 AM
In response to the_rock

Correct, in case there is a vpn issue we'll not be able to debug. The firewall hast been updated to R81.10, however the issue has not been resolved. We've opened a TAC Case.

Chris_Atkinson
Employee Employee
Employee
‎2022-01-28 02:05 AM
In response to GrassF

Apologies it's not clear. Is the VPN blade activated on the gateway and a tunnel configured / established?

CCSM R77/R80/ELITE
0 Kudos
GrassF
Contributor
‎2022-01-28 04:39 AM
In response to Chris_Atkinson

Correct, if not we would have got this output below (from another Gateway without VPN Blade enabled)

# vpn shell
This is not a VPN-1 enabled module

the_rock
Legend
Legend
‎2022-01-28 04:42 AM
In response to GrassF

This is very interesting...I tried it yesterday in my lab with vpn blade on and I had same issue as you, but when I ran it on customer's environment with same R80.40 version, worked fine. Now, I tested in R81.10, but let me see if I can find R81 and try. Though, Im 99.99% sure this has absolutely nothing to do with the software version.

0 Kudos
GrassF
Contributor
‎2022-01-28 04:51 AM
In response to the_rock

We have another customer running R80.40 and it's working fine. Would be interesting to have the result of your test.

the_rock
Legend
Legend
‎2022-01-28 05:06 AM
In response to GrassF

Ok...got same thing in R81 as well. Let me do some testing later in my R81.10 lab, as I have latest HFA on it, so will see if I can figure it out, plus, VPN blade has been enabled on it for 2-3 months, at least.

 

0 Kudos
the_rock
Legend
Legend
‎2022-01-28 06:20 AM
In response to GrassF

I hate to say this, but I honestly got no clue why this happens. As @_Val_ suggested, open TAC case and have them investigate. I tried so many things in my lab to see if I can get it working (even disabled and re-enabled vpn blade as well), same thing. Tried running multiple options of that command, no luck, sorry brother : - (. Please let us know how it gets fixed, I would love to know.

0 Kudos
GrassF
Contributor
‎2022-01-28 06:34 AM
In response to the_rock

Thank you for helping. The TAC case is ongoing. It seems like things have change on R81

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Top...

0 Kudos
the_rock
Legend
Legend
‎2022-01-28 11:27 AM
In response to GrassF

Yes, but vpn debug steps should be same as before. As far as vpn shell command, that Im not positive, though when I tested In R80.xx flavors, options look the same.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-01-29 06:39 AM
In response to GrassF

As you observed @the_rock some things involving vpnd did change in R81.10.  The vpnd process is very old and has a long list of responsibilities that were stuffed into it over the years which started to cause stability problems. 

In R81.10 two responsibilities of vpnd were split off into two new daemons: iked and cccd.  The former daemon handles IKE negotiations and the latter daemon cccd seems to be related to endpoint compliance.  @GrassF it is possible that the vpn shell command you are trying to run has not been updated to reflect this change thus the timeouts, disabling the new iked process with vpn iked disable might fix your timeout issue but I'd advise against trying that, as it is not documented and may cause an outage.  Please post the output of these two commands:

vpn iked status

vpn cccd status

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
GrassF
Contributor
‎2022-02-04 04:55 AM
In response to Timothy_Hall

# vpn iked status
vpn: 'iked' is enabled.
vpn: The 'iked' process is currently running.

# vpn cccd status
vpn: 'cccd' is disabled.
vpn: The 'cccd' process is currently not running.

# fw ctl get int ike_in_separate_daemon
ike_in_separate_daemon = 1

_Val_
Admin
Admin
4 weeks ago
In response to GrassF

Attention, quoting from Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)

 

In R81.10 we added a feature to improve VPN performance - named CCCD

This feature is disabled by default, and we know about few advanced customers who are using it.

Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!

YOU MUST DISABLE CCCD TO BECOME PROTECTED!

Instructions below and also on SK182336:

 

Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.

If the output differs, stop the CCCD process by running the vpn cccd disable command.

More info by the link above.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events