GrassF
Contributor

VPN daemon timed out

Hi,

One of our customers is having an issue with the vpn command; we are getting a "Timed out":

[attached screenshot: vpn_timed_out.png]

The firewall is running R81 Take 44.

Have you experienced such issue?

Thank you

14 Replies
_Val_
Admin

Take it with TAC

the_rock
Legend

Just curious, are you having actual S2S VPN issues, or is ONLY the output of this command the concern? I guess if vpnd is a problem, then TAC may suggest some debugs for it, for sure.

GrassF
Contributor

Correct; in case there is a VPN issue we will not be able to debug. The firewall has been updated to R81.10; however, the issue has not been resolved. We've opened a TAC case.

Chris_Atkinson
Employee

Apologies it's not clear. Is the VPN blade activated on the gateway and a tunnel configured / established?

CCSM R77/R80/ELITE
GrassF
Contributor

Correct; if not, we would have gotten the output below (from another gateway without the VPN blade enabled):

# vpn shell
This is not a VPN-1 enabled module

the_rock
Legend

This is very interesting... I tried it yesterday in my lab with the VPN blade on and had the same issue as you, but when I ran it on a customer's environment with the same R80.40 version, it worked fine. Now, I tested in R81.10, but let me see if I can find R81 and try. Though I'm 99.99% sure this has absolutely nothing to do with the software version.

GrassF
Contributor

We have another customer running R80.40 and it's working fine. Would be interesting to have the result of your test.

the_rock
Legend

Ok... got the same thing in R81 as well. Let me do some testing later in my R81.10 lab, as I have the latest HFA on it, so will see if I can figure it out; plus, the VPN blade has been enabled on it for 2-3 months, at least.

the_rock
Legend

I hate to say this, but I honestly have no clue why this happens. As @_Val_ suggested, open a TAC case and have them investigate. I tried so many things in my lab to see if I could get it working (even disabled and re-enabled the VPN blade), same thing. Tried running multiple options of that command, no luck, sorry brother : - (. Please let us know how it gets fixed, I would love to know.

GrassF
Contributor

Thank you for helping. The TAC case is ongoing. It seems like things have changed on R81:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Top...

the_rock
Legend

Yes, but the vpn debug steps should be the same as before. As far as the vpn shell command goes, of that I'm not positive, though when I tested in R80.xx flavors, the options looked the same.

Timothy_Hall
Legend

As you observed @the_rock some things involving vpnd did change in R81.10.  The vpnd process is very old and has a long list of responsibilities that were stuffed into it over the years which started to cause stability problems. 

In R81.10 two responsibilities of vpnd were split off into two new daemons: iked and cccd.  The former daemon handles IKE negotiations and the latter daemon cccd seems to be related to endpoint compliance.  @GrassF it is possible that the vpn shell command you are trying to run has not been updated to reflect this change thus the timeouts, disabling the new iked process with vpn iked disable might fix your timeout issue but I'd advise against trying that, as it is not documented and may cause an outage.  Please post the output of these two commands:

vpn iked status

vpn cccd status

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
GrassF
Contributor

# vpn iked status
vpn: 'iked' is enabled.
vpn: The 'iked' process is currently running.

# vpn cccd status
vpn: 'cccd' is disabled.
vpn: The 'cccd' process is currently not running.

# fw ctl get int ike_in_separate_daemon
ike_in_separate_daemon = 1

_Val_
Admin
Admin

Attention, quoting from Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)

 

In R81.10 we added a feature to improve VPN performance - named CCCD

This feature is disabled by default, and we know about a few advanced customers who are using it.

Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!

YOU MUST DISABLE CCCD TO BECOME PROTECTED!

Instructions below and also on SK182336:

 

Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.

If the output differs, stop the CCCD process by running the vpn cccd disable command.

More info by the link above.

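The two status commands Timothy_Hall asked for and the sk182336 expectation quoted by _Val_ amount to one check: on an R81.10+ gateway, `vpn cccd status` must report cccd disabled, otherwise the gateway stays exposed to CVE-2024-24919 even with the hotfix installed. The script below turns that into a repeatable check. It is an added example, not code from the thread and not Check Point's own tooling. It parses the status lines exactly as GrassF's post prints them; the function names, the exit-code convention and the "cccd enabled" sample output are this example's own assumptions (the thread never shows an enabled-cccd output, so that sample is constructed by analogy with the other two).

```shell
#!/bin/sh
# Added example, not code from the thread or from Check Point.
# Classifies the output of `vpn iked status` and `vpn cccd status` on an
# R81.10+ gateway and flags the case sk182336 warns about: CCCD enabled,
# which leaves the gateway exposed to CVE-2024-24919 even after the hotfix.

# Sample outputs. The first two are copied from GrassF's post above; the
# third is CONSTRUCTED for illustration (the thread never shows it) and
# assumes the same phrasing with "enabled"/"running".
SAMPLE_IKED_ENABLED="vpn: 'iked' is enabled.
vpn: The 'iked' process is currently running."
SAMPLE_CCCD_DISABLED="vpn: 'cccd' is disabled.
vpn: The 'cccd' process is currently not running."
SAMPLE_CCCD_ENABLED="vpn: 'cccd' is enabled.
vpn: The 'cccd' process is currently running."

# parse_daemon_state NAME TEXT -> enabled | disabled | unknown
# Matches the "vpn: 'NAME' is enabled." / "... is disabled." line.
parse_daemon_state() {
    case "$2" in
        *"vpn: '$1' is enabled."*)  echo enabled ;;
        *"vpn: '$1' is disabled."*) echo disabled ;;
        *)                          echo unknown ;;
    esac
}

# parse_daemon_running NAME TEXT -> running | stopped | unknown
# Matches the "vpn: The 'NAME' process is currently [not] running." line.
# The negative phrasing is tested first so the intent stays obvious.
parse_daemon_running() {
    case "$2" in
        *"The '$1' process is currently not running."*) echo stopped ;;
        *"The '$1' process is currently running."*)     echo running ;;
        *)                                               echo unknown ;;
    esac
}

# cccd_verdict CCCD_STATUS_TEXT
# Exit-code convention (this example's own): 0 = disabled as expected,
# 1 = action required (run `vpn cccd disable`), 2 = output not recognised.
cccd_verdict() {
    state=$(parse_daemon_state cccd "$1")
    running=$(parse_daemon_running cccd "$1")
    if [ "$state" = disabled ] && [ "$running" = stopped ]; then
        echo "OK: cccd is disabled and not running (expected per sk182336)"
        return 0
    elif [ "$state" = unknown ] && [ "$running" = unknown ]; then
        echo "UNKNOWN: could not parse 'vpn cccd status' output, check manually"
        return 2
    else
        echo "ACTION REQUIRED: cccd is $state/$running; run 'vpn cccd disable'" \
             "(the CVE-2024-24919 hotfix does not protect a CCCD-enabled gateway)"
        return 1
    fi
}

# check_gateway: on a gateway, run the real commands; anywhere else, fall
# back to the samples so the script still runs off-box.
check_gateway() {
    if command -v vpn >/dev/null 2>&1; then
        iked_out=$(vpn iked status 2>&1)
        cccd_out=$(vpn cccd status 2>&1)
    else
        iked_out=$SAMPLE_IKED_ENABLED
        cccd_out=$SAMPLE_CCCD_DISABLED
    fi
    echo "iked: $(parse_daemon_state iked "$iked_out"), $(parse_daemon_running iked "$iked_out")"
    cccd_verdict "$cccd_out"
}

# Demonstrate on the samples only; call check_gateway on the box itself.
cccd_verdict "$SAMPLE_CCCD_DISABLED"
cccd_verdict "$SAMPLE_CCCD_ENABLED" || true
```

Run it in expert mode on the gateway and key off the exit code of `cccd_verdict` (or of `check_gateway`) from whatever fleet tooling you use; anything other than 0 means someone needs to look at that box. The iked line is informational only: the thread shows iked enabled and running as the normal R81.10 state, and disabling it is the undocumented step Timothy_Hall advises against.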