This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Net_Works
Contributor
‎2023-03-02 03:13 PM
Jump to solution

ipassignment.conf -- is there a logfile to check assignment requests

Hi All,

I have a user connecting to the gateway via VPN (SAML authentication). They pass SAML authentication via identity provider but get assigned the wrong IP address. Although they are setup in the 'ipassignment.conf' file, they keep getting an IP address from the general pool that is setup on each cluster member. I have checked the syntax in the ipassignment.conf and satisfied they have been configured correctly. 

Is there a logfile anywhere that I can troubleshoot this to check that the  ipassignment.conf file is being queried?

Thanks in advance.

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-03-03 04:46 PM
In response to Net_Works
Jump to solution

The point of pointing you at the debug was to see what username it was seeing in order to find the relevant ipassignment.conf entry.
To see who is connected with what IP, perhaps this will be helpful: https://community.checkpoint.com/t5/SmartConsole-Extensions/Show-VPN-Users/m-p/131493#M200 

View solution in original post

0 Kudos
17 Replies
the_rock
MVP Gold
MVP Gold
‎2023-03-02 03:26 PM
Jump to solution

I dont believe you could search by say file name itself, but what you can do is something like below (in logs and monitor from smart console, just do below search, assuming say OM ip someone gets is 172.16.10.55)

blade:VPN AND src:172.16.11.55

Hope that helps.

Andy

 

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-02 04:43 PM
Jump to solution

From https://support.checkpoint.com/results/sk/sk113461 it appears you might find this in vpnd.elg.
You'll probably need to enable debugging of this process, however, which is done as follows:

# vpn debug trunc
# vpn debug on TDERROR_ALL_ALL=5

Then review $FWDIR/log/vpnd.elg* for the relevant user.
To disable debug:

  • vpn debug off
  • vpn debug ikeoff

As debugs can cause extra load, you may want to do this during off hours or a maintenance window.
See also: https://support.checkpoint.com/results/sk/sk180543 

0 Kudos
Net_Works
Contributor
‎2023-03-03 02:47 AM
In response to PhoneBoy
Jump to solution

Thanks PhoneBoy -- this has provided some useful info however, not managed to capture the individuals vpn negotiations or address assignment.

Running 81.10 BTW

0 Kudos
Net_Works
Contributor
‎2023-03-03 03:06 AM
In response to Net_Works
Jump to solution

Have managed to resolve this issue -- the user had changed his name in AD (from Rob to Robert) so the ipassignment.conf file was being ignored.

Would still be useful to find how to debug this.

Thanks

the_rock
MVP Gold
MVP Gold
‎2023-03-03 05:24 AM
In response to Net_Works
Jump to solution

Good job! 👍

Hope below links are useful for debugging on top what @PhoneBoy gave you.

Andy

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-03-03 05:38 AM
In response to the_rock
Jump to solution

How could these be usefull ? The two provided links are supported in ancient EOL versions only...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-03-03 05:40 AM
In response to G_W_Albrecht
Jump to solution

Correct, thats what it says, but TAC also used them few times on the phone, so they definitely do apply even in new versions. I suppose the articles were not updated to reflect so.

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-03-03 05:43 AM
In response to the_rock
Jump to solution

But in fact they state explicitely the opposite: This solution is about products that are no longer supported and it will not be updated

So i would rather not suggest them to anyone when supported alternatives are available.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-03-03 05:49 AM
In response to G_W_Albrecht
Jump to solution

I agree, so maybe TAC people should be advised not to use them any longer 😂

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-03-03 05:59 AM
In response to the_rock
Jump to solution

No, TAC can use anything, but i think you should avoid refering to unsupported SKs - sk30583: What is FW Monitor? has all of that in an officially supported SK...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-03-03 06:01 AM
In response to G_W_Albrecht
Jump to solution

Personally, I dont care what they use, as long as problems are fixed 😊

Best,
Andy
0 Kudos
Net_Works
Contributor
‎2023-03-03 06:58 AM
In response to the_rock
Jump to solution

Thanks Andy -- second link is useful 👍

the_rock
MVP Gold
MVP Gold
‎2023-03-03 07:05 AM
In response to Net_Works
Jump to solution

Glad its useful. But, @G_W_Albrecht is correct, it does indeed mention its not officially supported, but TAC used it with me over the phone few times, so must be still "valid" ; - ). Not to sound ironic now, but again, personally, @Net_Works I could care less who I talk to and what methods are used, the end goal is to fix the issue and Im sure thats what every client cares about 🙌

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-03 04:46 PM
In response to Net_Works
Jump to solution

The point of pointing you at the debug was to see what username it was seeing in order to find the relevant ipassignment.conf entry.
To see who is connected with what IP, perhaps this will be helpful: https://community.checkpoint.com/t5/SmartConsole-Extensions/Show-VPN-Users/m-p/131493#M200 

0 Kudos
Net_Works
Contributor
‎2023-03-05 07:35 AM
In response to PhoneBoy
Jump to solution

Thanks PhoneBoy -- will take a look on Monday 😉

Net_Works
Contributor
‎2023-03-06 10:46 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy -- this is a really useful cli output (fw tab -t . . . ) and does provide me with the details of the username which I could have cross referenced with the ipassignment.conf file 👍

Thanks all for your contributions.

the_rock
MVP Gold
MVP Gold
‎2023-03-02 04:56 PM
Jump to solution

Also, not sure if below might be 100% applicable, but worth a look.

https://support.checkpoint.com/results/sk/sk105162

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events