Net_Works
Contributor

ipassignment.conf -- is there a logfile to check assignment requests

Hi All,

I have a user connecting to the gateway via VPN (SAML authentication). They pass SAML authentication via identity provider but get assigned the wrong IP address. Although they are setup in the 'ipassignment.conf' file, they keep getting an IP address from the general pool that is setup on each cluster member. I have checked the syntax in the ipassignment.conf and satisfied they have been configured correctly. 

Is there a logfile anywhere that I can troubleshoot this to check that the  ipassignment.conf file is being queried?

Thanks in advance.

0 Kudos
17 Replies
the_rock
Legend

I don't believe you could search by, say, the file name itself, but what you can do is something like below (in Logs & Monitor from SmartConsole, just do the search below, assuming, say, the OM IP someone gets is 172.16.10.55):

blade:VPN AND src:172.16.11.55

Hope that helps.

Andy


0 Kudos
PhoneBoy
Admin

From https://support.checkpoint.com/results/sk/sk113461 it appears you might find this in vpnd.elg.
You'll probably need to enable debugging of this process, however, which is done as follows:

# vpn debug trunc
# vpn debug on TDERROR_ALL_ALL=5

Then review $FWDIR/log/vpnd.elg* for the relevant user.
To disable debug:

  • vpn debug off
  • vpn debug ikeoff

As debugs can cause extra load, you may want to do this during off hours or a maintenance window.
See also: https://support.checkpoint.com/results/sk/sk180543 

0 Kudos
Net_Works
Contributor

Thanks PhoneBoy -- this has provided some useful info; however, I have not managed to capture the individual's VPN negotiations or address assignment.

Running 81.10 BTW

0 Kudos
Net_Works
Contributor

Have managed to resolve this issue -- the user had changed his name in AD (from Rob to Robert) so the ipassignment.conf file was being ignored.

Would still be useful to find how to debug this.

Thanks

G_W_Albrecht
Legend

How could these be useful? The two provided links are supported in ancient EOL versions only...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend

Correct, that's what it says, but TAC also used them a few times on the phone, so they definitely do apply even in new versions. I suppose the articles were not updated to reflect so.

0 Kudos
G_W_Albrecht
Legend

But in fact they state explicitly the opposite: "This solution is about products that are no longer supported and it will not be updated."

So I would rather not suggest them to anyone when supported alternatives are available.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend

I agree, so maybe TAC people should be advised not to use them any longer 😂

0 Kudos
G_W_Albrecht
Legend

No, TAC can use anything, but I think you should avoid referring to unsupported SKs - sk30583: What is FW Monitor? has all of that in an officially supported SK...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend

Personally, I don't care what they use, as long as problems are fixed 😊

0 Kudos
Net_Works
Contributor

Thanks Andy -- second link is useful 👍

the_rock
Legend

Glad it's useful. But @G_W_Albrecht is correct, it does indeed mention it's not officially supported, but TAC used it with me over the phone a few times, so it must be still "valid" ; - ). Not to sound ironic now, but again, personally, @Net_Works, I could care less who I talk to and what methods are used; the end goal is to fix the issue and I'm sure that's what every client cares about 🙌

0 Kudos
PhoneBoy
Admin

The point of pointing you at the debug was to see what username it was seeing in order to find the relevant ipassignment.conf entry.
To see who is connected with what IP, perhaps this will be helpful: https://community.checkpoint.com/t5/SmartConsole-Extensions/Show-VPN-Users/m-p/131493#M200 

0 Kudos
Net_Works
Contributor

Thanks PhoneBoy -- will take a look on Monday 😉

Net_Works
Contributor

Hi PhoneBoy -- this is a really useful CLI output (fw tab -t . . . ) and does provide me with the details of the username, which I could have cross-referenced with the ipassignment.conf file 👍

Thanks all for your contributions.
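The root cause in this thread (the entry said "Rob", the gateway saw "Robert" after an AD rename, and the file was silently ignored) is a plain string mismatch, and the cross-reference described above can be scripted. The following is an added example, not code from Check Point or from anyone in this thread: it parses an ipassignment.conf and reports, for the username the gateway actually saw (e.g. from the fw tab output or the vpnd debug), whether there is an exact entry, an entry bound to a different gateway object, or an entry whose name differs only by case, prefix or domain qualifier. The four-column layout (gateway, type, address, user/group) is restated from memory of the documented format and should be treated as an assumption; the sample file is constructed. Group entries cannot be resolved offline, so only user names are compared.

```python
"""Cross-check an ipassignment.conf against the username a gateway reports.

Added example (not Check Point code). Assumed file layout, one entry per line:

    # Gateway   Type    Address / range / network      User or group
    *           addr    10.5.5.8                       john
    gw-1        range   10.5.5.10-10.5.5.20/24         Finance
"""
import re
from dataclasses import dataclass

# Constructed sample: note the "Rob" entry, which will not match "Robert".
SAMPLE_CONF = """\
# Gateway   Type    Address                   Users
*           addr    10.5.5.8                  Rob
gw-2        addr    10.5.5.9                  alice
*           range   10.5.5.10-10.5.5.20/24    Finance
"""

_KINDS = ("addr", "range", "net")   # assumed entry types


@dataclass(frozen=True)
class Assignment:
    gateway: str   # gateway/cluster object name, or "*" for any
    kind: str      # addr | range | net
    address: str   # address, range or network as written in the file
    subject: str   # user or group name exactly as written in the file


def parse_ipassignment(text: str) -> list[Assignment]:
    """Parse the file, skipping comments and blank lines, rejecting malformed rows."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(fields)}")
        gateway, kind, address, subject = fields
        if kind not in _KINDS:
            raise ValueError(f"line {lineno}: unknown type {kind!r}")
        entries.append(Assignment(gateway, kind, address, subject))
    return entries


def _bare(name: str) -> str:
    """Strip a DOMAIN\\ prefix or @domain suffix and lower-case for fuzzy comparison."""
    return re.sub(r"^.*\\|@.*$", "", name).lower()


def diagnose(entries: list[Assignment], seen_user: str, gateway: str) -> dict[str, list[Assignment]]:
    """Classify entries relative to the username the gateway actually saw.

    exact            - matches byte-for-byte and applies to this gateway: the file should be used
    gateway_mismatch - same name, but pinned to another gateway object
    name_mismatch    - differs only by case, domain qualifier, or prefix (Rob vs Robert);
                       a heuristic, so short names may produce false positives
    """
    result: dict[str, list[Assignment]] = {"exact": [], "gateway_mismatch": [], "name_mismatch": []}
    for e in entries:
        gw_ok = e.gateway in ("*", gateway)
        if e.subject == seen_user:
            result["exact" if gw_ok else "gateway_mismatch"].append(e)
            continue
        a, b = _bare(e.subject), _bare(seen_user)
        if a and b and (a.startswith(b) or b.startswith(a)):
            result["name_mismatch"].append(e)
    return result


if __name__ == "__main__":
    entries = parse_ipassignment(SAMPLE_CONF)
    for user in ("Robert", "Rob", "alice", "CORP\\alice"):
        report = diagnose(entries, user, gateway="gw-1")
        print(user, {k: [e.subject + "@" + e.gateway for e in v] for k, v in report.items()})
```

Run it against a copy of the real file and the username from the fw tab output; an empty "exact" list together with a populated "name_mismatch" or "gateway_mismatch" list is the condition that sends the user to the Office Mode pool without any error being logged.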

the_rock
Legend

Also, not sure if below might be 100% applicable, but worth a look.

https://support.checkpoint.com/results/sk/sk105162

0 Kudos
