This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
HarryB
Participant
‎2018-11-21 02:43 AM

VPN (certificate) problem after upgrade to R80.20

Hello,

after an Upgrade of our Management from R77.30 to R80.20 we had problems with VPN tunnels between our firewall cluster and Checkpoint Appliances (11xx;14xx)

After rollback to R77.30 all VPN are up and running without problems.

Management = R80.20
Cluster Member = R.77.30
1430 Appliance = newest firmware

1120 Appliance = not the latest firmware
They will not be up with following error message (see attachment)

Besides the upgrade, the only change is that management has moved from an IBM hardware server to a VM.

Does anyone have any idea how to fix it?

Regards

Harald

Preview file
17 KB
Reply
7 Replies
Jerry
Leader
Leader
‎2018-11-21 03:13 AM

have you tried to re-generate SIC's to ie. one gateway (in order to test if all works just fine) ?

if it does help - you know the drill Smiley Happy

Jerry
0 Kudos
Reply
HarryB
Participant
‎2018-11-21 03:24 AM
In response to Jerry

Yes. We have done this. No success.
We also tried to "degrade" the appliance to local management and after policy install switch back to central management. Also no success.

0 Kudos
Reply
Egor_Cherkasov
Contributor
‎2018-11-21 04:06 AM

Hello,

There are SKs, where you can find possible sources of failure because of invalid certificate. 

  • sk17106 – Remote side peer object is incorrectly configured
  • sk23586 – nat rules are needed
  • sk18805 – multiple issues, define a static nat, add a rule, check time
  • sk25262 – port 18264 has problems
  • sk32648 – port 18264 problems v2
  • sk15037 – make sure gateway can communicate with management

Also I'd like to recommend to check your IKEs by means of :

#vpn debug on
#vpn debug ikeon
#vpn tu

Log Files are:

#$FWDIR/log/ike.elg
#$FWDIR/log/vpnd.elg.

Good luck!

Reply
HarryB
Participant
‎2019-01-24 11:31 PM

Hi,

we were able to find out that this was a certification issue.

Ike: Main Mode Expected to get certificate whose root CA is ADDTrust_External_CA_Root, got certificate whose root CA is COMODO

Reject Category: Gateway to Gateway authentication failure
After deleting the certificate, the VPN tunnel was established.
The certificate was first installed in 2014 and extended in 2017. With R77.30 in the whole time no problems.
I need to renew and reinstall the certificate because we need it for the SSL extender.
Does anyone have any idea what the problem may have been.
I fear the new certificate could also be problematic.

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-01-25 11:15 PM
In response to HarryB

Possible the VPN certificate expired and just needed to be regenerated.

0 Kudos
Reply
HarryB
Participant
‎2019-01-28 04:50 AM
In response to PhoneBoy

No. The certificate was not expired That was not the problem.

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-01-28 06:09 AM
In response to HarryB

Looks like the expected CA of the certificate changed (if I'm reading the error message better than I was before).

That will certainly cause an issue.

0 Kudos
Reply