HerbertP
Explorer

R82.00.10 Remote Access using Cert seems broken

Hello,

After following the issues with R82.00.10 for a while, I have now tried to upgrade one locally managed 1535 appliance to R82.00.10.

Now clients using remote access with certificate-based auth can no longer reach internal hosts via VPN.

Windows and iOS clients (cert-based auth is the only working way to use VPN on demand and split tunneling on iOS) can connect, the office mode address is assigned and routing seems to be correctly set on the client, but traffic does not reach internal sites.

When the client is connected, the UI VPN/Connected remote users does not show that the users are connected.

Is this a known issue, and is there a solution? This completely breaks functionality.

Thanks

Chris_Atkinson
MVP Platinum CHKP

Suggest this will need an SR with TAC if not already?

Please also confirm the build of R82.00.10 image used and the applicable Endpoint client version/s?

CCSM R77/R80/ELITE
PhoneBoy
Admin

What build of R82.00.10 did you load?
There's a known issue with certificate validation in some releases: https://support.checkpoint.com/results/sk/sk184766
My understanding is that build 998002133 (currently linked in the R82.00.10 SK) should contain the CRL fix. 

HerbertP
Explorer

The build 998002133 is exactly the version I have loaded. This seems to be an issue where, after successful authentication, the traffic on the SMB device is not linked to the user that has been authenticated.
When the clients are connected and authenticated, I can see traffic drops originating from the client's office mode IP. When I add a rule src:<dynamic-office-mode-ip>, the traffic passes instead of being matched via the remote access rule (user, not group) that worked in previous versions.

Additionally, the gateway UI does not show the connected user as authenticated.

To me this is a bug on the gateway side.

PhoneBoy
Admin

You wouldn't be getting this far if the CRL bug were involved.
Suggest a TAC case here.
