Dale_Lobb
Advisor

CheckPoint Mobile Ike Cert error

I have a pair of 1550s clustered through ClusterXL serving as a remote access gateway for a small group of users.  The remote users are all using the CheckPoint Mobile client.

The 1550 SMB cluster is running R80.20.35. These are centrally managed devices, so an upgrade to R81 is not possible yet.

What we see is that after 4 to 8 days of use, all the mobile clients will start throwing an error when they try to set up the VPN tunnel. The error is:

    Connection Failed, VPN-1 server could not find any certificate to use for IKE


The simple work-around we have discovered is to push policy to the 1550 cluster. No changes are required, merely push the policy. The mobile clients all start working immediately again after the policy push is complete.

One oddity about this setup is that the cluster is not using an IPSec certificate from the management server's internal CA. We have instead loaded a cert from a public CA (Sectigo) for this purpose, so that external clients can use the DNS name of the external cluster VIP rather than being required to use the IP address for connections.

Has anyone seen anything like this before?

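A check for the gateway certificate described in this post, added here as an example and not part of the original thread or of Check Point's tooling: given a PEM export of the certificate (the post does not say how the Sectigo cert is exported from the 1550, so the example builds a constructed self-signed stand-in with openssl), it verifies that the cert stays inside its validity window for a given number of days and that its subjectAltName covers the DNS name the clients use for the cluster VIP. The names vpn.example.com and ra.example.com, the 30-day lifetime and the 14-day warning threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: offline validity and SAN checks for a
# gateway certificate using plain openssl against any PEM export.

# Return 0 if the cert is still valid for at least $2 more days.
# `openssl x509 -checkend` does the date arithmetic, so no GNU/BSD date issues.
cert_valid_for_days() {
    pem="$1"; days="$2"
    openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Return 0 if the DNS name $2 appears in the cert's subjectAltName.
# Clients connecting by DNS name need a SAN match, not just a matching CN.
cert_matches_host() {
    pem="$1"; host="$2"
    openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$host"
}

# Print notBefore/notAfter so the window can be compared with how long the
# tunnel kept working (the post reports failures after 4 to 8 days).
cert_window() {
    openssl x509 -in "$1" -noout -startdate -enddate
}

# Constructed stand-in for the gateway cert (assumption): self-signed,
# 30 days, SAN covering the assumed VIP name. Prints the PEM path.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=vpn.example.com" \
        -addext "subjectAltName=DNS:vpn.example.com,DNS:ra.example.com" \
        >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Combined verdict; returns non-zero if either check fails, so it can be
# wired into a cron job or monitoring check against an exported cert.
check_gateway_cert() {
    pem="$1"; host="$2"; min_days="${3:-14}"
    status=0
    if cert_valid_for_days "$pem" "$min_days"; then
        echo "OK: valid for at least $min_days more days"
    else
        echo "WARN: expires within $min_days days (or already expired)"
        status=1
    fi
    if cert_matches_host "$pem" "$host"; then
        echo "OK: SAN covers $host"
    else
        echo "FAIL: no SAN entry for $host"
        status=1
    fi
    return $status
}

# Demo run on the constructed cert: sh cert_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    pem=$(make_test_cert)
    cert_window "$pem"
    check_gateway_cert "$pem" vpn.example.com 14
fi
```

Note that a passing check here only tells you the certificate itself is usable; it says nothing about whether the gateway can locate it, which is the failure mode the error message in this thread points at, and which the policy push workaround appears to reset.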
6 Replies
the_rock
Champion

Not to sound like a stupid question, but did you make sure the VPN cert on the fw is good?

Andy

Dale_Lobb
Advisor

Yes, assuredly. The cert is good until 4/15/2023. And it does work for days at a time, to over a week at a time. BTW: the VPN cert is the "oddity" I mentioned originally.

Ah, unless you meant the remote side. The remote side is using the CheckPoint Mobile client, which I assume has a cert that it creates upon installation.

Thanks for the reply!

Dale

the_rock
Champion

As long as any relevant VPN certs are valid, that's all I was wondering. When did this start happening?

PhoneBoy
Admin

All the various SKs on this suggest the certificate is expired and needs to be renewed.
Perhaps the certificate gets "lost" along the way and a policy install restores the certificate.
This definitely requires a TAC case.

the_rock
Champion

The more I think about it, the more I agree with @PhoneBoy. I can't say I have ever seen an issue like that with a VPN cert in my 15 years dealing with CP... I have seen a case where, if you click on the VPN cert, it says that it's either corrupted or there is some database-related error, but never have I encountered a case like yours. I think a TAC case might be your best bet, as they may suggest further debugging to see what is causing this. It honestly makes no sense to me that a policy push would cause this to go away.

Just to be 100% sure, when you click to view the VPN cert, it does not give any warning or error?

Andy

kaz
Explorer

Did you end up opening a case on this? We renewed our VPN cert just about a week ago (first time in a few major revs) and we saw the same behavior today, and it seems to have subsided after a policy install, even though it's not the first policy install since last week.
