Jeff-Gao
Explorer

Connection failed: Negotiation with site failed

Dear

My version: R81.10, hotfix T66

I configured the gateway as a VPN gateway. The VPN gateway is located in the internal network, and I mapped it through the internet firewall. The GW VPN port is 10443 in Visitor Mode.

I tested it: I can successfully connect to the VPN from the internal network, but I cannot connect to the VPN from the internet. The connection information is as follows:

(screenshot: 11WX20220911-154952@2x.png)
17 Replies
_Val_
Admin

There can be tons of reasons for that, you need to see the logs both from the FW and the client for more details.

Jeff-Gao
Explorer

Internal PCs connect to the VPN fine, but when I map the VPN GW to the internet with PAT, the client does not work. I think this is a Check Point issue.

If the GW logs are needed, how do I view the GW logs? Thanks!

PhoneBoy
Admin

Is some other device doing the NAT?
This probably won't work if so...

Jeff-Gao
Explorer

@PhoneBoy 

Thanks!

The topology:

internet-----CP 1550 fw------R81.10 virtual fw

The cp-1550 is the edge firewall; the R81.10 virtual FW is the internal VPN GW and is mapped through the cp-1550 firewall.

You said that this probably won't work; why?

PhoneBoy
Admin

What is the precise NAT configuration on the 1550?
Or if that device isn't doing the NAT, what is and what is its precise configuration?

What is the configuration on the R81.10 system with respect to Remote Access?
Did you configure Link Selection and the Visitor Mode port?
I'm fairly certain you cannot "PAT" the Visitor Mode port to a different port (e.g. from 10443 to 443) because of how the client stores/validates this information.
If you set the Link Selection on the R81.10 gateway and the Visitor Mode port to match what your clients actually connect to initially (which means a Link Selection IP of 58.33109.55 and a Visitor Mode port of 10443), it might work.
Without doing that, I would not expect it to work.

Jeff-Gao
Explorer

The R81.10 VPN GW Visitor Mode port is 2443 (I modified the port from 10443 to 2443), and the 1550 maps 2443 to 2443.

For Link Selection, I set the value "Statically NATed IP: 58.33109.55".

the_rock
Champion

Would you mind attaching screenshots of how this is configured? I think it would help us help you solve this. By the way, did it ever work, or is it a brand new config?

Andy

Jeff-Gao
Explorer

This is a new config, configured as follows:

  • Enable IPsec VPN (screenshot: 1.png)

  • NAT-T enabled by default (screenshot: 3.png)

  • The Visitor Mode port is TCP 2443 (screenshot: 4.png)

Below is the RemoteAccess community configuration (screenshots: 5.png, 6.png).
Jeff-Gao
Explorer

The attached file is the endpoint trac.log; I cannot find any relevant errors or alerts in it.

PhoneBoy
Admin

Are you also port forwarding the NAT-T port (4500)?
Because that's where it looks like it is failing, if I'm understanding these debug logs correctly.

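The two conditions PhoneBoy raises above (the edge device must forward the Visitor Mode TCP port without translating it and the Link Selection IP must be the address clients actually dial; the NAT-T port UDP 4500 must also be forwarded) can be turned into a mechanical pre-check of the edge NAT rules. The following is an added example written for this thread, not Check Point tooling or anything from the poster's configuration. The `NatRule` and `GatewayConfig` models, the function name `check_publication`, and all addresses are constructed assumptions; the one fact it adds beyond the thread is that IKE itself uses UDP 500, which is standard.

```python
from dataclasses import dataclass

# Standard ports: IKE on UDP 500, IKE NAT-Traversal on UDP 4500 (the port PhoneBoy
# asks about). The Visitor Mode TCP port is whatever the gateway is configured with.
IKE_UDP_PORT = 500
NAT_T_UDP_PORT = 4500


@dataclass(frozen=True)
class NatRule:
    """One port-forward on the edge device (hypothetical, simplified model)."""
    proto: str          # "tcp" or "udp"
    external_port: int  # port exposed on the public IP
    internal_ip: str    # real address the rule forwards to
    internal_port: int  # port the rule forwards to (== external_port unless PAT)


@dataclass(frozen=True)
class GatewayConfig:
    """Remote Access settings on the internal VPN gateway (hypothetical model)."""
    internal_ip: str
    link_selection_ip: str  # 'Statically NATed IP' handed to the clients
    visitor_mode_port: int  # TCP port configured for Visitor Mode


def check_publication(gw, public_ip, rules):
    """Return a list of (code, detail) findings; an empty list means the edge NAT
    exposes the gateway the way the remote access clients expect."""
    findings = []
    to_gw = [r for r in rules if r.internal_ip == gw.internal_ip]

    # Clients are told to use the Link Selection IP, so it must be the public one.
    if gw.link_selection_ip != public_ip:
        findings.append(("LINK_SELECTION_MISMATCH",
                         f"Link Selection IP {gw.link_selection_ip} != public IP {public_ip}"))

    # Visitor Mode: the public port must equal the gateway's configured port.
    vm_exact = [r for r in to_gw if r.proto == "tcp"
                and r.external_port == gw.visitor_mode_port
                and r.internal_port == gw.visitor_mode_port]
    if not vm_exact:
        findings.append(("VISITOR_MODE_NOT_FORWARDED",
                         f"no TCP {gw.visitor_mode_port} -> {gw.visitor_mode_port} rule"))
    # Any rule that reaches the Visitor Mode port from a different public port is PAT.
    for r in to_gw:
        if (r.proto == "tcp" and r.internal_port == gw.visitor_mode_port
                and r.external_port != gw.visitor_mode_port):
            findings.append(("VISITOR_MODE_PORT_TRANSLATED",
                             f"TCP {r.external_port} is PATed to {r.internal_port}"))

    # IKE and NAT-T must reach the gateway on their own ports, untranslated.
    for port, code in ((IKE_UDP_PORT, "IKE_NOT_FORWARDED"),
                       (NAT_T_UDP_PORT, "NAT_T_NOT_FORWARDED")):
        if not any(r.proto == "udp" and r.external_port == port
                   and r.internal_port == port for r in to_gw):
            findings.append((code, f"no UDP {port} -> {port} rule"))
    return findings


# Constructed sample data: documentation and private ranges, not the thread's addresses.
PUBLIC_IP = "203.0.113.10"
GATEWAY_IP = "10.1.1.10"

# Mirrors the poster's corrected setup: Visitor Mode 2443 forwarded unchanged,
# NAT-T forwarded, Link Selection set to the public IP.
GOOD_GW = GatewayConfig(GATEWAY_IP, PUBLIC_IP, 2443)
GOOD_RULES = [
    NatRule("tcp", 2443, GATEWAY_IP, 2443),
    NatRule("udp", IKE_UDP_PORT, GATEWAY_IP, IKE_UDP_PORT),
    NatRule("udp", NAT_T_UDP_PORT, GATEWAY_IP, NAT_T_UDP_PORT),
]

# The kind of setup PhoneBoy warns against: 443 PATed to 10443, no UDP 500 rule,
# Link Selection still pointing at the private address.
BAD_GW = GatewayConfig(GATEWAY_IP, GATEWAY_IP, 10443)
BAD_RULES = [
    NatRule("tcp", 443, GATEWAY_IP, 10443),
    NatRule("udp", NAT_T_UDP_PORT, GATEWAY_IP, NAT_T_UDP_PORT),
]

if __name__ == "__main__":
    for label, gw, rules in (("good", GOOD_GW, GOOD_RULES), ("bad", BAD_GW, BAD_RULES)):
        print(label, check_publication(gw, PUBLIC_IP, rules) or "OK")
```

Running it reports nothing for the good set and four findings for the bad set, in the order the checks are made. The check is deliberately strict about internal_port == external_port on every rule because that is the property the client cannot tolerate being violated; whether a particular edge device calls this "static NAT", "port forward" or "PAT" does not matter, only the ports that end up on the wire.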
Jeff-Gao
Explorer

Yes, I also map the NAT-T port, but I still cannot connect successfully.

We can connect successfully when I disable SecureXL on both the cp-1550 and the R81.10.

the_rock
Champion

You may wish to contact TAC and have them give you the right flags to debug SecureXL, or refer to the link below:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

PhoneBoy
Admin

If disabling SecureXL "solves" a problem, contact TAC.

Blason_R
Advisor

This is SecureRemote. Have you tried enabling VPN debug and collecting logs from the client side? That should show the reason. Also, what is the VPN Link Selection IP address specified?

the_rock
Champion

The guys definitely brought up all the good reasons. Enable debugs and also collect client logs. But, before all that, make sure all the office mode settings are correct on the gateway.

Blason_R
Advisor

I guess this might not work, since the tunnel_test packet, I believe, might not be able to route back because it's SecureRemote. Since the firewall gives a fake IP address, and here I believe the firewall is behind a NAT device, it would not know where to route the tunnel_test packet.

the_rock
Champion

Good point actually, I did not realize from that screen that it was SecureRemote...
