spantazis
Explorer

MULTIPLE DOMAINS IN REMOTE ACCESS VPN

Hello,

We have a cluster of 6400 firewalls. Client based Remote access VPN is enabled for our remote users.

In the beginning, all our users belonged in one domain (on premise AD, not Azure AD). So we configured rules properly (access roles based on OUs in AD, LDAP Groups, etc) for our remote access users.

However we want users from another domain to participate in the remote access VPN configuration. We created all the previous (access roles based on OUs in the other AD, LDAP Groups, etc) but when we try to enter credentials from the 2nd domain we receive the error "Negotiation with site failed". 

Regards,

Ioannis

0 Kudos
7 Replies
Chris_Atkinson
Employee

Do you have multiple LDAP account units configured and what username format are the users attempting to authenticate with?

CCSM R77/R80/ELITE
0 Kudos
spantazis
Explorer

We have configured two LDAP account units. The username format is the user logon name in the AD. This works for users located in one of the LDAP account units but not for the other one.

0 Kudos
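The exchange above turns on the username format: a bare AD logon name carries no domain, so a gateway with two LDAP account units has to decide which directory to ask, while a UPN (user@domain) or down-level name (DOMAIN\user) names the domain explicitly. The following is an added illustration of that routing decision, not Check Point's own logic and not code from this thread; the account-unit names, NetBIOS mapping and user lists are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample data (hypothetical): one LDAP account unit per AD domain,
# each listed with the logon names it knows.
ACCOUNT_UNITS: Dict[str, Set[str]] = {
    "corp.example": {"alice", "bob"},
    "partner.example": {"carol", "bob"},
}

# Down-level (NetBIOS) domain name -> DNS domain of the matching account unit.
NETBIOS_TO_DNS: Dict[str, str] = {
    "CORP": "corp.example",
    "PARTNER": "partner.example",
}


@dataclass
class ParsedLogin:
    user: str
    domain: Optional[str]  # None when the login carried no domain at all


def parse_login(login: str) -> ParsedLogin:
    """Split a login string into user and domain.

    Accepts UPN form (user@dns.domain), down-level form (NETBIOS\\user)
    and a bare logon name, which yields domain=None.
    """
    if "@" in login:
        user, _, domain = login.partition("@")
        return ParsedLogin(user.lower(), domain.lower())
    if "\\" in login:
        netbios, _, user = login.partition("\\")
        # Unknown NetBIOS names map to a domain that no account unit serves.
        return ParsedLogin(user.lower(), NETBIOS_TO_DNS.get(netbios.upper(), netbios.lower()))
    return ParsedLogin(login.lower(), None)


def resolve_account_units(login: str,
                          units: Dict[str, Set[str]] = ACCOUNT_UNITS) -> List[str]:
    """Return the account units that should be asked to authenticate this login.

    A qualified login selects exactly one unit (or none if the domain is
    unknown). A bare logon name is matched against every unit; a result
    with more than one entry means the name is ambiguous across domains,
    and a result with none means no directory knows the user.
    """
    parsed = parse_login(login)
    if parsed.domain is not None:
        return [parsed.domain] if parsed.domain in units else []
    return [dns for dns, members in units.items() if parsed.user in members]


if __name__ == "__main__":
    for attempt in ("alice", "bob", "carol@partner.example", "PARTNER\\bob", "dave"):
        print(f"{attempt!r:28} -> {resolve_account_units(attempt)}")
```

The ambiguous case ("bob" exists in both constructed domains) is the one to watch when adding a second account unit: which directory answers first decides whether the login succeeds, so asking users to authenticate with a domain-qualified name removes the guesswork.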
the_rock
Legend

Usually, that error "negotiation with site failed" would refer to IP or FQDN not responding from the user's machine. Can you have them try with the IP address instead of the FQDN and see if the same problem is there? Also, check the logs in SmartConsole when they try to connect; it should give some clues.

Andy

0 Kudos
Daniel_3
Participant

Did you already try the configuration according to these screenshots to include all LDAP directories?

[Attached screenshots: Screenshot 2023-08-23 153655.png, Screenshot 2023-08-23 153819.png]

0 Kudos
_Val_
Admin

Now, show User Directories please

0 Kudos
spantazis
Explorer

Hi,

The configuration is the same as in the screenshots.

I also tried connecting to the site with the FQDN and with the IP address.

Also attached the log message from the failed connection, policy action is Key Install.

0 Kudos
_Val_
Admin

It looks like your GW is failing to authenticate the user, check VPN logs on the GW side.

0 Kudos