CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

1. CCSA/CCSE One-Week Dual-Certification Training Course with CPUG in San Francisco!
    Courses Starting 10/6, 11/3, 12/8, (2009) 1/19, 2/9, 3/9, 4/6, 5/4, 6/8, 7/6, 8/3, 9/7.
2. Corrent S3500 SecureXL Turbocards For Sale - Last Six Remaining - Get Your Spares!
3. Join Us On LinkedIn - We now have a CPUG group.


Go Back   CPUG: The Check Point User Group > Web Security > Connectra
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
LinkBack Thread Tools Display Modes
#1  2007-10-22
lamerz
Remove specific user connection entry

While trying to figure out what caused my clients to time out using SNX application mode after one hour with the error "VPN failed to update Connectra", I found a way to remove a specific user connection. I thought it could be useful if you don't want to reset everyone and want to clean up some unused connections.

Here's how to kick out the user foobar:

1/ user_monitor start
2/ stattest gettable "1.3.6.1.4.1.2620.1.9004.1" 2 19 32 > userslist.txt
You will need to interrupt this when you get enough users.

3/ sort -u userslist.txt | grep foobar | cut -d',' -f3
We will need to find an id which corresponds to user foobar, let's call it foobar_id.
You can have more than one entry for a user; I don't know what causes this, but on my system it's usually badly closed portal sessions.

4/ fw tab -t cvpn_snx_session -u | grep foobar_id
Now we need to find the user in the table to remove it; we will get what I call idsnx and idsessionsnx.

5/ fw tab -t cvpn_snx_session -x -e "idsnx;idsessionsnx"
With the previously gathered parameters we can remove this user; his open tunnels won't be disconnected, but he'll need to reauthenticate if he launches a new tunnel.

Using 4/ and 5/, clear cvpn_session too to remove the portal entry.

Example:
[Expert@connectra]# fw tab -t cvpn_snx_session -u | grep 47ea4de4
<47ea4de4; 7b9ad000; 3570/3600>

[Expert@connectra]# fw tab -t cvpn_snx_session -x -e "47ea4de4;7b9ad000"
Entry <47ea4de4>
deleted from table cvpn_snx_session

Back to my original problem: it seems that cvpn_snx_session has a 3600s timeout; if you launch SNX application mode, open one SSL tunnel and don't open other tunnels for one hour, this timeout does not refresh itself. If you launch another tunnel after one hour, your currently open tunnel will close and you'll get the error "VPN failed to update Connectra" (very annoying for my users). Check Point provided me a fix I need to test.

PS: used on Connectra R62HFA01
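As an added example (not part of lamerz's post or any Check Point tool), the following POSIX shell wrapper scripts steps 3 to 5: it parses the `fw tab -u` entry format shown above into the `idsnx;idsessionsnx` argument and prints the `fw tab -x -e` command for review instead of running it unless explicitly told to. The layout of userslist.txt beyond field 3, the sample lines, and the assumption that cvpn_session entries use the same format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: `fw tab -u` entry
# lines look like <idsnx; idsessionsnx; used/timeout> as in the post,
# userslist.txt is comma-separated with the session id in field 3 (the other
# fields are a constructed assumption), and cvpn_session entries share the
# same format. Nothing is deleted unless DO_DELETE=yes is set; otherwise the
# exact deletion command is printed so it can be checked first.

# Turn one entry line into the "idsnx;idsessionsnx" argument for -x -e.
# Prints nothing and returns 1 if the line is not an entry.
entry_to_key() {
    printf '%s\n' "$1" \
        | sed -n 's/^<\([0-9a-f]*\); *\([0-9a-f]*\);.*>$/\1;\2/p' \
        | grep .
}

# Step 3: read userslist.txt on stdin and print the distinct ids for a user
# (the post notes one user can have several entries from stale sessions).
user_ids() {
    sort -u | awk -F, -v u="$1" 'index($0, u) { print $3 }' | sort -u
}

# Steps 4 and 5 for one table and one id: look the entry up, then delete it
# (or just show the command when DO_DELETE is not "yes").
remove_session() {
    table=$1; id=$2
    line=$(fw tab -t "$table" -u | grep "$id" | head -n 1)
    key=$(entry_to_key "$line") || {
        echo "no entry containing $id in $table" >&2
        return 1
    }
    if [ "$DO_DELETE" = yes ]; then
        fw tab -t "$table" -x -e "$key"
    else
        echo "would run: fw tab -t $table -x -e \"$key\""
    fi
}

# Usage on the gateway: DO_DELETE=yes sh kick_snx.sh foobar userslist.txt
if [ "$#" -eq 2 ]; then
    for id in $(user_ids "$1" < "$2"); do
        remove_session cvpn_snx_session "$id"
        remove_session cvpn_session "$id"
    done
fi
```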
#2  2007-11-16
RiverStone
Re: Remove specific user connection entry

Lamerz,

Thanks. This will be useful. I have already added it to my notes.

RiverStone