| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
|
| |||
| Hi, I have just moved our NGX R60 gateway to a new site and changed its external IP address. Site-to-site stuff is working, but SecureClient users can't create the new site. It just says "Error: Communication with site x.x.x.x has failed". I am not a Check Point expert, it is one of many things I have to manage. I have searched this forum but didn't find a fix that worked for me. I am wondering if it is a licensing problem? I have trouble applying the licence for the new IP address and found it pretty confusing, as to exactly what we have got a licence for. I'm wondering if we don't now have a valid licence for remote VPN users? This is what it says in SmartUpdate: Features: cpxp-ci-vpx-50-ngx cpxp-sc1-50-mgmt-ngx License for: VPN-1 Express CI Gateway for 50 users, including A/V. SmartCenter for 1 site; version: NGX; 3DES. If not a licensing problem, does anybody have any suggestions? Remote users can ping the gateway at the new address, but I don't see anything in the log, or in fw monitor, when I try to create the site (except when trying Visitor Mode, but it still fails). |
| |||
| Could the access to the new gateway IP be filtered somehow? Creating a new site uses TCP port 264. Can you connect to that port remotely? telnet <gateway IP> 264 As for the license, that only appears to be a SmartCenter one, not a SecureClient license. Do you have any other licenses? __________________ It's all in the documentation. |
| |||
| I did try that, and no, I could not telnet to the new address on TCP port 264. I am pretty sure there is no firewall blocking that port, so I can only assume that the gateway is dropping those packets. For the licence, I went to the User Center and eventually worked out how to change the IP address. It is a local licence. I then downloaded the .lic file (Check Point also emailed it to me with instructions), and applied it. But yes, I am wondering if you need another licence component for remote access? The other aspects of the VPN/firewall are working fine. Thanks for the ideas. |
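As an added example, not code from this thread or from Check Point, the following Python script does the same check as the telnet test suggested above but classifies the outcome: a SYN that gets no reply at all ("filtered", the symptom described in the reply above) is reported separately from a connection the host actively refuses ("closed"). The `probe_tcp` helper and the local demo are assumptions of mine; TCP 264 is the topology-download port named in the thread.

```python
import socket
import threading

# SecureClient fetches the site topology over TCP 264 when a site is created.
TOPOLOGY_PORT = 264

def probe_tcp(host, port, timeout=3.0):
    """Hypothetical helper (not from the thread): classify one TCP connect attempt.

    Returns 'open', 'closed', 'filtered', 'unresolved' or 'unreachable'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        # No SYN/ACK and no RST within the timeout: something on the path
        # (or the gateway itself) is silently discarding the SYN.
        return "filtered"
    except ConnectionRefusedError:
        # The host answered with a RST: it is reachable, nothing listens here.
        return "closed"
    except socket.gaierror:
        return "unresolved"
    except OSError:
        # e.g. "no route to host" or "network unreachable"
        return "unreachable"

def demo_local_probe():
    """Constructed demonstration: probe a local listener, then the same port after it closes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port; 264 is privileged on most hosts
    listener.listen(1)
    port = listener.getsockname()[1]
    # Accept in the background so the probe's handshake completes cleanly.
    acceptor = threading.Thread(target=lambda: listener.accept()[0].close(), daemon=True)
    acceptor.start()
    while_open = probe_tcp("127.0.0.1", port, timeout=2.0)
    acceptor.join(timeout=2.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_open, after_close  # expected: ("open", "closed")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(f"{target}:{TOPOLOGY_PORT} -> {probe_tcp(target, TOPOLOGY_PORT)}")
    else:
        print("local demo:", demo_local_probe())
```

Run it with the gateway's external address as the argument from a remote host and again from the internal network. "filtered" from outside while "open" from inside points at the SYN being dropped before any listener answers, which is where a gateway log or fw monitor capture on the external interface would be the next thing to compare; "closed" from outside would instead mean the packets arrive but nothing is bound to 264 on that address.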
| |||
| Is your gateway configured to listen on all interfaces for RAS VPN? If so, can you make a successful connection from inside (on the trusted network)? If port TCP 264 is blocked as referred to by melipla then a cheat is:
1. Take a copy of the userc.c file and give it to the remote users.
2. Get them to stop the SecureClient services.
3. Copy this file into c:\program files\checkpoint\secureremote\database (from memory), overwriting the one that is there.
4. Start the services back up.
I've used this in the past where users have not been able to create the site because of blocked ports. It's a rough hack, but it worked. Maybe worth a try? |
| |||
| Hmm, I CAN add a new site when coming from the internal network. How do I configure the gateway to listen on all interfaces? I don't remember having to do that before, and I can't see where to configure it. Also, I don't know if this is relevant, but when I go to the Check Point gateway's properties, General tab, and click Get Address it returns the address of an internal adapter, not the external one (this is different behaviour to another Check Point gateway I have elsewhere, which is why I mention it). In the Topology tab, the interfaces are correctly configured for External or Internal. Thanks again for the suggestions. I shall look into the userc.c idea. |
| |||
| Quote:
__________________ It's all in the documentation. |
| |||
| It's actually a Windows 2003 box, not SPLAT or whatever (cue derisive remarks), so no sysconfig. But the main address in the General tab is set (by hand) to the external address, and as I say in Topology the interfaces are correctly configured to External or Internal. It all looks very similar to another Win2003 Check Point box that is working correctly. Except on that one, "Get address" returns the external address. I'm wondering what basis "Get address" uses to select the address? Maybe I will try forcing the external address in VPN tab/Link Selection/IP Selection by Remote Peer. |