CPUG

The Check Point User Group

A Resource For The Check Point Community. Fast. Useful. Independent.



#1, 2008-03-18, caro06 (Junior Member, 7 posts)
SNX connection issue - no certificate popup

Hi

I have problems when connecting to the SSL gateway.
Distributed architecture:
SmartCenter NGX R65 Win with SNX eval license
2 enforcement modules NGX R60 Nokia IP350

I configured it as explained in the VPN guide, but when I try to connect to the gateway (https), I can't obtain the certificate popup.

It seems that the gateway has no certificate ???

In the vpnd.elg, I get the following errors:

[vpnd 645 4796928]@fw1[17 Mar 18:17:27] VPN-1 daemon: starting debug - Mon Mar 17 18:17:27 2008

[vpnd 645 4796928]@fw1[17 Mar 18:17:28] vpn_trap: received RESTART_NEGS_WITH_IKESA
[vpnd 645 4796928]@fw1[17 Mar 18:17:28] vpn_restart_negs: Restart all negs with peer 00000000 and icookie 494a85c3c677be24
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] fwasync_conn_params: <ac105003,443> -> <ac105004,1521>
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] async_mux_data_handler: Try connection type TCPT with 0 bytes
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] async_mux_data_handler: Connection type got 0, needs 4 bytes
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] async_mux_data_handler: Wait for 4 more bytes
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] async_mux_data_handler: Try connection type TCPT with 4 bytes
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] async_mux_data_handler: Try connection type SSL with 4 bytes
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] async_mux_data_handler: Connection is of type SSL.
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] fwasync_set_opaque: 59: purging opaque 43944c0
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] ssl_new_conn_handler: entering with 4 read bytes
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] ssl_new_conn_handler: accepted new connection from 172.16.80.4:61701
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] ckpSSL_PrepareConnection: verify mode: 0
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] My SSL Ciphers:
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] Cipher List:
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 0: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 1: DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 2: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 3: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 4: RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 5: ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 6: ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5

[vpnd 645 4796928]@fw1[17 Mar 18:17:34] ckpSSL_NegotiateStep: current state = before/accept initialization
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] SSL e stack
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 645:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:856
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] ckpSSL_NegotiateStep: Current step failed. Error is: 336109761
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] ckpSSL_fwasync_connected: no connections err -3
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] ckpSSL_fwasync_close: start shutdown
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] ckpSSL_ShutdownHandler: rc=1 (0) SSLv3 read client hello B
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] ckpSSL_ShutdownHandler: sync shutdown (fd=59)
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] ckpSSL_Destroy: closed fd 59
[vpnd 645 4799488]@fw1[17 Mar 18:17:46] signals_handler: dispatched signal 30 to handler 0x1b6d0
[vpnd 645 4796928]@fw1[17 Mar 18:17:46] VPN-1 daemon: stopping debug - Mon Mar 17 18:17:46 2008

Thanks for your help
Caroline
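As an added illustration that is not part of Caroline's post: a small Python parser for vpnd.elg debug lines of the kind quoted above. It pulls out the cipher suites the gateway offers, the OpenSSL handshake error, confirms that the decimal value in "Error is: 336109761" is the same number as the hex code 1408A0C1, and flags suites a defender would not want a VPN gateway to offer (the sample lines are a constructed excerpt copied from the log above; the weak-suite rules are this example's own, not Check Point's).

```python
import re

# Constructed sample: a trimmed copy of the vpnd.elg excerpt quoted in the post above.
SAMPLE_LOG = """\
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 0: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 1: DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 3: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 5: ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] 645:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:856
[vpnd 645 4796928]@fw1[17 Mar 18:17:34] ckpSSL_NegotiateStep: Current step failed. Error is: 336109761
"""

# vpnd.elg line: "[vpnd <pid> <thread>]@<host>[<ts>] <msg>"; cipher entries use OpenSSL's description format
LINE_RE = re.compile(r"^\[vpnd (\d+) (\d+)\]@(\S+)\[([^\]]+)\] (.*)$")
CIPHER_RE = re.compile(r"^(\d+): (\S+) (SSLv\d|TLSv[\d.]+) Kx=(\S+) Au=(\S+) Enc=(\S+) Mac=(\S+)$")
# OpenSSL error-stack entry (hex code) and the daemon's decimal echo of the same code
OSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:(\w+):([^:]+):")
STEP_ERR_RE = re.compile(r"Current step failed\. Error is: (\d+)$")

def parse_vpnd_log(text):
    """Collect the gateway's offered cipher suites, handshake errors and weak-suite findings."""
    out = {"ciphers": [], "errors": [], "step_codes": [], "findings": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(5)
        if c := CIPHER_RE.match(msg):
            suite = dict(zip(("name", "proto", "kx", "au", "enc", "mac"), c.groups()[1:]))
            out["ciphers"].append(suite)
            # Au=None is anonymous DH: the client cannot authenticate the gateway at all.
            if suite["au"] == "None":
                out["findings"].append(f"{suite['name']}: anonymous key exchange, no server authentication")
            # SSLv2 and RC4 are obsolete; a VPN gateway should not offer them.
            if suite["proto"] == "SSLv2" or suite["enc"].startswith("RC4"):
                out["findings"].append(f"{suite['name']}: obsolete protocol or cipher ({suite['proto']}, {suite['enc']})")
        elif e := OSSL_ERR_RE.search(msg):
            out["errors"].append({"hex": e.group(1).upper(), "func": e.group(2), "reason": e.group(3)})
        elif s := STEP_ERR_RE.search(msg):
            out["step_codes"].append(int(s.group(1)))
    return out

def diagnose(parsed):
    """Pair each OpenSSL error with the daemon's decimal code (same number, two bases)."""
    report = []
    for err in parsed["errors"]:
        decimal = int(err["hex"], 16)
        report.append({**err, "decimal": decimal, "confirmed": decimal in parsed["step_codes"],
                       "offered": [c["name"] for c in parsed["ciphers"]]})
    return report
```

Running `diagnose(parse_vpnd_log(SAMPLE_LOG))` on the excerpt shows the failure happened while reading the client hello with no cipher in common, so the certificate popup never had a chance to appear; the gateway-side list alone does not say what the client offered.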
#2, 2008-03-25, caro06 (Junior Member, 7 posts)
Re: SNX connection issue - no certificate popup

Hi everybody

I'm posting this message to explain how this issue was solved, in case anybody is interested.
I think the problem was coming from the certificate exchange between the SmartCenter and the modules.
I had to upgrade to R65 anyway, so I began with the SmartCenter, but the problem was still the same. Then I upgraded the modules one by one (IPSO + Check Point packages) and rebooted them.
After that, no more problems, without changing any configuration.
Unfortunately, I didn't test just rebooting or reinitializing SIC before upgrading the modules, so I will never know the exact reason.