CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: utter frustration trying to get 2 680's vpn'd on Certs. IP/presh sec works fine

  1. #21
    Join Date 2007-10-12 | Posts 141

    Re: utter frustration trying to get 2 680's vpn'd on Certs. IP/presh sec works fine

    I did it a slightly simpler way. I threw a quick FTP on my Windows box and transferred it that way. Have it open in InfoView right now.

    Collecting data and will post back. Thanks.

  2. #22
    Join Date 2011-08-02 | Location http://spikefishsolutions.com | Posts 1,648

    That works too, but learn scp as a side project after you've defeated this VPN issue. It doesn't require any network connectivity that isn't already set up if you can SSH to a firewall. Also doesn't require admin privs on your Windows workstation.

  3. #23
    Join Date 2007-10-12 | Posts 141

    Been a long day. Learned a lot.

    Before I even move on to the things below: it looks to me that I'm having a problem with one of the 2 680's. At 1:34 (34 seems pivotal), as these disconnections, while happening at other times, do seem to happen at 34 minutes after every hour. Right as my persistent ping stopped, the one GW issued a "Phase 1 Received Notification from Peer: invalid cookie" changed status to down msg, then a quick mode completion.

    In addition to this, my laptop connected to that device via Checkpoint Endpoint Connect disconnected as well. Does seem that this GW is having its problems.

    Is there anything we can gather from this information? I'm going to change the power supply, do a hard reset back to base firmware and re-install the latest firmware. Anything else I can/should be looking at? Take the info below with a grain of salt. I thought I was honing in on the problem, but now I see I'm still very much in the weeds.

    Under my current configuration the tunnel fails at 33 minutes 51 seconds of each hour.

    Ike logs show one side with no errors. The other side has 1 P1 error.

    Not sure how to interpret the ikelog other than to say the failure seems to be in Phase I??? Does the list of transitions mean that it's failing to negotiate a P1 encryption? Right now my encryption is set to Default (most compatible). Should it be changed to something else?

    Here's something else that I think I just saw: At the time the tunnel came down I also saw my laptop which was connected with "Check Point Endpoint Connect" to the same device become disconnected. This is interesting.

    Also, just saw the tunnel go down 2 more times. First time with a similar message to the security log below, 2nd time with a few malformed payloads and a similar log file below.

    [Attachment: ikelogfailure.jpg]

    Security Log shows this:

    [Attachment: tunnelfail.jpg]
    Last edited by roveer; 2016-04-27 at 01:43.

  4. #24
    Join Date 2011-08-02 | Location http://spikefishsolutions.com | Posts 1,648

    Click on the MM1 - MM 5 packets. You'll need to compare both sides. I think you can run 2 IKE windows at the same time. Read through each.

    If you nail down an encryption method it should lower the amount of data being sent.

    That being said, it seems like Phase I is breaking. Things that happen at this level:

    1. IKE encryption / hash methods.
    2. lifetime values
    3. authentication (Certs in this case).

    What it does not include:
    Encryption domains! This in theory doesn't involve the subnets behind the firewalls.

    I'm guessing a cert issue at the moment. You might need to turn on vpnd debugging also. Again, I haven't troubleshot many cert issues so someone else might need to pipe in.

    If you can, see if you can screenshot those MM1 - MM2 packets. Right-click on that part of the packet and show IKE view from both firewalls.
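    The pattern the two posters are reasoning about (a Phase 1 failure at a fixed minute of every hour, followed by a Quick Mode completion) is worth checking mechanically before swapping hardware. The script below is an added example, not from the thread or from Check Point: it parses constructed log lines in an assumed simplified "timestamp IKE: message" format, keeps only the failure events, and reports whether they cluster at one minute-of-hour and at what interval, which separates a lifetime/rekey-driven drop from random link noise.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines in a simplified "timestamp IKE: message" format
# (not real Check Point output). They model what the thread describes: a Phase 1
# "invalid cookie" notification near :34 each hour, a Quick Mode completion right
# after it, and a later "malformed payload" drop.
SAMPLE_LOG = """\
2016-04-26 23:33:51 IKE: Phase 1 Received Notification from Peer: invalid cookie
2016-04-26 23:33:52 IKE: Quick Mode completion
2016-04-27 00:33:51 IKE: Phase 1 Received Notification from Peer: invalid cookie
2016-04-27 00:33:53 IKE: Quick Mode completion
2016-04-27 01:12:07 IKE: Quick Mode completion
2016-04-27 01:33:50 IKE: Phase 1 Malformed payload
2016-04-27 01:33:52 IKE: Quick Mode completion
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) IKE: (.*)$")

# Message fragments the thread treats as tunnel-down indicators.
FAILURE_MARKERS = ("invalid cookie", "malformed payload")


def parse_events(text):
    """Return (timestamp, message) tuples for every line in the constructed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def failures(events):
    """Keep only events whose message contains a failure marker (case-insensitive)."""
    return [(ts, msg) for ts, msg in events
            if any(k in msg.lower() for k in FAILURE_MARKERS)]


def dominant_minute(failure_events, tolerance=2):
    """Bucket failures by minute-of-hour. Returns (minute, share) where share is the
    fraction of failures within +/-tolerance minutes of the most common minute;
    a share near 1.0 means the drops are clock-periodic, not random link noise."""
    if len(failure_events) < 2:
        return None
    minute = Counter(ts.minute for ts, _ in failure_events).most_common(1)[0][0]
    near = sum(1 for ts, _ in failure_events if abs(ts.minute - minute) <= tolerance)
    return minute, near / len(failure_events)


def gaps_hours(failure_events):
    """Hours between consecutive failures, rounded to 0.01. A flat ~1.0 series points
    at an hourly SA lifetime / rekey on one side rather than at the WAN link."""
    stamps = sorted(ts for ts, _ in failure_events)
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(stamps, stamps[1:])]


if __name__ == "__main__":
    fails = failures(parse_events(SAMPLE_LOG))
    print("failures:", len(fails), "dominant minute/share:", dominant_minute(fails),
          "gaps (h):", gaps_hours(fails))
```

    Feed it the same window of log from both gateways: if only one side shows the failures at the dominant minute, that side's Phase 1 settings (encryption/hash, lifetime, certificate) are the first place to compare.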

  5. #25
    Join Date 2007-10-12 | Posts 141

    Thanks so much for the input. I'm on the road today but will do this when I'm back in front of the traces.

    I didn't see anything that shouted "error" but looking at both sides should tell the story. I'm also looking at the traces to figure out how to sanitize them so I can share.

    I've got 2 1100 units that I can swap in for test but they will be running on 30 day trial license. That might be helpful.

    Roveer

  6. #26
    Join Date 2011-08-02 | Location http://spikefishsolutions.com | Posts 1,648

    If you have 2 more, why don't you put the extras back to back to each other (WAN to WAN) and see if you can recreate the issue? If you can, that tells us it's not related to the production firewalls or anything between them.

    Also means you could upload the test ike files somewhere and not worry about what is visible.

    BTW is there any chance these devices are using PPPoE?

  7. #27
    Join Date 2007-10-12 | Posts 141

    My thoughts exactly. I was thinking about doing that to see if I can duplicate the problem. I might take one and swap it into my current configuration just to see what happens, but if I decide not to do that I might take them and create my own little separate setup to see what happens.

    Thanks,

    Roveer

  8. #28
    Join Date 2007-10-12 | Posts 141

    Here are the IKE logs side by side:

    [Attachment: ike.jpg]

  9. #29
    Join Date 2007-10-12 | Posts 141

    I've configured one of the 1100's and put it on one side of the link. I'm going to see what happens over the next couple of hours. Right now the VPN is up on Certificates.

    I'll throw the other 1100 on the other side of the link if I have to, to see what happens. I'm just having a little trouble getting it to the latest firmware. Both 1100's are on a 30 day trial license and one will update to the latest firmware but the other one won't. Not sure why that's happening.

    Roveer

  10. #30
    Join Date 2007-10-12 | Posts 141

    Interesting. The tunnel has been up for almost an hour now and it just did another Quick Mode completion (3 entries on both sides) and is still up. If it survives the day I'm going to suspect the device on the side that I swapped with the 1100. I'll factory reset it and reconfigure fresh and see what happens.

    Roveer

  11. #31
    Join Date 2007-10-12 | Posts 141

    Tunnel has remained up for 5 hours with the 1100 on one side...

    I'm going to factory reset the 600 and configure it and put it back in place and see if it maintains the tunnel.

    One thing that is different about the 1100 vs the 600 is that the 1100 is running on the 30 day trial license. I have disabled all but the FW & VPN (Remote Access & IPSEC) blades. The 600 was configured in a similar fashion with one exception. The 600 is registered but only has FW, Identity Awareness, Advanced Networking & IPSec VPN blades licensed (expire never). I was told by my CP insider that this should be sufficient for what I am trying to do.

    I guess I should put the 600 back running the trial license and if it keeps the tunnel up I can then activate the license and see if the tunnel fails after an hour or two. If it does then I'd know that this entire problem is license related.

    I'll get to the bottom of this eventually. Remember, the IP/Presh sec VPN works just fine between the two 600's.

    Roveer

  12. #32
    Join Date 2011-08-02 | Location http://spikefishsolutions.com | Posts 1,648

    Quote Originally Posted by roveer:
    Tunnel has remained up for 5 hours with the 1100 on one side...

    I'm going to factory reset the 600 and configure it and put it back in place and see if it maintains the tunnel.

    One thing that is different about the 1100 vs the 600 is that the 1100 is running on the 30 day trial license. I have disabled all but the FW & VPN (Remote Access & IPSEC) blades. The 600 was configured in a similar fashion with one exception. The 600 is registered but only has FW, Identity Awareness, Advanced Networking & IPSec VPN blades licensed (expire never). I was told by my CP insider that this should be sufficient for what I am trying to do.

    I guess I should put the 600 back running the trial license and if it keeps the tunnel up I can then activate the license and see if the tunnel fails after an hour or two. If it does then I'd know that this entire problem is license related.

    I'll get to the bottom of this eventually. Remember, the IP/Presh sec VPN works just fine between the two 600's.

    Roveer

    I should have some free time this weekend. If you want I could give you a call to discuss. Maybe we could do a screen share session and take a look at it.

  13. #33
    Join Date 2007-10-12 | Posts 141

    Thank you so much for the generous offer. I'm not going to be around this weekend so nothing much will happen.

    The tunnel was still up this morning on the 1100 and I spent some time last night resetting and re-configuring the original 600 that appears to be causing the problem. I just haven't had the opportunity to swap it with the 1100. Since I have FIOS I have to call Verizon when I do equipment swaps and have the lease dropped. Either that or wait 2 hours for it to happen automatically. Believe it or not, my home is a production environment and I have to think about service disruptions. Gotta keep the customers happy. :)

    So I'll swap the 600 back in on its fresh config, do the cert swap and set up the CERT-VPN. I've spent so much time over the past 2 weeks I now know my way around the 600/1100 very well.

    I'm really hoping that the tunnel stays up on the 600. I bought these knowing the other blades would be disabled and I only wanted FW & IPSec VPN. I got 680's for max throughput. It's all about speed across the tunnel. I've also heard that running the other blades can contribute to performance degradation so I'm more than happy not running them.

    We are a very small construction company that likes to have robust enterprise grade equipment when possible, but my budget is basically 0. I ran VPN-1 EDGE for 7 years without a hitch, but now that WAN speeds are going up I decided it was time to get some more horsepower across that link. I move data off-site every night and use it to get access back to the office when necessary. It also serves our remote access needs.

  14. #34
    Join Date 2011-08-02 | Location http://spikefishsolutions.com | Posts 1,648

    Quote Originally Posted by roveer:
    Thank you so much for the generous offer. I'm not going to be around this weekend so nothing much will happen.

    The tunnel was still up this morning on the 1100 and I spent some time last night resetting and re-configuring the original 600 that appears to be causing the problem. I just haven't had the opportunity to swap it with the 1100. Since I have FIOS I have to call Verizon when I do equipment swaps and have the lease dropped. Either that or wait 2 hours for it to happen automatically. Believe it or not, my home is a production environment and I have to think about service disruptions. Gotta keep the customers happy. :)

    So I'll swap the 600 back in on its fresh config, do the cert swap and set up the CERT-VPN. I've spent so much time over the past 2 weeks I now know my way around the 600/1100 very well.

    I'm really hoping that the tunnel stays up on the 600. I bought these knowing the other blades would be disabled and I only wanted FW & IPSec VPN. I got 680's for max throughput. It's all about speed across the tunnel. I've also heard that running the other blades can contribute to performance degradation so I'm more than happy not running them.

    We are a very small construction company that likes to have robust enterprise grade equipment when possible, but my budget is basically 0. I ran VPN-1 EDGE for 7 years without a hitch, but now that WAN speeds are going up I decided it was time to get some more horsepower across that link. I move data off-site every night and use it to get access back to the office when necessary. It also serves our remote access needs.

    Gotcha, just so you know the 6xx and the 11xx are the same hardware. The new 7xx and 14xx have much faster CPUs and dual core vs single core.

    Good to hear you seem to be narrowing down the issue.

  15. #35
    Join Date 2015-11-11 | Posts 5

    Hi,
    Also note that a new R77.20.20 firmware has been released with several stability fixes for VPN. One might be the issue you are experiencing.
    Specifically item 01933754 in:
    https://supportcenter.checkpoint.com...ionid=sk110998
    even though this is not a 3rd party remote site.

  16. #36
    Join Date 2007-10-12 | Posts 141

    Quote Originally Posted by netzercp:
    Hi,
    Also note that a new R77.20.20 firmware has been released with several stability fixes for VPN. One might be the issue you are experiencing.
    Specifically item 01933754 in:
    https://supportcenter.checkpoint.com...ionid=sk110998
    even though this is not a 3rd party remote site.

    Good to know.

    Both my boxes are on R77.20.11 (990171471) but when I click "check for updates" it says they are up to date. Why aren't I getting this latest update? Unfortunately, since neither of these boxes is currently under support I can't download or view any documents from my CP account. Based on the fact that neither of these is registered to me since I bought them on eBay, I don't believe I can get them on support.

    For now I'm back on IP/Presh Sec and the VPN is up. Over the weekend I tried some more with certificates and the tunnel was staying up for many hours the most recent being up to about 1pm today. The logs indicate malformed payload then it would come down.

    It's possible that this newer firmware may address this but I'm not getting it automatically and don't have access to it.

    Roveer

  17. #37
    Join Date 2011-08-02 | Location http://spikefishsolutions.com | Posts 1,648

    Yeah, the online update still isn't showing. I did a manual update and it took OK, which I know doesn't help.

  18. #38
    Join Date 2015-11-11 | Posts 5

    Quote Originally Posted by jflemingeds:
    Yeah, the online update still isn't showing. I did a manual update and it took OK, which I know doesn't help.

    It's being suggested via the online update in a gradual manner to devices. It will appear shortly.

    Roveer - if you can send your mac addresses (perhaps here via personal message) it can be specifically opened.

  19. #39
    Join Date 2007-10-12 | Posts 141

    OK, I've got the 20.20 firmware for the 600 and will be applying it to both devices. If this does not resolve the issue I'm just going to go back to ip/presh sec. I can't spend any more time on this at this point. Let's hope for the best. I'll report back.

    -----[edit]-----

    20.20 FW installed on both boxes, vpn set back to Certificate and connected. Now we wait and see if the tunnel stays up. So far it hasn't lasted 24 hours. Let's see what happens now...

    Roveer
    Last edited by roveer; 2016-05-03 at 18:17.

  20. #40
    Join Date 2007-10-12 | Posts 141

    Tunnel lasted the night and is still up. I'm thinking this might be resolved now that I'm on the 20.20 FW. Will continue to monitor.

    -----[edit]-----

    Tunnel is still up 24+ hours. I'm going to consider this one fixed with latest firmware on both sides. Strange that a device that is nearly 5 years old would still have these kinds of issues. Not knowing what was available in previous FW versions I guess it's possible that CERT auth may not have even been available in previous versions so maybe this is only a 1-2 FW versions old problem. Either way, I'm happy that I have it running and hopefully if the IP changes it will dynamically update and reconnect which was the entire purpose of this exercise.

    Thank you to all of those who contributed. I very much appreciate it.

    Roveer
    Last edited by roveer; 2016-05-04 at 21:00.
