CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Something weird with VPN

  1. #1
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    8

    Default Something weird with VPN

    Hi Guys,

    Would like to share my scenario and wanted to see if any help can be received to troubleshoot my issue. Here is the story:

    1. I had a standalone firewall and a remote firewall being managed by a centralized Mgmt Server.
    2. The Remote Server is being managed using a Public IP, that is, Mgmt is NATted behind a Public IP.
    3. And there was a VPN configured between the local firewall [4600] and this remote firewall [2100].
    4. This Saturday we got one more 4600, hence decided to convert into a VRRP Cluster.
    5. Cluster configuration went properly; however, since that time my VPN between this pair broke and I tried all the possibilities I am aware of to troubleshoot without any luck.
    6. Since both are being managed by the same Mgmt server, obviously it's a certificate-based VPN.
    7. While debugging I noticed that P1 is getting completed while P2 is failing on Packet 2, which states Invalid-Certificate.
    8. After two days of struggle I raised a case with TAC and they struggled as well and finally uploaded the logs with them.

    Any clue, guys, what else could be checked to bring the VPN up?

  2. #2
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    257
    Rep Power
    8

    Default Re: Something weird with VPN

    When you upgrade to a cluster, be aware that the certificate is now issued to the cluster object, not to the individual cluster member nodes.
    There is maybe an older node-based cert causing trouble.

  3. #3
    Join Date
    2014-09-02
    Posts
    356
    Rep Power
    10

    Default Re: Something weird with VPN

    I would try this, in hopes of forcing things a bit:
    - Remove VPN option (uncheck box) on cluster and remote GW (will have to remove both from community first)
    - Install policy to both
    - Re-enable VPN and re-add both to community
    - Re-install policy

    If that doesn't help, here are a couple of questions that may help further investigation:
    - Is the name of the cluster different than the name of the original standalone GW?
    - Is the cluster's "Main IP" (or chosen Link Selection option) the same as the original standalone GW?


    -E

  4. #4
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    8

    Default Re: Something weird with VPN

    Originally posted by slowfood27:
    When you upgrade to a cluster, be aware that the certificate is now issued to the cluster object, not to the individual cluster member nodes.
    There is maybe an older node-based cert causing trouble.

    I did delete the earlier node and installed the policy/database a couple of times. Is there anything else that needs to be taken care of?

  5. #5
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    8

    Default Re: Something weird with VPN

    Originally posted by EricAnderson:
    I would try this, in hopes of forcing things a bit:
    - Remove VPN option (uncheck box) on cluster and remote GW (will have to remove both from community first)
    - Install policy to both
    - Re-enable VPN and re-add both to community
    - Re-install policy

    Let me try that. However, since Remote Access users might be connected to the cluster, it would not be an ideal solution to carry out the said activity.

    If that doesn't help, here are a couple of questions that may help further investigation:
    - Is the name of the cluster different than the name of the original standalone GW? Yes, it is different; does that have to be the same?
    - Is the cluster's "Main IP" (or chosen Link Selection option) the same as the original standalone GW? Yes, previously it was Physical IP; now it's VRRP IP.

    -E

  6. #6
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    8

    Default Re: Something weird with VPN

    Unfortunately I am completely stuck with this issue. Not sure what is wrong; even TAC has been working on the issue for the past 3 days.

    Can someone please help if I send ike debug in private?

  7. #7
    Join Date
    2012-06-13
    Posts
    368
    Rep Power
    8

    Default Re: Something weird with VPN

    Originally posted by blason:
    Unfortunately I am completely stuck with this issue. Not sure what is wrong; even TAC has been working on the issue for the past 3 days.

    Can someone please help if I send ike debug in private?

    OK - Finally I was able to resolve the issue on my own by renewing the cert from the IPsec VPN tab and adding the Public IP address under the masters file instead of the hostname.
    Thanks a ton guys for your valuable input.
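
The fix reported in post #7 included replacing a hostname with the public IP in the masters file. The script below is an added example, not part of the thread and not Check Point tooling, that audits such a file for entries that are hostnames rather than IPv4 literals. It assumes the file consists of bracketed section headers each followed by one entry per line; the section names and addresses in the sample are constructed, and the file path is passed in by the caller.

```shell
#!/bin/sh
# Added example: find masters-file entries that depend on name resolution.
# ASSUMED layout (not shown in the thread): "[Section]" header lines, each
# followed by one management-server entry per line.

# Constructed sample; names and addresses are illustrative only.
sample_masters() {
cat <<'EOF'
[Policy]
mgmt-server
[Log]
203.0.113.10
[Alert]
mgmt-server
EOF
}

# Print "section<TAB>entry" for every entry that is not a valid dotted-quad
# IPv4 address. Reads the file named in $1, or stdin when no file is given.
hostname_entries() {
  awk '
    /^[ \t]*$/ { next }                            # ignore blank lines
    /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
    {
      entry = $1
      n = split(entry, octet, ".")
      is_ip = (n == 4)
      for (i = 1; is_ip && i <= 4; i++)
        if (octet[i] !~ /^[0-9]+$/ || octet[i] + 0 > 255) is_ip = 0
      if (!is_ip) print section "\t" entry
    }
  ' "${1:--}"
}

# Number of hostname entries; 0 means every entry is an IP literal.
count_hostname_entries() {
  hostname_entries "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
sample_masters | hostname_entries
```

Any line it reports is an entry the gateway has to resolve by name before it can reach the management server, which is the dependency the poster removed by switching to the public IP.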
