CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: VPN Problem 10% of User

  1. #1

    VPN Problem 10% of User

    Hello all,

    Today I had a strange problem. I have about 140 remote user tunnels running on an HA cluster of Check Point 4800s in ClusterXL. About 10% of the users had problems logging in remotely.
    The tunnel was established but no traffic was sent. Later came the message that the tunnel was disconnected. On the monitor dashboard I could not find the users connecting to the Check Point.
    Finally I failed the cluster over with clusterXL_admin down. After the failover the problem was gone. The cluster had been running about 1 year without problems. Is it a good idea to reload the cluster
    in a regular maintenance window, maybe every 3 months?

    Best regards
    Marco

  2. #2

    Re: VPN Problem 10% of User

    Quote Originally Posted by marco_d
    Hello all,

    Today I had a strange problem. I have about 140 remote user tunnels running on an HA cluster of Check Point 4800s in ClusterXL. About 10% of the users had problems logging in remotely.
    The tunnel was established but no traffic was sent. Later came the message that the tunnel was disconnected. On the monitor dashboard I could not find the users connecting to the Check Point.
    Finally I failed the cluster over with clusterXL_admin down. After the failover the problem was gone. The cluster had been running about 1 year without problems. Is it a good idea to reload the cluster
    in a regular maintenance window, maybe every 3 months?

    Best regards
    Marco
    Generally you don't need to reboot or fail over the firewalls on a regular basis. Tough to say what your VPN problem was; it could have been a memory leak or some other kind of bug or resource limitation. On the member with the problem, was there anything interesting logged in $FWDIR/log/vpnd.elg or $CVPNDIR/log/cvpnd.elg around the time of the issue?
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3

    Re: VPN Problem 10% of User

    Quote Originally Posted by ShadowPeak.com
    Generally you don't need to reboot or fail over the firewalls on a regular basis. Tough to say what your VPN problem was; it could have been a memory leak or some other kind of bug or resource limitation. On the member with the problem, was there anything interesting logged in $FWDIR/log/vpnd.elg or $CVPNDIR/log/cvpnd.elg around the time of the issue?
    Thank you for your answer. So the manual failover was on 06 Jul at 11:16. I copied the logs I found. After I did the failover I did a cpstop/cpstart on the cluster member that had the problem.

    I also saw that we missed some updates. I think the last is from 2016. For this I opened a ticket at Check Point because I also have the message that my licence is not entitled to receive updates.


    $FWDIR/log/vpnd.elg

    [ 9885][29 Jun 13:29:25][] Unable to open '/dev/fw6v0': No such file or directory
    [ 9885][29 Jun 13:29:25][] Unable to open '/dev/fw6v0': No such file or directory
    [ 9885][29 Jun 13:29:25][] Unable to open '/dev/fw6v0': No such file or directory
    [ 9885][29 Jun 13:29:25][] Unable to open '/dev/fw6v0': No such file or directory
    [ 9885][29 Jun 13:29:25][] Unable to open '/dev/fw6v0': No such file or directory
    [ 9885][29 Jun 13:57:06][] SvcSk_close: refraining from closing socket -1
    [ 9885][6 Jul 11:16:30][] fwd child 9885 exiting

    [ 9885][6 Jul 11:16:30][] atexit_handler called
    [vpnd 16256 1971254976]@CP02[6 Jul 11:17:26] vpnd: Fri Jul 6 11:17:26 2018

    [vpnd 16256 1971254976]@CP02[6 Jul 11:17:26] ------------ VPND Starting: Fri Jul 6 11:17:26 2018

    [ 16256][6 Jul 11:17:26][] UDPProtocol::SetSocketOpt: SOL_RCVBUF set to 524288
    [ 16256][6 Jul 11:17:26][] UDPProtocol::SetSocketOpt: SOL_RCVBUF set to 524288
    [ 16256][6 Jul 11:23:06][] SvcSk_close: refraining from closing socket -1
    [ 16256][9 Jul 10:11:29][] Unable to open '/dev/fw6v0': No such file or directory



    ###############################################################



    $CVPNDIR/log/cvpnd.elg

    [10 Mar 11:32:41][] CPLogGetMyIp: fwobj_get_myown failed
    [10 Mar 11:32:41][] Failed to initialize ldap configuration
    [10 Mar 11:32:41][] Exception: Could not get data for realm: 'ssl_vpn' - CVPND aborting
    [10 Mar 11:33:41][] CPLogGetMyIp: fwobj_get_myown failed
    [10 Mar 11:33:41][] Failed to initialize ldap configuration
    [10 Mar 11:33:42][] Exception: Could not get data for realm: 'ssl_vpn' - CVPND aborting
    [10 Mar 11:46:23][] CPLogGetMyIp: fwobj_get_myown failed
    [10 Mar 11:46:23][] Failed to initialize ldap configuration
    [10 Mar 11:46:23][] Exception: Could not get data for realm: 'ssl_vpn' - CVPND aborting



    Thanks and regards
    Marco
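The two excerpts above are the kind of material ShadowPeak.com asked for, and the useful first step with them is to line the entries up against the time of the manual failover. The following Python helper is an added example written for this thread, not Check Point's own code and not the poster's. It parses the two line shapes seen in the excerpts (with and without the `[vpnd PID TID]@HOST` prefix), keeps entries within a window around a reference time and counts error-looking messages that repeat. The sample lines are copied from the post; the year 2018 is assumed from the `VPND Starting: Fri Jul 6 11:17:26 2018` line, and the window sizes and error keywords are my own choices.

```python
"""Triage helper for Check Point vpnd.elg / cvpnd.elg excerpts.

Added example for this thread; it is not Check Point code and not the
poster's. It parses the two line shapes seen above (with and without the
'[vpnd PID TID]@HOST' prefix), keeps entries in a window around a reference
time and counts repeated error-looking messages.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Sample lines copied from the post. The .elg timestamps carry no year;
# 2018 is assumed from the "VPND Starting: Fri Jul 6 11:17:26 2018" line.
VPND_SAMPLE = """\
[ 9885][29 Jun 13:29:25][] Unable to open '/dev/fw6v0': No such file or directory
[ 9885][29 Jun 13:29:25][] Unable to open '/dev/fw6v0': No such file or directory
[ 9885][29 Jun 13:57:06][] SvcSk_close: refraining from closing socket -1
[ 9885][6 Jul 11:16:30][] fwd child 9885 exiting
[ 9885][6 Jul 11:16:30][] atexit_handler called
[vpnd 16256 1971254976]@CP02[6 Jul 11:17:26] ------------ VPND Starting: Fri Jul 6 11:17:26 2018
[ 16256][6 Jul 11:17:26][] UDPProtocol::SetSocketOpt: SOL_RCVBUF set to 524288
[ 16256][9 Jul 10:11:29][] Unable to open '/dev/fw6v0': No such file or directory
"""
CVPND_SAMPLE = """\
[10 Mar 11:32:41][] CPLogGetMyIp: fwobj_get_myown failed
[10 Mar 11:32:41][] Failed to initialize ldap configuration
[10 Mar 11:32:41][] Exception: Could not get data for realm: 'ssl_vpn' - CVPND aborting
[10 Mar 11:33:41][] CPLogGetMyIp: fwobj_get_myown failed
"""
LOG_YEAR = 2018                           # assumption, see above
FAILOVER = datetime(2018, 7, 6, 11, 16)   # manual failover named in the post

# "[ 9885][29 Jun 13:29:25][] msg", "[vpnd 16256 1971254976]@CP02[6 Jul 11:17:26] msg"
# and "[10 Mar 11:32:41][] msg" all match; the leading PID block is optional.
LINE_RE = re.compile(
    r"^(?:\[(?:vpnd\s+)?\s*(?P<pid>\d+)(?:\s+\d+)?\](?:@(?P<host>\S+?))?)?"
    r"\[(?P<day>\d{1,2}) (?P<mon>[A-Z][a-z]{2}) (?P<time>\d{2}:\d{2}:\d{2})\]"
    r"(?:\[\])?\s*(?P<msg>.*)$"
)

# Words that mark a line as worth counting; my own choice, not a Check Point list.
ERROR_WORDS = ("failed", "aborting", "unable", "exception", "exiting")


@dataclass
class Entry:
    when: datetime
    pid: Optional[int]
    host: Optional[str]
    msg: str


def parse_elg(text: str, year: int = LOG_YEAR) -> List[Entry]:
    """Parse .elg lines into Entry objects; lines of an unknown shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['day']} {m['mon']} {m['time']} {year}",
                                 "%d %b %H:%M:%S %Y")
        pid = int(m["pid"]) if m["pid"] else None
        entries.append(Entry(when, pid, m["host"], m["msg"].strip()))
    return entries


def entries_near(entries: List[Entry], ref: datetime,
                 before: timedelta = timedelta(days=1),
                 after: timedelta = timedelta(hours=2)) -> List[Entry]:
    """Entries whose timestamp falls in [ref - before, ref + after]."""
    return [e for e in entries if ref - before <= e.when <= ref + after]


def recurring_errors(entries: List[Entry], min_count: int = 2) -> List[Tuple[str, int]]:
    """Error-looking messages that repeat, most frequent first."""
    counts = Counter(e.msg for e in entries
                     if any(w in e.msg.lower() for w in ERROR_WORDS))
    return [(msg, n) for msg, n in counts.most_common() if n >= min_count]


if __name__ == "__main__":
    for name, text in (("vpnd.elg", VPND_SAMPLE), ("cvpnd.elg", CVPND_SAMPLE)):
        entries = parse_elg(text)
        print(f"{name}: {len(entries)} entries, "
              f"{len(entries_near(entries, FAILOVER))} within the failover window")
        for msg, n in recurring_errors(entries):
            print(f"  {n}x {msg}")
```

Run against the excerpts above, it shows that nothing in the cvpnd.elg excerpt falls anywhere near the failover (every line is dated 10 Mar, so that excerpt does not cover the incident at all), and that the only repeated vpnd.elg error is the `/dev/fw6v0` one, which appears both a week before and three days after the failover and so does not line up with the incident. The same helper can be pointed at the full files from the affected member; widen `before` and `after` if the window around the event is uncertain.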

  4. #4

    Re: VPN Problem 10% of User

    Quote Originally Posted by ShadowPeak.com
    Generally you don't need to reboot or fail over the firewalls on a regular basis. Tough to say what your VPN problem was; it could have been a memory leak or some other kind of bug or resource limitation. On the member with the problem, was there anything interesting logged in $FWDIR/log/vpnd.elg or $CVPNDIR/log/cvpnd.elg around the time of the issue?
    I disagree with that statement. Unfortunately, we are living in a real world and software, especially Check Point software, is written by humans and has a lot of flaws. Check Point seems to have more flaws than other vendors.

    You should schedule a FW reboot at least every 4 months to prevent issues like this.

    My 2c

  5. #5

    Re: VPN Problem 10% of User

    Quote Originally Posted by cciesec2006
    I disagree with that statement. Unfortunately, we are living in a real world and software, especially Check Point software, is written by humans and has a lot of flaws. Check Point seems to have more flaws than other vendors.

    You should schedule a FW reboot at least every 4 months to prevent issues like this.

    My 2c
    Certainly that would agree with what I get quite a bit from TAC, advising to reboot semi-regularly. Depending upon how often you deploy the GA Jumbo Hotfixes, you are likely to be getting reboots on a semi-regular basis from patching.

  6. #6

    Re: VPN Problem 10% of User

    Quote Originally Posted by cciesec2006
    I disagree with that statement. Unfortunately, we are living in a real world and software, especially Check Point software, is written by humans and has a lot of flaws. Check Point seems to have more flaws than other vendors.

    You should schedule a FW reboot at least every 4 months to prevent issues like this.

    My 2c
    I disagree.
    Code:
    [Expert@MyFW01:0]# uptime
     12:47:59 up 972 days,  6:38,  1 user,  load average: 0.00, 0.01, 0.00
    That's the active member of one of my clusters (name changed, of course). It's still running R67 (long, stupid story), and has been one of the most stable pieces of my infrastructure. It terminates VPNs on an Internet connection.

    On my more current systems, I'm currently working to establish a routine patch cadence. That will involve a regular reboot, at least until Check Point works out how to kill -HUP processes in their install script.



    Back on topic, I would enable IKE debugging on all firewalls which terminate VPNs as a standard operating procedure. It logs very little data per negotiation, but the data it logs is extremely high-value for troubleshooting. If the problem recurs, collect a packet capture, vpnd debug, and drop debug. It's essentially impossible to troubleshoot most issues retrospectively, as relevant information isn't logged by default.
    Zimmie
