The problem was, once the site is created in the VPN client, it automatically downloads the topology information and stores it in the userc.C file in the SecuRemote/database directory. When we observed the firewall logs (using SmartView Tracker) we observed that the IKE connection was sent to one of the interfaces of our Check Point gateway, which should not be the case. Received notification: invalid id information" "Negotiation with gateway xxxx at site x.x.x.x has failed. When they use an ADSL connection or a HSPA connection they can connect to that particular gateway but when they try to establish the same connection through our perimeter Check Point gateway the connection fails stating, Some of the staff members want to establish Remote Access VPN connections with another Check Point gateway. Recently we encountered a strange SecureClient behaviour in some internal users. Anything else and you are subject to the pain I went through with failed logins for no obvious reason.Our company's head-office is running a Check Point UTM-1 firewall cluster at the perimeter. The best option here is to insure there are no ambiguous usernames and use the no display option.
However, if a DC for ANY domain is not available, the client waits and the 45 second window for establishing a VPN tunnel is exceeded. So if I have a JohnDoe in domain A and also one in domain B, SecureClient will supposedly pop a dialog box at the client to ask the user which one they are so it can match credentials. The option to display assumes that you have multiple domains and may therefore have multiple users with the same login name. The reason I experienced the timeouts was explained to me by R&D: As it turns out, this is a setting where the other available choices seem like a good idea if you have multiple AD Domains, it is not. In Global Properties -> SmartDirectory (LDAP) -> Display User's DN at Login, I changed the setting to "Don't Display". When they do, the fingerprint changes and authentication to that server fails because what CP has stored no longer matches.Ģ) The timeouts I experienced are caused by a setting in Global Properties. What happens is that the MS servers frequently self auto-renew those certs. This is per CP R&D in Israel as OK to do. You can fetch the fingerprint to verify connectivity, but then you should blank it out again.
Just thought I would follow up on this old post with 'what I know now and wish I knew then'.ġ) When using encrypted LDAP lookups (using SSL on TCP 636 vs unencrypted 445), leave the fingerprint of the Domain Controller BLANK. From the looks of that SK, I went the wrong way but it still doesn't make any sense to me why.Īnyone know more about how this functions and can possibly help me understand this better so I can fix it? During testing, I saw this issue a few times so I increased the timeout value. I did change the default time for LDAP timeouts on my gateways when I was setting this up and testing it. My AD servers were online the entire time and capable of taking LDAP queries. The issue has once again resolved itself without me changing a single thing. When I checked the logs, I found that error I've listed above in a lot of drop entries for every user during that time frame. However, last night, at 1 AM, with <1000 active connections (peak time average is 24k), I had users who couldn't connect. In general, it seems to work fine 99% of the time, even at peak usage during the middle of the day. I've had this happen several times since cutting over from internal user accounts + radius to SMDR at the beginning of the year and thought I had everything setup correctly for my ~1600 VPN users. The error message I'm getting is: "reason: Client Encryption: Could not obtain user object. Pretty much following the same procedure that is used by many of our forum users today: (Updated link to newer procedure)Ĭould somebody please help me out with a better explanation on this issue than the one in sk31345?
CHECK POINT VPN 1 SECUREMOTE TOPOLOGY REQUESTS INSTALL
SecureClient is licensed properly and I do pre-configured install packages for my users so they don't screw up the settings. Gateways set to custom search order priority based on site location and local topology Multiple sites with AD servers local at each site R60 HFA_04, R65 HFA_02 and R65 (2.6) gateways (All SPLAT w/new mode Active/Passive clusters)
0 kommentar(er)
