Troubleshoot the Check Point integration
Troubleshoot the Check Point integration.
Topics
- No response to sslVPN url
- Unable to connect to web server in private network
- Cannot ssh
- User is unauthorized
- General troubleshooting
No response to sslVPN url
If the browser has no response to sslVPN url , it may be a network connection issue. In the gateway, use command: show route, ping, to see network connectivity information:
Unable to connect to web server in private network
If VPN connections are good, but you are unable to connect to the web server in the private network, check:
- Network routing for the web server
-
Ensure the VPN communities setting contains this private network.
Cannot ssh
If you have problems accessing the terminal via SSH, you can open it in the admin webpage. As shown below:
General troubleshooting
For general troubleshooting, navigate to SmartConsole > Logs&monitor.
Select one of the pre-defined queries such as Query > Access > Mobile Access > All.
User is unauthorized
If you get a User is unauthorized error message, check the policy and also verify the RADIUS group setting, and the group attribute.
In freeRADIUS you can use tcpdump to check if the group attribute number matches with Check Point ( default 25) .
If you are using windows OS, you can use Wireshark to capture packets.
For example:
$sudo tcpdump -i eth0 port 1812 or port 1813 or port 3799 -vv
……
Access-Accept…… Class Attribute (25)<------you will see here RADIUS returned the group using attribute number 25.
To check Check Point RADIUS group attribute values, open GuiDBedit, click Global Properties, firewall_properties, scroll down to radius_groups_attr. See below for an example: