Question


Checkpoint VPN Vista problem

By neel04
I have Vista Home Premium on my Laptop. I downloaded Checkpoint's NGX R60 HFA-02. I was able to enter the site address, enter my userid and password and choose a mode (I tried both modes). Then it tries to connect and after about five minutes, I get the following message:

Action Failed
Operation timed out.
This may have happened because your network connection is slow, or because of a communication problem.
Click Cancel and try later, or click Back if you want to retry now.

My internet connection seems fine. I was able to connect via Checkpoint with my other computer which has XP on it. I cannot use this computer as it's not working properly.

Is this a Vista problem? If it is, how do I solve this? Please help.


All Answers


Solution (but with cost!)

by james.cameron In reply to Checkpoint VPN Vista prob ...

Just to let you know I was having the same problem and have upgraded from Home Premium to Ultimate today, and now I can connect fine to the site using Checkpoint's NGX R60 HFA-02.
Guess securemote is relying on some of the networking/domain capabilities that are missing on the Vista Home editions.


Vista Business doesn't seem to work either

by chris.brown In reply to Solution (but with cost!)

Downloaded NGX HFA02 to a pre-installed Vista Business on a new Sony laptop.

Installed OK (or seemed to), but timeout or failed to communicate after verifying site fingerprint.


Q for James C

by chris.brown In reply to Solution (but with cost!)

James,

Is the Vista Ultimate machine joined to a domain? If so, do domain policies disable or otherwise set any Windows Firewall policies that might have a bearing?

Thanks,

Chris


Vista

by simon.rayfield In reply to Checkpoint VPN Vista prob ...

I have the same problem with Timeout on certification using latest 02 version of VPN-1 on Vista. Did you resolve the issue?


More info on failure

by chris.brown In reply to Checkpoint VPN Vista prob ...

I tried logging the Windows Firewall to ensure it wasn't blocking anything required for SR to connect. Here's what showed up in the logs (IP addresses changed):

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-10-30 14:00:43 ALLOW TCP 127.0.0.1 127.0.0.1 50429 50428 0 - 0 0 0 - - - SEND
2007-10-30 14:00:43 ALLOW TCP 127.0.0.1 127.0.0.1 50429 50428 0 - 0 0 0 - - - RECEIVE
2007-10-30 14:00:43 ALLOW TCP 127.0.0.1 127.0.0.1 50431 50430 0 - 0 0 0 - - - SEND
2007-10-30 14:00:43 ALLOW TCP 127.0.0.1 127.0.0.1 50431 50430 0 - 0 0 0 - - - RECEIVE
2007-10-30 14:00:43 ALLOW TCP 127.0.0.1 127.0.0.1 50433 50432 0 - 0 0 0 - - - SEND
2007-10-30 14:00:43 ALLOW TCP 127.0.0.1 127.0.0.1 50433 50432 0 - 0 0 0 - - - RECEIVE
2007-10-30 14:00:43 ALLOW TCP 127.0.0.1 127.0.0.1 50435 50434 0 - 0 0 0 - - - SEND
2007-10-30 14:00:43 ALLOW TCP 127.0.0.1 127.0.0.1 50435 50434 0 - 0 0 0 - - - RECEIVE
2007-10-30 14:00:45 ALLOW TCP 127.0.0.1 127.0.0.1 50437 50436 0 - 0 0 0 - - - SEND
2007-10-30 14:00:45 ALLOW TCP 127.0.0.1 127.0.0.1 50437 50436 0 - 0 0 0 - - - RECEIVE
2007-10-30 14:00:45 ALLOW TCP 127.0.0.1 127.0.0.1 50439 50438 0 - 0 0 0 - - - SEND
2007-10-30 14:00:45 ALLOW TCP 127.0.0.1 127.0.0.1 50439 50438 0 - 0 0 0 - - - RECEIVE
2007-10-30 14:01:22 ALLOW TCP 1.1.1.1 2.2.2.2 50440 264 0 - 0 0 0 - - - SEND
2007-10-30 14:01:23 ALLOW UDP 1.1.1.1 2.2.2.2 49549 500 0 - - - - - - - SEND
2007-10-30 14:01:30 ALLOW TCP 1.1.1.1 2.2.2.2 50441 264 0 - 0 0 0 - - - SEND

Sysinternals TCPView also shows the TCP connection out to the gateway on port 264; there is one quick connection before you get the site fingerprint, then another one that just sits in ESTABLISHED state while SR GUI times out, then sometimes kicks around in ESTABLISHED state for a while after you click Cancel. I've also seen this connection drop quite quickly into TIME_WAIT state, on subsequent connection attempts without restarting SR.

So, Windows Firewall doesn't appear to be the culprit, nothing is logged as dropped that relates to SR.

A similar situation exists if scc is used to try to add a site.

Interestingly, Windows Firewall has had an exception for SR_Diagnostics.exe put in place, but the file does not exist in the referenced location.

Next move I think is to uninstall SR, disable UAC and firewall, log in as the Administrator (not Administrators group member) and re-install, and see if behaviour changes.
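
The check described in the post above (confirming that nothing to or from the gateway was logged as dropped) can be done mechanically. This is an added example, not part of the original post: the function names are hypothetical, the sample reuses the post's placeholder addresses, and the DROP record on port 9999 is constructed for the demonstration.

```python
from collections import Counter

# Constructed sample in the Windows Firewall log layout quoted in the post.
# The final DROP record (port 9999) is invented so the filter has a hit.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-10-30 14:00:43 ALLOW TCP 127.0.0.1 127.0.0.1 50429 50428 0 - 0 0 0 - - - SEND
2007-10-30 14:01:22 ALLOW TCP 1.1.1.1 2.2.2.2 50440 264 0 - 0 0 0 - - - SEND
2007-10-30 14:01:23 ALLOW UDP 1.1.1.1 2.2.2.2 49549 500 0 - - - - - - - SEND
2007-10-30 14:01:30 ALLOW TCP 1.1.1.1 2.2.2.2 50441 264 0 - 0 0 0 - - - SEND
2007-10-30 14:01:31 DROP UDP 1.1.1.1 2.2.2.2 49550 9999 0 - - - - - - - SEND
"""

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def gateway_summary(text, gateway_ip):
    """Count (action, protocol, gateway-side port) for gateway traffic only."""
    counts = Counter()
    for rec in parse_firewall_log(text):
        if rec["dst-ip"] == gateway_ip:
            port = rec["dst-port"]
        elif rec["src-ip"] == gateway_ip:
            port = rec["src-port"]
        else:
            continue  # loopback chatter and unrelated hosts
        counts[(rec["action"], rec["protocol"], port)] += 1
    return counts

def dropped(text, gateway_ip):
    """Return the DROP entries involving the gateway, sorted."""
    return sorted(k for k in gateway_summary(text, gateway_ip) if k[0] == "DROP")

if __name__ == "__main__":
    for key, n in sorted(gateway_summary(SAMPLE_LOG, "2.2.2.2").items()):
        print(*key, n)
    print("dropped:", dropped(SAMPLE_LOG, "2.2.2.2"))
```

An empty result from `dropped()` only rules out the local firewall; it says nothing about what the gateway does with the packets it receives.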


Still no joy

by chris.brown In reply to More info on failure

Installing SR as Administrator with firewall and UAC off didn't work.

My VPN-1 gateway logs confirm what's happening; SR connects on fw1-topo service briefly, there's a connect on IKE (UDP 500), the gateway sees my account login correctly (SecurID, so I know it's actually sending the details I key in over to the gateway), and one last accept on the fw1_topo service.

After that, SR just times out.

I tried opening a Command Prompt with administrator rights and using the batch files in the Program Files\CP\SR folder, hoping there was some part of the install that had failed, but nothing changes anything.

I wonder if the people with it working are on a domain, and this has some bearing somehow?


Yet more info

by chris.brown In reply to Still no joy

1. It connects to an NG R55 box on another site, so it's installed correctly. The gateway that doesn't work is NG FP3.

2. I ran a tcpdump on the FP3 gateway while trying to connect, and it looks like the fw_topo service is being hit quite a lot, then the client sends a push-flagged packet, to which the gateway responds with a reset (edited IPs):

20:24:23.821841 O 11.12.13.254.264 > 13.12.11.75.49476: . ack 287 win 16384
20:24:36.755075 I 13.12.11.75.49476 > 11.12.13.254.264: P 287:316(29) ack 6034 win 257
20:24:36.755197 O 11.12.13.254.264 > 13.12.11.75.49476: R 1127223387:1127223387(0) win 0


I've given up

by chris.brown In reply to Yet more info

I just don't think it will work with FP3 - the gateway is resetting the fw_topo service connection, and logging nothing. I tried matching settings (as far as possible) with the R55 gateway that worked, but that made no difference.

I'm uninstalling SR and sticking with my old XP laptop until I get chance to put in a different VPN solution.


Without trying - AN ANSWER!

by chris.brown In reply to I've given up

After giving up on securemote, I thought I'd at least use my Vista laptop on another site with a LAN-to-LAN VPN to my office.

Short story, Outlook 2007 would not synch my mailbox over the VPN, and had constant connection failures and timeouts.

I found some articles that suggested opening a Command Prompt with Administrator rights, and running the following command: netsh interface tcp set global autotuninglevel=disabled

Reboot, and Outlook now worked. Hmm, would this affect Securemote?

Of course it did! I now have SR getting site details, and connecting, and Outlook synching over the SR VPN.

Now to fix all my other software that fails under Vista...
