
VPN Troubleshooting

This document is merely a compilation of two things. The first section is a copy of the Word document that was
created by Jason Ni of the Security Engineering Team. The second part is a simplified troubleshooting strategy
that should eliminate many issues.

4 Troubleshooting
The following are some commonly encountered problems with VPN SecuRemote. Most problems can be
solved by understanding the port and protocol requirements used by SecuRemote and making sure that the ports
and protocols can be passed between the SecuRemote PC and the GXS VPN gateway.
The following ports and protocols need to be open between the SecuRemote PC and the GXS NG VPN gateway
(204.90.187.149):
If the PC has an Internet routable IP address (no NAT or proxy):

    TCP Port 264 (Outbound only)               Site Download and Update
    TCP and UDP Port 500 (Bi-Directional)      IKE User Authentication
    ESP (IP Protocol 50) (Bi-Directional)      IPSec ESP VPN Tunnel

If the PC does NOT have an Internet routable IP address (PC is behind a NAT or proxy device):

    TCP Port 264 (Outbound only)               Site Download and Update
    TCP and UDP Port 500 (Bi-Directional)      IKE User Authentication
    UDP Port 2746 (Bi-Directional)             IPSec UDP Encapsulation

1.1 Can Not Create VPN Site

In order to create the new VPN site, your SecuRemote PC must be able to connect to TCP Port 264 and
TCP/UDP Port 500 on the GXS VPN gateway (204.90.187.149).
The most common cause of not being able to create the VPN site is that your local firewall or router blocks access
to the GXS VPN gateway on TCP Port 264 and TCP/UDP Port 500. You should consult with your firewall or
router administrators if you encounter this problem.
VPN authentication (IKE) traffic, by default, uses the UDP protocol. Some routers cannot handle UDP with NAT
(Network Address Translation) very well. Turning on Support IKE over TCP in SecuRemote can usually get
around this problem. Proceed with the following simple steps to turn on Support IKE over TCP:
a. Bring up the VPN-1 SecuRemote window.
b. On the menu bar, click Tools > Advanced IKE Settings.
c. Check Support IKE over TCP as shown below and click OK.
d. On the menu bar, click File > Stop VPN-1 SecuRemote to stop the VPN client. The VPN-1
SecuRemote icon will no longer show in your Windows system tray.
e. Click Start > Programs > Check Point VPN-1 SecuRemote > SecuRemote to restart SecuRemote.
You should now see the SecuRemote envelope icon in the Windows system tray.
f. Try to create the VPN site, using IP address 204.90.187.149.

1.2 Can Download VPN Site But Cannot Pass Application Data

This problem indicates that bi-directional access (between your SecuRemote PC and the GXS VPN gateway) on
the following ports and protocols is blocked on your firewall or router:

    ESP (IP Protocol 50)   - No NAT
    UDP 2746               - If you are using NAT

You should consult with your Firewall or Router Administrators if you encounter this problem.

1.3 MTU Size Problem

We have found that some Internet Service Providers (and sometimes certain routers) have difficulty handling
large packets that are close to the standard Ethernet MTU size limit (1500). When this problem occurs, you
may not be able to create the VPN site, the VPN tunnel may not be able to pass data, or you could encounter major
performance problems. In most cases, reducing the MTU size limit on the SecuRemote PC should resolve the
problem. To change the MTU size limit on the PC, proceed with the following:
a. Close all running applications.
b. Click the 'Start' button on the lower left corner of your computer screen.
c. Select 'Run'.
d. Enter 'C:\Program Files\CheckPoint\SecuRemote\bin\MtuAdjust.exe' (without the quotes) into the box.
e. You will be prompted whether you would like to make the MTU change; click 'Yes' to continue.
f. Check the options EXACTLY as shown below, and change the MTU value to 1428.
g. Click OK to continue.
h. Click Yes to reboot your PC. You MUST reboot your PC in order for the changes to take effect.

Try your VPN connection again when the PC or laptop comes back from the reboot.
Part II
Troubleshooting Information:
SecuRemote General Concept of Use:
SecuRemote loads at machine boot time. If the envelope icon is not in the system tray then it isn't running.
After boot, if the client attempts to either ftp from a program or use Desktop EDI, the IP address will hit the
Ethernet card where SecuRemote is monitoring. If SecuRemote has a Global eXchange Services VPN site
defined then it will prompt for authentication. After authentication the tunnel is built and the client now has a
secure link into the network. This authentication is good for a period of time which is defined on the VPN
gateway. Otherwise, if the machine is rebooted, the program closed, or the network card renewed, it will require
authentication again. The software is designed to be used for communication where a user can enter the
credentials. Users wanting 24x7 unattended ftp do not want this option and should instead pursue the VPN Gateway to
Gateway option.
General Troubleshooting:
Installing and setting up the site for the first time: refer to the document from Jason Ni (the first section of this document).
Note: The MTU utility will not work on Windows NT or Windows 98; a third-party utility would need to be
used.
Note: The software should not be installed for users on a Novell network, as the NG client will interfere with the
Novell client.
Note: Use the IP address first when troubleshooting, as DNS may try to resolve to the company's local servers
and confuse the troubleshooting process.
Troubleshooting Steps:
1. Does the client have a site within the software?
2. Right-click on SecuRemote, select Stop VPN-1 SecuRemote, then go to Start > Programs > Check Point VPN-1
SecuRemote > SecuRemote.
3. From a command prompt, preferably c:\>, have the client type ftp x.x.x.x (IP host destination). This should
cause the SecuRemote software to prompt for authentication.
- If the request for authentication does not occur, have the client go into SecuRemote/Tools/Rebind
Adapters. This will require a reboot.
- If the request for authentication does not occur after the reboot, then the client has some
type of proxy or firewall client on the machine that is intercepting the packet before it hits the card, so
that the SecuRemote software never sees it. They will need to either disable, remove or configure the
offending software.

Note: VPN software will not work through a proxy, as it breaks the security of the packet.
- If the request for authentication occurs, make sure the client receives the successfully authenticated
message:
Error with credentials: the UserID/Password is incorrect or in the wrong CASE.
Error communicating with site: either UDP/TCP port 500 is not open bidirectionally,
or the client's router/switch cannot handle UDP port 500 and the Tools/Advanced IKE Settings
option Support IKE over TCP should be used.
- Client receives successful authentication but the ftp welcome message is not received:
Have the user attempt ftp x.x.x.x again, as it may have timed out while the client entered the
credentials. Keys must be exchanged first before packets can be put through the tunnel.
If the client still does not receive the ftp welcome message, then UDP port 2756 is not open bidirectionally.
This option can be forced by going into SecuRemote/Tools/Advanced IKE Settings/Force
UDP Encapsulation; the client should automatically use this option, but forcing it would
guarantee it.

4. Client can log on but has trouble sending/receiving larger packets; this usually occurs on DSL connections.
The client will have to adjust the MTU using the MtuAdjust.exe program as mentioned in the above
documentation.
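The port tables and sections 1.1 and 1.2 of the first part, and step 3 of the Troubleshooting Steps above, all come down to the same question: which of the required paths between the SecuRemote PC and the gateway is actually reachable. The following script is an added example, not part of the GXS document and not Check Point's own tooling. It encodes the document's two tables, probes the two TCP ports (264 and 500) with a plain connect, and maps the result onto the document's sections. It assumes Python 3 on the client PC; the names `required_for`, `probe_tcp` and `diagnose` are hypothetical. UDP 500, ESP and UDP 2746 cannot be confirmed by a TCP connect, so the script only tells the operator which of those to have the firewall/router administrator verify.

```python
# Added example (not from the GXS document or Check Point): a pre-check that
# tests the document's TCP port requirements and maps the outcome onto its sections.
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

GATEWAY = "204.90.187.149"  # GXS NG VPN gateway address given in the document


@dataclass(frozen=True)
class Requirement:
    proto: str            # "tcp", "udp" or "esp"
    port: Optional[int]   # None for ESP: IP protocol 50 carries no port number
    direction: str
    purpose: str


# Rows of the document's two tables (common rows, then the variant rows).
COMMON = [
    Requirement("tcp", 264, "outbound only", "Site download and update"),
    Requirement("tcp", 500, "bi-directional", "IKE user authentication"),
    Requirement("udp", 500, "bi-directional", "IKE user authentication"),
]
ROUTABLE_ONLY = [Requirement("esp", None, "bi-directional", "IPSec ESP VPN tunnel")]
NAT_ONLY = [Requirement("udp", 2746, "bi-directional", "IPSec UDP encapsulation")]


def required_for(behind_nat: bool) -> List[Requirement]:
    """Return the table rows that apply to a PC behind NAT (or with a routable address)."""
    return COMMON + (NAT_ONLY if behind_nat else ROUTABLE_ONLY)


def probe_tcp(host: str, port: int, timeout: float = 3.0,
              connect: Callable = socket.create_connection) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.

    `connect` is injectable so the function can be exercised without a network.
    """
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(tcp_results: Dict[int, bool], behind_nat: bool) -> str:
    """Map TCP probe results onto the document's troubleshooting sections.

    A TCP probe covers the site download (264) and IKE over TCP (500) paths only;
    UDP 500, ESP and UDP 2746 are reported for the administrator to verify.
    """
    blocked = sorted(port for port, ok in tcp_results.items() if not ok)
    if blocked:
        return ("1.1 Can Not Create VPN Site: TCP port(s) %s to the gateway are blocked; "
                "have the local firewall/router administrator open them"
                % ", ".join(str(p) for p in blocked))
    tunnel = ("UDP 2746 (IPSec UDP encapsulation)" if behind_nat
              else "ESP, IP protocol 50")
    return ("TCP 264 and 500 reachable. If the site downloads but no application data "
            "passes, see 1.2: verify %s is open bi-directionally (not testable by a "
            "TCP probe); if IKE fails behind NAT, enable Support IKE over TCP" % tunnel)


if __name__ == "__main__":
    behind_nat = True  # assumption for the demo; set False for a routable address
    results = {r.port: probe_tcp(GATEWAY, r.port)
               for r in required_for(behind_nat) if r.proto == "tcp"}
    for port, ok in sorted(results.items()):
        print(f"TCP {port}: {'open' if ok else 'BLOCKED'}")
    print(diagnose(results, behind_nat))
```

Run it from the SecuRemote PC before escalating; a blocked TCP 264 or 500 points straight at the local firewall or router (section 1.1), while an all-clear on TCP narrows the remaining suspects to the tunnel protocol the PC's address type requires (section 1.2).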
Basic Comments:
Most issues are related to either the client having a proxy on their machine, incorrect ports opened on their firewall, or
multiple network cards in the PC. In the case of multiple cards in the PC, they will need to unbind the FW-1 adapter
from the cards that it should not be bound to. This applies to Windows 2000 and XP users, as it is easier to do on these
two versions of the Windows OS.
For more advanced troubleshooting you will need to go to your VPN Engineering group and request access to
the management logs or escalate to them directly.
