Hello Guys,
We are having an issue with Mobile Access, where user gets error message (Connection failed You cannot receive an Office Mode IP address because the Security Gateway does not have a license for Office Mode)
The problem started after switching the gateway to threat prevention, it was displayed that IPS trial license is active then we noticed under Mobile Access in the license overview it’s no longer 0/50 users but 0/5.
If I log out of the VPN, my colleague can log in, But if I try to log in again I get the error message.
It looks like the license is being overridden by the trial one (5 users) or something, I can see both in the output of cplic print as below:
#cplic print
Host Expiration Features
trial 20May2023 PNP_BLADE_IPS:V1:trial CPSB-IPS
10.*.*.* never CPAP-SG510X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-SSLVPN-50 CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-URLF CPSB-APCL-S1 CPSB-AV CPSB-ABOT-S CPSB-ASPM CPSB-CTNT CK-00-1C-7F-87-28-99
10.*.*.* never CPAP-SG510X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-SSLVPN-50 CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-URLF CPSB-APCL-S1 CPSB-AV CPSB-ABOT-S CPSB-ASPM CPSB-CTNT CK-00-1C-7F-87-28-99
10.*.*.* never cpvp-snx-25-ngx cpvp-snx-25-ngx cpsb-swb cpvp-snx-5-ngx cpsb-swb cpsb-adnc-m CK-00-1C-7F-87-28-99
Do we have to delete the trial license or what’s recommended in this case?
I noticed at the user center that the product SKU is CPSB-MOB-50, does this mean that CPSB-SSLVPN-50 is not the correct one?
[Expert@mon_vpn_gateway:0]# cvpnd_admin license all
MOB License:
Total used licenses are: 0
MOBMAIL License:
Total used licenses are: 0
[Expert@mon_vpn_gateway:0]#
We are running R80.40 JHF 180
Thanks in advance,
Have you pushed the policy after installing the license?What you’re seeing: CPSB-SSLVPN is correct, its under the CPSB-MOB licensing schemehttps://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk84560&t=1535760000030#:~:text=M%E2%80%A6
Seeing both 50 and 5 is also normal; that’s what I am seeing as well in our deployment; the default 5 is present.
Try running the one-liner from this Checkmates post. It gives a much better handle on what the gateway thinks its licenses are. its much better than the output of cvpnd_admin license all, as the cpvpnd command is only showing you what have been assigned out.
This is an example of the output from it:
REMOTE ACCESS VPN STATS - Current
Assigned OfficeMode IPs : 0 (Peak: 0)
Capsule/Endpoint VPN Users : 0 (Peak: 0) using Visitor Mode: 0
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 1 (Peak: 2)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 0)
LICENSES
SecuRemote Users : 0
Endpoint Connect Users : 0
Mobile Access Users : 205
SNX Users :
This comes from a gateway with a 5 default and a 200:
XX.XX.XX.XX never CPAP-SG640X CPSB-FW CPSG-C-2-U CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-SSLVPN-200 CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS CPSB-URLF CPSB-APCL CPSB-AV CPSB-ABOT-L CPSB-ASPM CPSB-CTNT CK-00-00-00-00-00-00
Yea, I was also wondering if I should delete any of these licenses above as duplicate?
I can’t relay say since I cannot see your whole cplic print -x output, but please check for duplicates; it could be that "duplicate’ is an old/expired contract not yet deleted in your system
Do check in SmartConsole->Upper right hamburger menu->Manage License and packages page
The 2nd and 3rd looks duplicates to me, can this be the problem?
Check the dates of those licenses, and if any contracts inside them (double-click)