Checkpoint SecureClient fails after upgrade to 10.6.5 or 10.6.6

Posted on 07 December 2010

After upgrading to 10.6.5 and now also 10.6.6 many users had issues with DNS/network. This issue is causing timeouts in browser or at least long delays. See this thread.

But thankfully user KJK555 found a good workaround. It replaces concerned files of the new mDNSResponder with older 10.6.4 files.

Just install this package and reboot.


38 responses to Checkpoint SecureClient fails after upgrade to 10.6.5 or 10.6.6

  • ShaneOG says:

    Seems like the just released 10.6.7 has the same issue :(

  • Burley Higgins says:

    I just bought the new MacBook Pro with OS X 10.6.6
    Kernel Version 10.7.1
    I have tried all of the suggestions posted, and to no avail. Cannot get passed the Secure Client services are down. Please reboot… popup. I have an imac with OS X 10.6.5 Kernel Version 10.5.0 and that works fine with secure client. Any help would be greatly appreciated. Has anyone else had similar issues?

    • Harald Haentsch says:

      It seems that the very new macbooks run in 64bit boot mode by default. Checkpoint SecureClient can only run in a 32bit environment. You can only fix it by booting in 32bit mode by holding the “3” and the “2” key pressed during startup.

    • Alain says:

      I have the same problem where I uninstalled SecureClient from my old PowerBook Pro and then migrated my user settings and Applications to my new MacBook Pro (Sandy Bridge running 10.6.6).

      On my new laptop I went to Java Preferences and moved the 32 bit settings (X2) upward to have them instead of the 64 bit ones.

      I did a clean install of SecureClient for 10.6 and now I am now getting the message saying “Secure CLient services are down. Please reboot your machine to start them”. I ran the above package and it did not solve the problem. Still getting this error message.

      Interestingly I was able to reinstall SecureClient on my old MacBook Pro (also running 10.6.6) with no problems.

      It seems that the new MacBook Pro is not able to install the SecureClient software properly.

      I am hoping this will help someone more savvy than me figure this one out. Thanks for any help you may offer.

      • Harald Haentsch says:

        The very new macbooks run in 64bit boot mode by default. Checkpoint SecureClient can only run in a 32bit environment. You can only fix it by booting in 32bit mode by holding the “3” and the “2” key pressed during startup.

        • Alain says:

          Thanks for the information. I guess that I failed to realize that I need to hold the 3 and 2 key every time I restart my computer if I want it to run SecureClient properly and showing its icon in the top right of the menu bar.
          Changing the order of the Java Preferences so the 32 bits would be above 64 bits did not solve this problem.
          Anyway, thanks as I now have a solution to run SecureClient on my new computer, this until I find a better long term solution.

        • Alain says:

          You may be aware of this but there is a simple way not to have to hold the 3 and 2 keys each time you start your new computer so it will be in 32 bit mode and will run SecureClient with no problems.

          The problem is described in this article from Apple

          http://support.apple.com/kb/HT3770

          where is says “these Macs use the 64-bit kernel by default in Mac OS X v10.6. Mac Pro (Mid 2010), MacBook Pro (Early 2011)”.

          Where the solution is described in this one, also from Apple,

          http://support.apple.com/kb/HT3773

          where it tells you to type the following line in the terminal

          sudo systemsetup -setkernelbootarchitecture i386

          I hope this helps.

          Alain

  • christopher Moss says:

    A little research and I realised I could boot into a 32-bit kernel (hey, I’m not much of a geek!) by holding down the ‘3’ and the ‘2’ keys at startup. Terminal tells me, using uname -a, that I am 32 bit mode and Secure Client runs as advertised!

  • christopher Moss says:

    I’m also getting what might be a remissions problem. From Console:

    Mar 4 20:40:41 MBP1 com.apple.launchd.peruser.501[223] ([0x0-0x24024].SecureClient[364]): Exited with exit code: 255

  • christopher Moss says:

    I have had the workaround (edited installer) working on my last MBP and a 2010 MBA. Along comes the 2011 MBP and Secure Client wouldn’t start. Clean uninstall and several install attempts later it still won’t run – I get the “VPN-1 services are down, please reboot” message about two minutes after startup. Temporarily, I have IPSecuritas connecting me to one of my Checkpoint VPN connections, but it won’t work for the other. I see this new MBP boots into a 64 bit kernel. Could that be the problem, and if so does anyone have experience of the thrull.com System Mode Configurator pref pane as a way round it in these new machines?

  • Arshia says:

    Does anyone else have trouble getting the supposed new Snow Leopard client (Check_Point_SecureClient_R56_HFA_02_Mac_OSX.pkg.zip) working on a fresh install of 10.6.6?

    It was my understanding that version should work without hacking but I get the same error that required hex editing to make the original client work.

    Any thoughts or suggestions?

  • johannes says:

    the thing to do and it works with 10.6.6

    shut down SecureClient (right click on the “key” icon and select “Stop VPN-1 SecureClient”
    Open a terminal window on the Mac
    cd /opt/CPsrsc-50/database
    edit the userc.C file
    change the phase2_aes_key_size to 256
    save and exit the userc.C file
    restart SecureClient
    attempt to connect

  • Philip says:

    I am using VPN-1 Secure Client R56 HFA2 Build 008 on OSX 10.6.6. I have installed mdns_repair10.6.5.pkg. When I try to connect, VPN-1 shows the following error:

    Checking network connectivity…
    Preparing connection…
    Updating site…
    User philip authenticated by Radius authentication
    Connecting to gateway…
    IKE negotiation failed
    Connection failed

    Same VPN userid/password/securID works fine on my Windows PC. I have the VPN log file SC_logs_28_Jan_11_15_44_20.tgz if that will help.

    Thanks,
    Philip

    • johannes says:

      It work fine under 10.6.6 after you have done this small thing.

      shut down SecureClient (right click on the “key” icon and select “Stop VPN-1 SecureClient”
      Open a terminal window on the Mac
      cd /opt/CPsrsc-50/database
      edit the userc.C file
      change the phase2_aes_key_size to 256
      save and exit the userc.C file
      restart SecureClient
      attempt to connect

      • Philip says:

        Thanks for your response. I followed your steps, but I am still getting the same “IKE negotiation failed” error.

        • Philip says:

          Thanks for the help…Turns out Norton Antivirus was blocking some ports that VPN-1 SecureClient needs to connect to gateway.

          Once I turned off Norton Antivirus, VPN worked!

  • Tim says:

    Got it!
    When it doesnt work the first time you might need to change the MTU size setting under network settings.
    When i changed the size to 1450 it worked for me!

  • dgalvarado says:

    Buenas,

    Desde que actualic√© a la 10.6.6 me sale tambi√©n el error de “Failed to add site …”

    Y la casilla “Disable Security Policy” no se puede desactivar.

    Como tengamos que esperar a que los de checkpoint saquen un fix lo llevamos claro.

    Un saludo

  • Tim says:

    Yes i have de-installed secureclient and re-installed it again.
    I cannot connect to the gateway. It’s takes a long time to connect and then it says failed.
    I can see in the firewall log 2 green lines. But then it stops.

  • Tim says:

    My problem is after upgrading to 10.6.6 i cannot uncheck the “Disable Security Policy” option for checkpoint secure client.
    When i try to it says: ‘This operation is denied by current settings’
    Now i cannot connect.
    Before the upgrade it worked fine…

    • Harald Haentsch says:

      – Stop VPN-1 SecureClient
      – in finder you can choose Go/ Go To Folder: “/opt/CPsrsc-50/database”
      – open userc.C with your preferred TextEditor
      – change “:manual_slan_control (false)” to “:manual_slan_control (true)”
      – Start VPN-1 SecureClient

      • Tim says:

        Ain’t working…
        It’s already on true.
        When i set it to false the Disable option will grey out.
        But when i set it to true the problem still occurs.

        • Harald Haentsch says:

          Then it needs to be set on the Management/VPN Gateway.

          • Tim says:

            Nothing changed on the gateway since it worked..

          • Harald Haentsch says:

            Did you try to delete and recrete the site and successfully connecting to the VPN Gateway first time. The policy needs to be downloaded first before this option can be unchecked.

            Perhaps there is a problem to do so. Does connecting to the gateway take unusual long, the mDNSResponder seems to be still on newer version an not 10.6.4.

  • Allison says:

    current error message I get is: “Failed to apply assigned office mode IP data. Please see help for more information.”

    I get different error messages depending upon version of Firefox I try.

    Feels like I’m so close to a solution, but so far away!

    • Harald Haentsch says:

      Are you sure you trying to use the native VPN-1 Secure Client R56 HFA2.
      This client doesn’t depend on any browser and connection is made only by its Client and not through the browser as it is the case for SSL based VPN’s like SSL Extender.

      What is your local IP, could it be that it is interfering with the Office mode IP?

  • Allison says:

    A tech support engineer for Check Point directed me to this workaround, which I’ve installed and so far no luck. Is there a specific browser and version I should be trying? I never had luck with Safari but historically Firefox worked, the SSL Network Extender behaved as it should.

    I’m an “end user” so not terribly tech-savvy. If you recommend something, I can try it and tell you what error message I get.

  • Jan Poehland says:

    Doesn’t work for me either.
    I just upgraded to OS X 10.6.6 and SecureClient stopped working.
    I uninstalled and reinstalled the latest release if SecureClient and now I cannot even add sites. I did apply the mDNSResponder update as well but still no luck.
    Any attempt to add a site results in “Failed to add site xxx.xxx….”
    Any ideas?

    • Harald Haentsch says:

      That seems to be a different issue. he problem related to mDNSResponder in 10.6.5 and 10.6.6 causes not to have internet traffic at all after connected to the vpn gateway in office mode.

      Firewall?

  • Wim Lon says:

    Unfortunately, it does not work for me =(
    What can I do now?

  • Robert Bakker says:

    Thanks for the workaround.
    It works perfectly!!

  • Recent Posts

    Tag Cloud

    Checkpoint FAS 3020c Join Mac OS X Server NetApp OS X 10.6 R56 SecureClient Snow Leopard

    Meta

    Sysadmins World is proudly powered by WordPress and the SubtleFlux theme.

    Copyright © Sysadmins World