Support Center > Search Results > SecureKnowledge Details
"You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode" error on SSL Remote Access VPN client that tries to connect to a Cluster.
Symptoms
  • Connection from SNX client / Capsule VPN client / Capsule Connect client / Endpoint Connect client to the VPN Cluster in High Availability mode fails with the error:
    You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode. Contact your administrator.

  • Restarting Check Point services ("cpstop;cpstart", reboot) on the Active cluster member resolves the issue until a fail-over occurs from the current Active cluster member to the Standby cluster member.

  • Debug of VPND daemon (per sk89940) on the Active cluster member shows that the number of "snx_users" is negative:
    available_om_licenses: number of connected users: om_users XX, snx_users -YY, l2tp_users 0

  • when a connection to the active member succeeds, kernel debug ('fw ctl debug -m VPN + warn') on the Standby cluster member shows:
    ;sslt_om_ip_params_post_sync: ERROR: Wrong # of vals XX;

  • All licenses are valid and attached correctly to the Cluster Members.

Cause

Each time a Remote Access VPN client (SNX client / Capsule VPN client / Capsule Connect client / Endpoint Connect client) connects in SSL mode to a Cluster, its connection is synchronized to the Standby cluster member, but the counter of SSL users is not increased on the the Standby cluster member. However, when an SSL user disconnects, the counter of SSL users on the Standby cluster member is decreased.
Eventually, this leads to a wrong (negative) license count on the the Standby cluster member.
The issue becomes apparent after a failover from the current Active cluster member (that held the correct number of SSL users) to the Standby cluster member (on which the number of SSL users was not updated correctly).


Solution
Note: To view this solution you need to Sign In .