Remote Access VPN clients and Endpoint services fail after January 1st, 2021
Solution

Important: Do not uninstall or upgrade your client before applying the patch below!

Introduction

In August 2019, Check Point released version E81.20 to address the use limitation of older versions of Check Point’s Endpoint, VPN, and SandBlast Agents (sk158912). These out-of-support versions will cease to operate starting January 1st, 2021. Starting on that date, following a reboot of the computer, Remote Access VPN and Endpoint Security Client versions E81.10 (inclusive) and lower may stop functioning, and the upgrade will fail.

Visit our dedicated portal created to provide a quick and clear explanation and mitigation for this issue:  Patch Client VPN/Endpoint versions E81.10 or earlier to ensure productivity.

Information about the affected products and versions:

What products and configurations are affected?

  • Endpoint Security VPN
  • Endpoint Security VPN for ATM 
  • Endpoint Security Client
  • SandBlast Agent

Which Product Versions are affected?

SandBlast Agent:
E80.61 - E81.10

Endpoint Security Client, Endpoint Security VPN and Endpoint Security VPN for ATM:
E80.81 - E81.10

Note - All custom builds for a specific version are included. (Client Hotfix)

Not affected: SecuRemote, Check Point Mobile, and Mobile Access / SNX.

What OS Versions are affected?
Windows 7 and above, Windows Server 2008 R2 and above

Not affected: macOS, Windows XP


VPN connectivity scenarios when PC booted after Jan 1st: [flowchart not reproduced here]

Resolving the issue

Check Point issued a small (2MB) and quick-to-install Patch for this issue.
It replaces an existing .SYS file, delivering a fix that is already proven to be safe and is widely used by customers.
The Patch has no impact on clients that are not listed in the affected version list.

Most users do not reboot their PC frequently, so their VPN connectivity still works until they reboot.
Central deployment is the preferred procedure for distributing the patch to the end-users who are still connected.
This solution will fix the issue for the end-users in most organizations.

For users with VPN connectivity - distribute the patch through a Central Deployment tool

  • Use an aggressive update timing to supply the patch as quickly as possible.
  • Use Central Deployment tools such as - Compliance blade (sk171279), GPO (sk171338), SCCM.
    • Verify that the GlobalSign root certificate is installed on your affected devices. For more information see sk171399.

For users with no VPN connectivity

  • Send your employees instructions that describe how to download and install this patch - EPPatcher_for_users.
    • Limited to Windows 7, 8.1 and 10, and to these versions: E80.81 - E81.10.
      • Installing the patch on versions E80.81 or E80.82 requires end-users to have administration privileges.
    • Important: If you use Endpoint Security Client or SandBlast Agent, provide the end-user with the uninstall password as well, as it is necessary for the patch installation process. The uninstall password is not required for Endpoint Security VPN users.

  • If only a low number of users lost VPN connectivity – Use a tool such as Zoom to conduct a remote session to their PC and install the patch. 
  • If the above tools are not applicable for your scenario, use one of the additional mitigation tools described in the table below.

Important:
  • We recommend upgrading to the latest recommended version (E84.00) after the patch completes the installation. For VPN users who plan to upgrade to E84.20 or E84.30 an additional fix is needed. Contact Check Point support to get the fix.

Other mitigation tools:


  • Tool name: VPN Recovery tool (sk171342)
    • When to use: If the EPPatcher_for_users fix does not fit your scenario, use this option. If VPN connectivity is lost, you can regain it by using the Capsule VPN plugin for Windows 10.
    • What it does: Capsule VPN plugin for Windows 10 reuses your existing client configuration. Use it to get the temporary VPN access required to centrally deploy the patch.
    • Coverage and Limitations: Windows 10; E81.10, E81, E80.97, E80.96, E80.95, E80.94, E80.92, E80.90, E80.89, E80.88, E80.87, E80.86, E80.85, E80.84, E80.83, E80.82, E80.81

How do you check product versions?


For Endpoint Security VPN and Endpoint Security VPN for ATM

  • From Central Management: SmartLog –> query for
    action:"Log In" AND ("Endpoint Security") AND (E80.81 or E80.82 or E80.83 or E80.84 or E80.85 or E80.86 or E80.87 or E80.88 or E80.89 or E80.90 or E80.92 or E80.94 or E80.95 or E80.96 or E80.97 or E81.00 or E81.10)
      


  • From Client-side: right click on the client icon -> help -> about



For Endpoint Security Client and SandBlast Agent


  • From Central Management: Smart Endpoint -> Reporting -> Software Deployments -> Versions in Use -> Endpoint Security Client Versions  – “EP Client Version” column
  • From Client side: right click on client icon UI -> Display Overview

More Options

  1. To find all E8x.xx clients with the 01.01.2021 bug, execute the following command on the Management Server:

    fw log -n -p |grep "Endpoint Security VPN" | awk -F";" '{print $7 ,$9}' | grep client_version |sort | uniq

  2. Use the following template: Download template


FAQ

  • What is the problem with the VPN Client?
    The issue occurs because of the internal certificate used by VPN/Endpoint services. One of the certificates expires on January 1st, 2021. Therefore, after this date, all services that use this certificate stop working. The fix is in the driver library: epklib. The library fixes an issue with regard to the certificate's expiration validation.
  • How is an organization affected if the upgrade/patch to their client is not applied?
    Clients that run with the unpatched version stop working starting January 1st, 2021:
    SandBlast Agent - versions E81.10, E81, E80.97, E80.96, E80.95, E80.94, E80.92, E80.90, E80.89, E80.88, E80.87, E80.86, E80.85, E80.84, E80.83, E80.82, E80.81, E80.80, E80.72, E80.71, E80.70, E80.65, E80.64, E80.62, E80.61:
    1. Anti-Bot, Forensics - Stop functioning (only if a reboot occurred)

    Endpoint Security Client / SandBlast Agent - versions E80.81-E81.10:
    1. Software deployment rules, upgrade, uninstall stop functioning (only if a reboot occurred)
    2. Anti-Bot, Forensics - Functionality stops (only if a reboot occurred)
    3. Firewall and VPN - Functionality stops (only if a reboot occurred)

    Endpoint Security VPN, Endpoint Security VPN for ATM - versions E80.81 - E81.10:
    1. Firewall + VPN – Functionality stops (only if a reboot occurred)

  • Is this only a VPN issue? Or does it affect other endpoint blades (for example - FDE)?
    This issue impacts different Endpoint blades such as VPN, Firewall, Anti-Bot, Forensics, and Threat-Emulation.
    The issue indirectly affects the administrator's ability to upgrade the clients that use software deployment rules. For example - FDE continues to work correctly but, if an organization uses VPN for connectivity, updates to the client fail. 
  • Why Now?
    The issue was fixed in August 2019 and the fix is a part of E81.20. We have recently identified customers that need to upgrade to the recommended versions and continue to use one of the deprecated and/or not supported versions. At this time we are proactively approaching the applicable customers, ensuring they implement the patch on the current version and/or upgrade to a higher version.
  • What is the patch doing? Is it safe?
    The patch replaces a file on the local computer, fixing the date expiration verification of the certificate.
    It is safe to run and is already a part of E81.20. Customers have used it for the last 1.5 years on millions of computers.
  • What happens when applying the patch to an un-affected client?
    It’s OK to run the patch on a non-affected version – nothing will happen.
  • What are the required privileges to install the fix?
    If deployed through software distribution tools or Check Point's Compliance blade before January 1st, 2021, administrator privileges are not required. If not, administrator privileges are necessary to install the fix.
  • How to run the patch as administrator?
    1. Open CMD as admin
      1. Start -> write 'cmd' -> right-click on 'command prompt' -> select 'Run as administrator'

    2. Navigate to the patch location
      Example: If the patch is located under ‘downloads’:
      cd %USERPROFILE%\Downloads

    3. Execute the following command:
      1. Endpoint Security / SandBlast Agent:
        msiexec /i EPPatch.msi UNINST_PASSWORD=<client_uninstall_password>
      2. Endpoint Security VPN:
        msiexec /i EPPatch.msi
  • A customer fix I recently got from TAC is already installed on my client's computer. Can I use the same patch?
    Yes.
    The fix is small and specific. It works alongside any CFG or custom fix already installed.
  • How to determine if the patch is installed?
    There are several recommended options:
    • Look at the patch logs for success/failure messages when using the EPPatch.msi – For more information, follow sk171275.
    • Look for the file version of the epklib.sys itself (C:\windows\system32\drivers\) and validate that the version is the same as or higher than 8.60.5.7253
    • Use Check Point's Compliance blade to examine the outdated driver that needs replacement (by checking the version) – follow sk171279.
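
One way to script the epklib.sys file-version check from the list above, written to run on Windows PowerShell 2.0 and later so it also covers Windows 7 (an added example, not Check Point tooling; the function name and status labels are hypothetical, while the driver location and the 8.60.5.7253 threshold are taken from this article):

```powershell
# Added example (not Check Point tooling). The driver location and the
# 8.60.5.7253 threshold come from the article; names below are hypothetical.
$PatchedVersion = New-Object System.Version -ArgumentList 8, 60, 5, 7253

function Get-EpklibPatchStatus {
    param([string]$DriverPath)

    if (-not $DriverPath) {
        # A 32-bit process on 64-bit Windows has System32 redirected to
        # SysWOW64, which would hide the driver; Sysnative bypasses that.
        $sys = if ($env:PROCESSOR_ARCHITEW6432) { 'Sysnative' } else { 'System32' }
        $DriverPath = Join-Path $env:windir "$sys\drivers\epklib.sys"
    }

    $status  = 'DriverNotFound'   # no driver on disk: nothing to compare
    $version = $null

    if (Test-Path -LiteralPath $DriverPath -PathType Leaf) {
        $info = (Get-Item -LiteralPath $DriverPath).VersionInfo
        # Use the numeric parts; the FileVersion string can carry extra text.
        $parts = $info.FileMajorPart, $info.FileMinorPart,
                 $info.FileBuildPart, $info.FilePrivatePart
        $version = New-Object System.Version -ArgumentList $parts
        $status = if ($version -ge $PatchedVersion) { 'Patched' } else { 'NeedsPatch' }
    }

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Path     = $DriverPath
        Version  = $version
        Status   = $status
    }
}

Get-EpklibPatchStatus | Format-List Computer, Path, Version, Status
```

A Status of NeedsPatch means the driver is present but older than 8.60.5.7253; DriverNotFound means there is no epklib.sys on that machine to evaluate.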

Appendix

General information:
  • VPN connectivity and Security are affected starting the first time the computer reboots after January 1st, 2021.
Deployment options:
  • To fix the issue and to validate you have a safe or patched version using Compliance - Refer to sk171279.
  • To auto-upgrade your Endpoint Security VPN Client to a newer version, refer to Remote Access Clients for Windows Administration Guide E80.72 and Higher, page 29 “Automatic Upgrade from the Gateway”.
    • The patch must be applied before upgrading the VPN Clients using the above method.
    • If Mobile Access is enabled, refer to sk133572.
Troubleshooting:

  • Error / Symptom: "Error 1401. Could not create key \SOFTWARE\CheckPoint\Endpoint Security\Secure Uninstall"
    Solution: sk171297

  • Error / Symptom: "Error 27562/27557. Changing configuration of Check Point Endpoint Security is not allowed"
    Solution: sk127812

  • Error / Symptom: Failed to install the patch. The following error is displayed in C:\Windows\Internet Logs\EP_CDTDll.log:
    "Disabling self protection
    Failed turning off self protection".
    Solution:
    • sk171399 - Cause: Missing Root CA certificate.
    • sk171418 - Cause: Unsupported characters are used for the uninstall password. Allowed characters: a-z A-Z 0-9 , ~ = + - _ () ' $ . @
    • For a patch that can automatically address the above 2 issues, contact Check Point support.

  • Error / Symptom: Error "Failed to load Virtual Network Adapter" or "connectivity with the VPN service is lost." shows after the patch deployment
    Solution: sk171416

  • Error / Symptom: When installing the patch, users receive the error “The Installer has insufficient privileges to modify this file C:\WINDOWS\SysWOW64\vsdata.dll”
    Solution: To resolve the issue simply install the patch first and only then upgrade your client.

Patch history:
  • It is recommended to use the EPPatcher_for_users that includes and acts as a replacement for both the admin and non-admin fixes.
    • Older versions of that patch can be found here:
      End-users have Administrator privileges on their PC –  EPPatcher_for_admin tool.
      End-users do not have Administrator privileges –  EPPatcher_for_non_admin tool.
