2008-04-29
huskercheese
Cannot connect to SmartCenter - tried everything

Okay... I've tried everything I could find on the internet to connect to SmartCenter Dashboard, Tracker, Updater, etc., with no luck. Background:
This SmartCenter server has been upgraded from NG to R55 to R60. The enforcement points are Nokia IP350s running IPSO 3.8. Two are in a VRRP cluster and one is a standalone. All three Nokias are running the R55 package and being managed from an R60 SmartCenter.

The original problem was that upon logon the connection is refused due to the clocks not being set up properly, not matching, certificate invalid or expired message.

If I set the clock back a week on the SmartCenter server, I could log in fine. Once logged in, if I tested the SIC communication, I would get an SSL error referencing an expired SSL certificate on peer on all three of my enforcement points.

I've done the cpstop/cpstart on the Management server at least 20 times. I've done cpstop/cpstart on the passive node of the cluster a dozen times. I've attempted to reset the SIC on the same passive node and in the Dashboard through the passive enforcement point properties.

The SIC reset on the enforcement module has brought the firewall down. It's unable to fetch the firewall policy from the active node or from the management module. Can only reach it via ping when cpstop is run.

Then today I decided to revoke the SmartCenter certificate (cpca_client revoke_cert/create_cert). That wouldn't work at first. I was getting the following error when trying to create:


cpca_client create_cert -n "cn=cp_mgmt" -f "$cpdir/conf/sic_cert.p12"
Error. rc=-1 err=-91 There is already a certificate with the specified details

After revoking and attempting the recreate I am no longer able to log in to the dashboard if I set the clock back on the management server. I now get "the connection cannot be initiated... make sure <server> is up and running and you are defined as a GUI client"

Looking at the registry HKLM\SOFTWARE\CheckPoint\SIC, I noticed the CertPath was different than $CPDIR. The registry references "C:\Program Files\CheckPoint\CPShared\NG\conf\sic_cert.p12" while the cpdir variable is set to "C:\Program Files\CheckPoint\CPShared\r60". So I modified the CertPath key (after exporting it) to match the cpdir variable. I was able to revoke and recreate a certificate referencing sic_cert.p12 in the r60\conf folder. I changed the key back to its original value, did a cpstop/cpstart and was able to revoke and recreate the certificate successfully. However, I am still unable to log into any SmartCenter application.

I'm dead and drifting here. Please help!!