Youngy (2005-10-11)
Re: Desperate Pleee - Server Management

Hi,

It is not actually a PDF but a page display like what you find on TechNet. There is an option on the page to email the solution, so I have done that, but I suspect you may still need to log in to the Check Point site.

So here is what it says:

Symptoms

While trying to install a policy, an error message is received.
Error: "add_ca_cert_hash: failed to get internal_ca object"
While trying to edit the Management Server properties, an error message is received.
Error: "Unable to contact Certificate Authority on the Management Station. Please make sure the Certificate Authority daemon is running."
While trying to recreate the ICA, an error message is received.
Error: "The generation of the Internal CA certificate failed. This node will not be able to perform certain VPN-1 operations that require this certificate."
Error when clicking on "Set Default IKE Properties" on the Management Server object's properties.
Error: "Default IKE was not completed successfully. The reason could be that a creation of a certificate was needed and was not successful."
When clicking Get Topology under the Topology tab of the Management Server properties, an error is received.
Error: "Trust has not been established. To complete this operation click Communities in the General tab". However, "Communities" is grayed out.


Cause

This problem is caused by an incomplete uninstall of previous FireWall-1 versions which left some info-files on the machine. That caused "cpconfig" not to create a new ICA.

Solution

Run the command "fwm sic_reset" and then recreate ICA.
Note that in NG FP1 the command should be "fw sic_reset". For more information, refer to the following solution.


The "following solution" referred to above is this:

Symptoms

Error when trying to initialize Certificate Authority:
Error: "Failed to initialize the Certificate Authority because the system was unable to create a certificate for the certificate Authority. error number : -2. Try to initialize the Certificate Authority later again"


Solution

The fw sic_reset operation will reset Secure Internal Communication (SIC) on the Management Server. The internal Certificate Authority will be destroyed and Check Point Components will not be able to communicate.

The command syntax is:
fw sic_reset
At the prompt, press 'y' to confirm the Reset.

This operation will stop all Check Point Services (cpstop).

To enable communication, perform the following operations:
1. Re-initialize the internal Certificate Authority (use cpconfig).
2. Restart Check Point Services (cpstart).
3. Reset SIC on each Module that is managed by this Management Server.
4. Re-establish Trust with each Station that is managed by this Management Server.

NOTE: In NG FP2, the syntax should be 'fwm sic_reset'.
To read more about how to resolve Internal CA problems in FireWall-1 NG FP2 please refer to the following solution.

If the above does not help, run:
'cpca_create -d -dn "O=test"' to manually create the CA.

WARNING:
THIS OPERATION WILL CAUSE YOUR FIREWALL-1 NG ENVIRONMENT TO FAIL.
CONSIDER THE IMPLICATIONS VERY CAREFULLY BEFORE USING IT.


Hope that helps