CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Our SC VPNs are all failing with two errors. One is "Negotiation with gateway XYZ at site ABC.NYR has failed. Make sure the user is properly defined on the firewall. Connection canceled"; the others say there is a certificate error. Our node license is unlimited and our SC license is for up to 200 users; we are currently using about 139. I've done a cprestart and rebooted the box with no effect; the problem persists. No changes were occurring on the box at the time of failure; the most recent config changes were yesterday, when 5 new subnets were defined. What command-line commands can I run to fix this ill-defined problem?
I'm not sure if this debug output helps:

[vpnd 891 1]@saintpeter[19 Jun 13:38:59] fwCert_FindCertListAndKey: Entering
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] Cert Reqeust got from peer:
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] type 4 DN: O=saintpeter..zuxwoh
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] type 4
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] CertListAndTypeForModule: I have no certificate to send
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] GetDAGIP: ID 40791302 not in DAIP range
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] CFwdCommStreamLocal::Write called
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] CFwdCommStreamLocal::Write sent 248 bytes
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] RespMMPacketError: error in FWIKE_EXCH_MAIN_MODE - FWIKE_MM_PACKET_6_PROLOGUE
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] < FWIKE_ROLE_INITIATOR > Id = 80
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] ike_initiator: entering
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] InitiatorOnEnter: idRanges NOT USED mine [0-0] peer's [0-0]
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] findSAByPeer: Find SA with cookies 71cbc645f40c8304,bc0d599976e0de1e from packet
[vpnd 891 1]@saintpeter[19 Jun 13:38:59] findSAByPeer: Valid ISAKMP SA was not found. me=0, peer=40791302
What is the precise wording of the certificate error message? Make sure the date and time on the firewall and the remote clients are accurate to within a few minutes. How are the end users authenticated?

Ray
RayPesek, thanks for the advice. I have seen the clock problem before; in fact I fixed a vendor SC connection yesterday with that solution. Our connectivity was restored after many hours with CP support. My access to the console is via VPN, so it took a while to get in. The root cause was an expired internal_ca. It expired today without auto-renewing or any warnings in the prior 30 days. CP says this might be a bug (R60A). I have set up emergency access via SR/login/pwd from an internal static. I need to consider other methods also. Thank you for your input.
The root certificate for the internal CA expired? Wow. When I created a CA in R55, it had a 20-year lifetime. Check Point hasn't even been in existence long enough for it to expire. Are you sure it's not the 5-year VPN certificate instead? You can go to the gateway object, un-check VPN-1, save it, open the gateway object, re-check VPN-1, save it and push the policy. That will put a new certificate on without affecting the root certificate. Do you have web access to the internal CA via port 18265? If you don't know what I'm talking about, there is a site on https://<smartcenterIP>:18265 that lets you access the ICA and check on certificate status, etc. You need an administrator certificate and it's turned on via a command-line command. There is an SK article on it.

Ray
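The failure reported in this thread (a CA or gateway certificate expiring with no warning in the preceding 30 days) is exactly what a periodic expiry check would catch, whichever certificate it turns out to be. The script below is an added example, not code from this thread or from Check Point. It assumes the certificates in question have already been exported to PEM files (the file paths are hypothetical; exporting them from the ICA management tool or SmartDashboard is outside the script) and that the openssl binary is on PATH. It reads each certificate's notAfter with `openssl x509 -noout -enddate`, and the parsing and classification are kept separate from the openssl call so they can be checked against a constructed date.

```python
#!/usr/bin/env python3
"""Expiry watch for exported Check Point ICA / gateway VPN certificates.

Added example. Assumes the certificates have been exported to PEM files
(paths given on the command line are hypothetical) and that openssl is on PATH.
Exit status: 0 all OK, 1 something inside the warning window, 2 something expired.
"""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# `openssl x509 -noout -enddate` prints one line such as:
#   notAfter=Jun 19 13:38:59 2013 GMT
# Single-digit days are padded with a second space ("Jun  9"), which strptime
# tolerates because whitespace in the format matches one or more spaces.
_OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"

_SEVERITY = {"OK": 0, "WARN": 1, "EXPIRED": 2}


def parse_not_after(line: str) -> datetime:
    """Turn a 'notAfter=...' line from openssl into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"unexpected openssl output: {line!r}")
    return datetime.strptime(value.strip(), _OPENSSL_DATE).replace(tzinfo=timezone.utc)


def classify(name: str, not_after: datetime, now: datetime, warn_days: int = 30) -> dict:
    """Return a finding: days_left (negative once expired) and a level."""
    days_left = (not_after - now) / timedelta(days=1)
    if days_left < 0:
        level = "EXPIRED"
    elif days_left <= warn_days:
        level = "WARN"
    else:
        level = "OK"
    return {"name": name, "not_after": not_after, "days_left": days_left, "level": level}


def audit(certs, now: datetime, warn_days: int = 30) -> list:
    """certs: iterable of (name, notAfter line). Findings come back most urgent first."""
    findings = [classify(name, parse_not_after(line), now, warn_days) for name, line in certs]
    findings.sort(key=lambda f: f["days_left"])
    return findings


def openssl_enddate(pem_path: str) -> str:
    """Ask openssl for the notAfter line of one PEM certificate."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def main(argv: list) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} internal_ca.pem gateway_vpn.pem ...", file=sys.stderr)
        return 2
    now = datetime.now(timezone.utc)
    certs = [(path, openssl_enddate(path)) for path in argv[1:]]
    worst = 0
    for f in audit(certs, now):
        print(f"{f['level']:8} {f['days_left']:8.1f} days  {f['name']}"
              f"  (notAfter {f['not_after']:%Y-%m-%d %H:%M} UTC)")
        worst = max(worst, _SEVERITY[f["level"]])
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron on a management host with the exported PEMs, and page on a non-zero exit; the ICA root, the gateway VPN certificate and any administrator certificate used for the 18265 portal all belong on the list, since any of them expiring silently produces the symptoms described above.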
Heard of the exact same behavior lately; going to ask my buddy what it was... and yeah, it was the ICA. Don't think it was 60A though.