| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| I'm hoping someone could help me on this one. I am running NG R55 on my Windows 2K SmartCenter server. It had a C and a D drive on it with the installation files being on Drive D. The C drive crashed and I could no longer boot up. I took the D drive and was able to slave it onto another workstation so I could access the files. I got another server and installed W2K and then installed the management software (R55). Then I did a straight file copy of the conf and the database directories over to the new server. I am not able to perform the upgrade_export utility on the old drive. I am able to bring up the SmartDashboard now and view the policies but the management server remains untrusted with the modules. I am not able to reset the SIC between the new management server and the enforcement module. When I try, I get a "Peer sent wrong DN try to reset SIC at the peer and reestablish the trust " message. I'm hoping you can help on this. Thank you in advance. |
| |||
| Did you use exactly the same computer name for the new SmartCenter? Do you use the certificates for anything other than SIC? Such as user certificates for remote access? If not, there is a command you can run that will destroy the certificate authority and build a new one. Did you already run the SIC reset on the firewall or is this when you get it? What steps are you doing in what order? I'd get an upgrade_export right now, though. :-) Ray |
| |||
| "Did you use exactly the same computer name for the new SmartCenter?" I am not sure if I used the same computer name. The Windows administrators built it again using the same name but the only difference is that the new box is on the domain while the old box was in a workgroup. I believe that the name may be different when you include the DNS suffix. Sorry, we were supposed to consolidate them onto our management server so I wasn't backing up or paying attention to the names. "Do you use the certificates for anything other than SIC? Such as user certificates for remote access? If not, there is a command you can run that will destroy the certificate authority and build a new one." No, we are not using the certificates for remote access. Is that command fwm sic_reset? "Did you already run the SIC reset on the firewall or is this when you get it? What steps are you doing in what order?" Yes, I already ran the SIC reset on the firewall and I tried to do this on the SmartDashboard but no luck. I did the firewall first and then the SmartDashboard and reversed it as well but no luck. The message I get does indicate an incorrect computer name and ICA as the message I get points to the name in the ICA file. Does the fwm sic_reset destroy this and build a new one? |
| |||
| Your SIC is stuffed.... the files you need are in the $CPDIR directory, which IIRC defaults to C:\Program Files\Checkpoint on a Win2K build. Without the $CPDIR/conf and $CPDIR/database directories, what you've done is way too flaky to be reliable. Best solution would be to find an old upgrade_export (you did archive these on a separate box, right???), stop the SC, extract these directories manually, and place appropriately. That might (if you're lucky!) get your original root CA going. Or another way might be to run the upgrade_import, and then copy the newer $FWDIR/conf directory over the top of that. You may have more success that way. Either way, your system is going to be flaky from now on. Honestly, I'd find a way to extract the rules and objects, and rebuild from a base system again. |
| |||
| I got it going. Here's what I did. 1) Reinstalled the management server software. 2) Manually copied the files over from the /conf and the /database directories in the $FWDIR and the $CPDIR, except the ICA files. Then I was able to establish SIC with the firewalls and was able to push policies. |