Help with demo -> nondemo license

[osterber]

OK - I'm a bit stuck. I'm trying to migrate a setup with a demo license to a non-demo license, and it's not working correctly.

My setup is as follows -- single server with three interfaces running SecurePlatform. I'll call my IP addresses <internal>, <dmz> and <external>. I have my SmartCenter and Firewall installed on the same host.

I had a demo license that contained:

Code:

Sign {
LICENSE <internal IP> 07Nov2007 CPMP-EVAL-1-NGX CK-<keystring>
}= Az8yWh8m-hDHxAu7xi-2vXYPGwUJ-SkQVfRMxf Index=3 Version=0
Sign {
LICENSE <internal IP> 07Nov2007 CPMP-EVAL-1-NGX CK-<keystring>
}= vM29yoX4-xkZde2ZZT-khowgoegv-iA56kdk9d Index=0 Version=0

I loaded this into SmartUpdate, and attached it to my server, and everything worked great. The gateway was working, SmartCenter was working, etc., etc., etc.

So I just got my full offiical license. It's license file is:

Code:

Sign {
LICENSE <internal IP> never CPXP-CI-VPX-100-NGX CK-<keystring>
}= dvXaWrRh-nXzg4TTph-CnD5VLQrw-6GFKYYALb Index=3 Version=0
Sign {
LICENSE <internal IP> never CPMP-SCT-3-NGX CK-<keystring>
}= FNfv3V2j-ik7t4uYuQ-nRPdyWvar-ery5roZkz Index=0 Version=0

When I try to load this file into my SmartUpdate, I get:

Code:

Cannot save the license 'CPMP-SCT-3-NGX@.....'
Mismatch between IP address of CheckPoint Gateway and local license

So in my license respository, I have the demo license, and just the 'CPXP-CI-VPX-100-NGX' license. If I attach the CPXP-CI-VPX-100-NGX license to my server, then the gateway continues to work, but SmartCenter doesn't work.... if I try to connect with SmartTracker or SmartDashboard, I'm told that there are no valid licenses.

What am I doing wrong?

One thing, perhaps it helps, in my SmartUpdate display, my 'License Management' page looks like:

Code:

 -  <internal IP>
   -  <firewall name>       <external IP>    NGX
      - CPMP-EVAL-1-NGX                       NGX

What am I doing wrong?

-Rick

[Danielpb]

Quick question....

Is the Licence you created a Local or central license?

As this could be the issue if you attaching you local license to your external IP address.

just a thought.....

[osterber]

Both my demo and non-demo license are central.

-Rick

[chillyjim]

Do you have your topology set?

Try to add the license from the command line and see what it tells you.

[osterber]

Topology is set. Set enough such that everything works (including VPN stuff) with my demo license.

Checkpoint licensing said that the solution is to license with my external IP address. Huh? Everything I've read suggests that I should be licensing against my internal IP which is my SmartCenter IP. (Though SmartCenter is on the same host... so SmartCenter technically has all three IPs on it, too.)

-Rick

[dsb.nepo]

mystery checkpoint...

take a look into /etc/hosts
I had simmilar problems with tricky split dns zones and Splat adjusts the settings without telling.

[mcnallym]

If you have an all in one box with gateway and management on 1 box then yes I would recommend that you license on the external address. It just makes life a lot easier where the license address in question matches the external address, which is what will be VPN connections to. Just makes life easier in terms of VPN.

If in a split environment then yes I would use the internal ip of the smartcenter which is what you will read in the docs etc.

I take it that the object definition for the gateway/module box shows the external ip address, and that is what is in /etc/hosts hence why Check Point say to license on the external.

[cciesec2006]

I think there is a bug with the SmartUpdate GUI. To make sure that is
NOT the case you can do the following:

1) download the licensce to your SmartCenter /tmp directory. Make
sure you use binary and NOT ASCII file transfer,

2) on the SmartCenter do the following:
cplic put -l /tmp/license.lic

If the license is not corrupted and correct, it will work.