CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hi, any idea about the R55 Management HA failing to synchronize with the error "policy save Failed to merge the ICA DB. Possible security error!"? It worked properly for over half a year before. Thanks

Hi, I have a customer with the same error. Same version, on Windows 2003. The full error is "failed to synchronize. Reason: failed to merge the ICA DB. possible security error !!!" It's now showing as 'lagging'; logging is still going on on the secondary, and the SIC is still fine.

Again, this customer's has worked fine for over a year. All we did was try to troubleshoot an enforcement module that wasn't logging to the secondary SmartCenter. We didn't change any of the policy per se. We didn't edit the masters file on the enforcement module, just changed, within the enforcement module object, the 'order' of logging of the SmartCenter servers, under the Logs and Masters tab of SmartDashboard.

Logically this is an issue with the Internal CA of the Primary or Secondary getting out of sync, but I've tried copying the InternalCA.p12, the InternalCA.NDB* files and the InternalCA.crl file from the Primary to the Secondary. I haven't yet looked to see if there's a /conf/crls/ICA_CRL0.crl file on the secondary or primary.

Any ideas, as this is clearly something other people have come across but maybe not posted resolutions for?

Cheers
Simon

I'm afraid I don't have anything to add apart from a "me too" response. I found this post using Google when our HA setup started having the same issue today. I have verified the time setting between the servers and that's okay. I also had a trawl through the Check Point SecureKnowledge page, and there is nothing applicable to this problem. I'll investigate further using Simon's post as a starter, but thought it would be worth bumping this post to see if the other users have resolved this issue.

Thanks
Martin.

Well, I thought I'd have a stab at fixing it myself. I ended up copying over the /conf/InternalCA.* and /conf/ica.* files from the primary to the secondary. This has fixed my ICA DB sync error.

The recommended method is to use NTP for time sync. That makes sure that primary and backup stay in time sync. There are a number of public NTP servers out there if you don't have one internally; googling for NTP servers or the US Naval Observatory will net them for you. Time settings, NTP, and others can be set either by command line (non-expert) mode or through the web interface.

BTW, I'm grateful for the InternalCA.* files fix. I use NTP to keep my clocks set correctly as I have an internal pair of GPS-based NTP servers, but time wasn't the issue. My secondary had been lagging for a few weeks, which normally doesn't bother me much as one is in the US and the backup is in Europe, so they typically lag after a rule change/save. I just recently tried to force the sync to make sure all was well, but got the message about the ICA DB being out, and when I checked, the dates and sizes on the InternalCA files showed them to be quite out of date on the backup box.
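The two checks the posters above ended up doing by hand (comparing dates and sizes of the InternalCA files on both boxes, then copying the primary's /conf/InternalCA.* and /conf/ica.* over to the secondary) can be scripted so you see exactly which files disagree before you overwrite anything, and keep a backup of what the secondary had. This is an added example written for this thread, not Check Point code and not something any of the posters ran. It assumes, beyond what the thread states, that the file set is $FWDIR/conf/InternalCA.* plus $FWDIR/conf/ica.*, that you have already copied the secondary's conf directory to a local staging directory (scp/ftp) so both trees are readable from one shell, and that stopping the Check Point services (cpstop) on the secondary before overwriting files under its conf directory is the sensible precaution (the thread does not say whether its authors did). The fixture directories and their contents are constructed for the offline demo.

```shell
#!/bin/sh
# ica_check.sh: compare, and optionally re-sync, the Internal CA files that
# Management HA needs to agree on between a primary and a secondary
# SmartCenter. Added example for this thread; not Check Point code.
#
# Assumptions (mine, not the thread's): the files to compare are
# $FWDIR/conf/InternalCA.* and $FWDIR/conf/ica.*, and the secondary's conf
# directory has already been staged locally, e.g.
#   ica_diff "$FWDIR/conf" /tmp/secondary-conf
#   ica_push "$FWDIR/conf" /tmp/secondary-conf   # then copy the tree back

# Print the basenames of the ICA files present in a conf directory.
# (ICA file names contain no whitespace, so word-splitting the list is safe.)
ica_files() {
    for f in "$1"/InternalCA.* "$1"/ica.*; do
        [ -e "$f" ] || continue     # an unmatched glob stays literal; skip it
        basename "$f"
    done
}

# Compare every ICA file in PRIMARY ($1) against SECONDARY ($2).
# Prints one line per file with sizes; returns 1 if any file differs or is
# missing on the secondary, 0 if the two sets are byte-for-byte identical.
ica_diff() {
    rc=0
    for name in $(ica_files "$1"); do
        if [ ! -e "$2/$name" ]; then
            echo "MISSING on secondary: $name"
            rc=1
        elif cmp -s "$1/$name" "$2/$name"; then
            echo "OK: $name ($(wc -c < "$1/$name" | tr -d ' ') bytes)"
        else
            echo "DIFFERS: $name (primary $(wc -c < "$1/$name" | tr -d ' ') bytes," \
                 "secondary $(wc -c < "$2/$name" | tr -d ' ') bytes)"
            rc=1
        fi
    done
    return $rc
}

# Copy the primary's ICA files over the secondary's, keeping a timestamped
# backup of whatever the secondary had (the fix reported in the thread).
# General precaution, not stated in the thread: cpstop on the secondary first.
ica_push() {
    bak="$2.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$bak"
    for name in $(ica_files "$1"); do
        if [ -e "$2/$name" ]; then
            cp -p "$2/$name" "$bak/$name"
        fi
        cp -p "$1/$name" "$2/$name"
        echo "copied $name to secondary (old copy, if any, saved in $bak)"
    done
}

# Constructed fixture for the offline demo: the "secondary" has a stale
# InternalCA.p12 and no InternalCA.crl at all. Real conf directories go here.
make_fixture() {
    fx=$(mktemp -d)
    mkdir "$fx/primary" "$fx/secondary"
    printf 'cert-and-key-v2' > "$fx/primary/InternalCA.p12"
    printf 'cert-and-key-v1' > "$fx/secondary/InternalCA.p12"
    printf 'ndb-same'        > "$fx/primary/InternalCA.NDB"
    printf 'ndb-same'        > "$fx/secondary/InternalCA.NDB"
    printf 'crl'             > "$fx/primary/InternalCA.crl"
    echo "$fx"
}

# Stand-alone demo:  sh ica_check.sh demo
case "${1:-}" in
    demo)
        fx=$(make_fixture)
        ica_diff "$fx/primary" "$fx/secondary" || echo "-- out of sync, pushing primary's files --"
        ica_push "$fx/primary" "$fx/secondary"
        ica_diff "$fx/primary" "$fx/secondary" && echo "-- in sync --"
        rm -rf "$fx"
        ;;
esac
```

Run ica_diff first and only push when it reports a DIFFERS or MISSING line; a clean OK list means the ICA files are not what is out of sync and you should look elsewhere (the time check the posters mention, or the SIC state) before touching anything.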