Another urgent help!!!

robori · #1 (**permalink**) 2007-03-14

Hi,

My NGX R60 Mgmt Console has stopped working since yesterday, the service just doesn't start as you can see from the output below:

[Expert@SecPlat_R60]# cpstart
cpstart: A file is missing or has been modified. For more details run `cphash -v`

[Expert@SecPlat_R60]# cphash -d -v cpstart
[ 10576 2002723488]@SecPlat_R60[14 Mar 11:13:54] is_initialized: new process or forked
[ 10576 2002723488]@SecPlat_R60[14 Mar 11:13:54] rand_add_seedfile: Failed to read seed
[ 10576 2002723488]@SecPlat_R60[14 Mar 11:13:54] fwrand_write_seed: Failed to read seed.
[ 10576 2002723488]@SecPlat_R60[14 Mar 11:13:54] fwrand_write_seed: Failed to write seed.
[ 10576 2002723488]@SecPlat_R60[14 Mar 11:13:54] verify_files: cpshared_filename failed

Have you guys already seen a problem like this ?

I've searched this problem in Checkpoint's Knowledge base but couldn't find anything, so I decided to install SPLAT on another machine and restore the backup I had.

Now I've installed Splat on another machine (different hardware) to RESTORE the .tgz file I have from the BACKUP of the problematic Smart Center Server. It brings me all the system configuration such as routes, crontab, users and interface configurations, but not the Rulebase and all the objects , which are the most important for me.

Do you know if the EXPORT or Upgrade_Export commands would be useful for me ? How do I use this tools ?

Thanks a lot !!

Robori

melipla · #2 (**permalink**) 2007-03-14

Quote:

Originally Posted by robori

Have you guys already seen a problem like this ?

I have not.

Quote:

Originally Posted by robori

Now I've installed Splat on another machine (different hardware) to RESTORE the .tgz file I have from the BACKUP of the problematic Smart Center Server. It brings me all the system configuration such as routes, crontab, users and interface configurations, but not the Rulebase and all the objects , which are the most important for me.

Do you know if the EXPORT or Upgrade_Export commands would be useful for me ? How do I use this tools ?

I would use the "backup" and "restore" functions. Be aware that when you run the "restore" it will tell you which files it will restore. There's two categories--system and checkpoint data (the second category is labeled wrong because I can't remember exactly what CP calls it). The Check Point data will NOT restore if you do not have IDENTICAL products installed. Run a sysconfig -> 10 (Product Installation) -> Next -> Accept License -> compare this list to the new hardware list.

Install identical products and re-run the restore.

robori · #3 (**permalink**) 2007-03-14

Thanks for your comments!

Well, when you issue the RESTORE command there are two options to restore: System and Cp_products. Now I understand why the rules and objects weren't restored, that's because I could only select System. : (

I'm trying to select Cp_Products in the restore time, in the problematic box itself (in the Management Station which I can't "cpstart"), but it doesn't allow me to do so. It just lets me select SYSTEM. WHy is it ?

Thanks again

melipla · #4 (**permalink**) 2007-03-14

Quote:

Originally Posted by robori

Well, when you issue the RESTORE command there are two options to restore: System and Cp_products. Now I understand why the rules and objects weren't restored, that's because I could only select System.

Yes, as far as I know, you can only restore CP Products if the restore utility detects that you have the same products installed.

Quote:

Originally Posted by robori

I'm trying to select Cp_Products in the restore time, in the problematic box itself (in the Management Station which I can't "cpstart"), but it doesn't allow me to do so. It just lets me select SYSTEM. WHy is it ?

You need to verify that you have the same products installed as when you took the backup.

I don't recommend restoring to the problematic server unless you reinstall it. I'd suggest that you use your temporary server, use sysconfig to identify products installed on both servers.

robori · #5 (**permalink**) 2007-03-14

Hmmm, okay.

I'm doing what you suggested right now, I'll let you know how it goes !!!

Thanks a lot !!!

robori · #6 (**permalink**) 2007-03-14

Thanks very much Melipla!!

I followed all the steps and it worked very well !!!! Both the system config and the firewall rulebase and all objects are in place now!!!

Wahooo !!!

Again, thanks a lot for your helpful hints !!!!

: )

Robori

robori · #7 (**permalink**) 2007-03-15

Now there's a little bit of a problem. I reinstaled SPLAT R60 NGX products on the same machine/hardware and used the RESTORE command. Now everything looks good, system settings, objects and rules, OK!

But in Smartview MOnitor every gateway is showing the UNTRUSTED status and I can't actually manage the firewalls or install policy.

I'd like to know how to re-stablish de SIC, I'm trying using cpconfig on the gateway and after that reseting on the firewall object on the SmartDashboard but it doesn't work.

Do you guys have a clue on what's the problem ?

Thank you!
Robori

melipla · #8 (**permalink**) 2007-03-16

Quote:

Originally Posted by robori

But in Smartview MOnitor every gateway is showing the UNTRUSTED status and I can't actually manage the firewalls or install policy.

I'd like to know how to re-stablish de SIC, I'm trying using cpconfig on the gateway and after that reseting on the firewall object on the SmartDashboard but it doesn't work.

If you need to re-establish SIC, log into the remote gateway, run cpconfig select the SIC option and re-initialize the trust w/an activation key. Then on the SmartCenter server, open the object click on Communication button and click Reset, then type in your activation key and click initialize. If there are problems, it will display in this window, so save the output.

One thing to check, on the remote gateway run cpconfig, and select the SIC option, what does it say the "Trust State" is? Then check the Dashboard and see what the Trust State is listed as under communication.

leekutti · #9 (**permalink**) 2008-08-31

Hi All Guru,
I have problem to set a SIC on the Firewall module and Smart centre server communication.

I did the following
1. through console cpconfig- SIC estabilished
2. Smart centre - on the Firewall module MY-fw1- communication - reset and initiate the SIC .
the following error occurs.
any solution to fixthe problem.

SIC Status for MY-fw1: Not Communicating

Peer does not have a certificate for SIC [error no. 111]

** Try to re-establish the trust **

When I install Policy on the MY-fw1- ERROR below.

Installation Targets Version Policy Type Details

MY-fw1 NGX R65 Advanced Security Installation failed.

Reason: Peer sent SIC name that is different than the one configured for it on SmartCenter Server try to reset SIC at the peer and re-establish the trust.

regards,
LEE

mcnallym · #10 (**permalink**) 2008-09-01

Double check that the name defined on the SMARTCenter Object for the Gateway is the same as that is defined as the hostname on the actual gateway and that on the gateway there is a localhost resolution for it's own name.

leekutti · #11 (**permalink**) 2008-09-01

I checked both smartcenter and firewall module name are same.

Firewall module console : trust state: initialized but Trust was not established.

Smart center firewall object communication :- Trust state :-Trust estabilished

any other clue to fix this problem

regards,
LEE.

msjouw · #12 (**permalink**) 2008-09-01

Lee,
try running fw unloadlocal on the gateway before trying to establish the trust, sometimes the local policy will disallow the trust to be established.
Regards, Maarten

leekutti · #13 (**permalink**) 2008-09-02

Maarten,
did execute the command " Fw unloadlocal" and tried the SIC estabilsh. No joy.

same error on the smart center SIC status

"SIC Status for adc-fw1: Not Communicating

Peer does not have a certificate for SIC [error no. 111]

** Try to re-establish the trust ** "

the gateway module SIC status
"Initialized but Trust was not established"

after activate the key and exit the error message
"Reason: SIC Protocol Error [ SIC error no. 300 ].
Policy Fetch Failed
Failed to fetch policy from masters in masters file"

any clue to fix this problem.
LEE.

melipla · #14 (**permalink**) 2008-09-03

Quote:

Originally Posted by leekutti

"SIC Status for adc-fw1: Not Communicating

Peer does not have a certificate for SIC [error no. 111]

In smartdashboard under the gateway object, do you have "VPN" checked in General Properties? [If you didn't, you have to click OK before the cert is generated] In the VPN section of the gw object, is there a certificate listed under "Repository of Certificates Available to the Gateway"?

msjouw · #15 (**permalink**) 2008-09-03

make sure the host defenition on the gateway is properly set and the object has the same IP and name. then reset the sic and try again.

Regards, Maarten.

leekutti · #16 (**permalink**) 2008-09-04

Hi there,

NOJOY.

Host name and the IP address are same on both smartcenter server and gateway module.

Smart center server - VPN option checked and the certificate is list under the "Repository of Certificates Available to the Gateway".

PS:- the gateway module had communication with smart center until I was established new SIC established on the gateway and Smart center. but the smart view tracker gate way Status was "UNTRUSTED".

this is some thing weird.

regards,
LEE.

melipla · #17 (**permalink**) 2008-09-05

Quote:

Originally Posted by leekutti

SIC Status for MY-fw1: Not Communicating

Peer does not have a certificate for SIC [error no. 111]

** Try to re-establish the trust **

When I install Policy on the MY-fw1- ERROR below.

Installation Targets Version Policy Type Details

MY-fw1 NGX R65 Advanced Security Installation failed.

Reason: Peer sent SIC name that is different than the one configured for it on SmartCenter Server try to reset SIC at the peer and re-establish the trust.

I'm guessing you've never successfully established SIC with this gateway?

Can you verify that the traffic between the gateway and the smartcenter server is not being NATed?

Did you have any problems installing the gateway, say with the random pool or anything else?

leekutti · #18 (**permalink**) 2008-09-08

Hi,
No NAT ing in between the Gateway and Smart centre server. It has connectivity until last week. when I found the " UNTRUSTED" mode on the Smartview monitor and establish the SIC, it lost connectivty it seems.
any clue .
PS :- Time - smartcentre and gate time are same.

Still no Joy.

regards,
LEE.

msjouw · #19 (**permalink**) 2008-09-09

Lee,

Do you know if there are any changes in the path between the Gateway and the Smartcenter, try telnetting from the smartcenter to the remote firewall on the 18190 and 18191 ports.
normally the firewall should allow this connection. Make sure you run a fw monitor while doing so, then you can see if there is any traffic coming back.

I once had many problems like this with some WAN Accellerator box in between that was doing some caching and yes it chachjed the SIC packet.

borek · #20 (**permalink**) 2008-09-09

Once i had problem with establishing SIC. It was caused by the not running (seg faulting) cpd daemon.

Just to be sure check the main processes: cpwd_admin list

In my case i did restart (it was when the new 2.6 kernel splat was released) and it worked.

borek

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode