CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

I have a Windows management station running NG Feature Pack 2, build 52085. The enforcement module is a Nokia IP300. It looks like the last good policy is installed and working; however, we cannot open the Policy Editor. When we enter the credentials it just loads up the "Demo" policy. Presumably I need to re-establish SIC? This is where my problems start, because when I run cpconfig from the command line it opens the GUI Check Point Configuration Tool, where the only tabs are Licenses, Administrators, GUI Clients, Key Hit Session, Certificate Authority and Fingerprint. The only mention of SIC in this tool is under Certificate Authority, where it says "Certificate Authority Status: Your certificate authority is initialised". The rest is greyed out, including any mention of SIC. Any ideas how I can fix this? Please, I'm desperate!!!

Log in to the enforcement module, type cpconfig and, in the SIC option, enter some secret. Connect to the SmartCenter server from SmartDashboard, create an object for the enforcement module and enter the same secret in the activation key. This should solve your problem. Before that, check that the SmartCenter server and the enforcement module are accessible to each other.

Based on what you are saying, I would say that when you open the Policy Editor the IP of the SmartCenter is set to *local. This will load up the demo policy. If you enter the actual IP address of the SmartCenter instead, it should open with the correct policy. This is NOT a SIC issue. PS: Upgrade your system, as NG FP2 hasn't been supported for quite a while.

Many, many thanks for the assistance here. This is what happens when I try to connect. To get onto this management station I VNC to its public NATted address. I then open the Policy Editor and in the Management Server box I add the REAL IP address, which is 10.10.2.2. I then add the relevant username and password. However, I am then presented with the following error: "connection cannot be initiated, make sure the server "10.10.2.2" is up and running". Any idea? I'm desperate now!!

So 10.10.2.2 is the SmartCenter (Windows management station). On this Windows box open the DOS prompt and run cpstart. This will start the Check Point services, or tell you if they have already started. You also have to confirm where the management sits in relation to the firewall and where you are connecting from, as your firewall policy might be preventing comms. Quite basic stuff, to be fair....

If I'm already VNC'd onto the management station then surely I'm not going through the ACTUAL ENFORCEMENT MODULE anyway? So, as far as I can see:
1. I'm already connected to the management station via VNC.
2. If I open cpconfig then I can see that my local address 10.10.2.2 is defined as a GUI client.
3. Check Point services ARE running on this machine.
4. When I run the GUI client FROM the management server, that is when I get the message about making sure the server is up and running.
5. There are some other addresses defined as GUI clients. These addresses should connect via the management server's NATted address. However, when I try to connect to the public address from the Internet I get the following error:
THE CONNECTION HAS BEEN REFUSED DUE TO ONE OF THE FOLLOWING SMARTCENTER SERVER CERTIFICATE PROBLEMS: 1. THE SMARTCENTER SERVER CLOCK IS NOT SET UP PROPERLY 2. THE CERTIFICATE'S ISSUE DATE IS LATER THAN THE DATE OF THE SMARTCENTER SERVER'S CLOCK 3. THE GUI CLIENT'S CLOCK AND THE SMARTCENTER SERVER'S CLOCK ARE NOT SYNCHRONISED 4. THE CERTIFICATE HAS EXPIRED 5. THE CERTIFICATE IS INVALID 6. I AM VERY VERY CONFUSED, THIS IS HIGHLY ILLOGICAL!!!

Try the following maybe?
- cprestart
- reset your admin password
- try to telnet to your IP on port 18190 and see if the port is open
For myself, I have a weird issue: if I connect directly to a SmartCenter I get the error you got, but if I log in to demo mode first and then retry, it works... I believe it's due to my laptop having multiple versions of SmartConsole, as I'm an engineer and have all versions of SmartConsole installed, from R55 up..

OK, this is still not working, so here is what I have actually done:
1. Stopped and started the Check Point services ON the management station!
2. Once I have done this I CAN telnet to port 18190 from BOTH the management station and from the INTERNET to its NATted address.
3. The error I get when I try to connect locally is "connection cannot be initiated make sure that the server "10.10.2.2" is up and Running", and the error from the Internet is: The connection has been refused due to one of the following SmartCenter Server Certificate problems: 1. The SmartCenter Server's clock is not set up properly 2. The certificate's issue date is later than the date of the SmartCenter Server's clock. 3. The GUI client's clock and the SmartCenter Server's clock are not synchronised. 4. The certificate has expired. 5. The certificate is invalid.
OK, I'm desperate now! We have no way into Check Point for them to answer this, so I'm really stuck, and obviously we can't manage the firewall at all as it stands! Any more pointers would be greatly appreciated. The only other anomaly, which may or may not be relevant, is in the cpconfig tool: the "Apply" button is greyed out. Even when I tried to add a new administrator all I could do was hit the "OK" button and not "Apply"! Maybe a red herring? HELP!!!! SOS!!!!! HELP!!!!! SOS!!!!! HELP

Try connecting to "127.0.0.1" in the server line. Check to make sure 127.0.0.1/localhost is listed as a GUI client. Another thing to check is the license on the SmartCenter: cd %fwdir%/bin, then fw printlic (it might be cplic print in FP2). Can you connect with the Log Viewer?

Tried 127.0.0.1. Still the same! Can't connect to the Log Viewer either! Here is the output from cplic print:
Z:\>cplic print
Host Expiration Features
10.10.2.2 never FW1:5.0:REMOTE2 FW1:5.0:CONTROL FW1:5.0:VPNMGMT FW1:5.0:VPNSTRONG FW1:5.0:DBVR_SINGLE CK-BEA091ACBAD1

I would download the license from the Check Point UserCenter and reattach it to the SmartCenter. Also check the date and time of the Management Server to make sure they are correct. When you run cpconfig on the Management Server there should be a section for the Certificate Authority, or ICA. What does it state under there?

Certificate authority status: Your Certificate is initialised! EVERYTHING ELSE ON THIS TAB IS GREYED OUT, INCLUDING THE BUTTON WHICH STATES "INITIALISE AND START CERTIFICATE AUTHORITY". I COULD HOWEVER STILL CHANGE THE "CHANGE MANAGEMENT FQDN" IF I WANTED TO!

Try debugging management and see if you get more info: fw debug fwm on TDERROR_ALL_ALL=5 (or something like that, check the CLI documentation). Try to connect, then check the file $FW(CP)DIR/log/fwm.elg

"M 1260]@BACS SIC Error for cpmi: Got alert from peer that the certificate expired", and when I try to connect locally I get this: "SIC Error for amon: Certificate expired". So I believe this means I need to reset SIC! So at the command line I type
>fwm sic_reset
Then I get this reply:
>There are IKE Certificates that were generated by the internal Certificate Authority. Please remove them (using the Policy Editor) so that the internal Certificate Authority can be destroyed. SIC Reset operation could not be completed.
So off I go to Check Point SecureKnowledge solution ID sk14532, which then instructs me how to fix this by LOGGING ON TO THE DASHBOARD. Can someone tell me why this might not work??

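An added example, not from the thread or from Check Point: a small POSIX shell triage helper for the fwm.elg output produced after enabling fwm debugging as suggested above. It counts SIC errors, lists the services (cpmi, amon, ...) that report them, and classifies the root cause as an expired certificate when the messages say so, which is the server-clock/certificate-validity case this thread ends up diagnosing. The log excerpt is constructed for the example; only the two SIC messages copy the wording quoted in the post, and the process tag and the remaining lines are made up.

```shell
#!/bin/sh
# Added example (not from the thread): triage helper for Check Point fwm.elg
# output. Every function reads the log text on stdin.

# Constructed sample log excerpt. The two SIC messages mirror the wording
# quoted in the thread; the "[fwm 1260]@mgmt" tag and the other lines are
# invented for this demo.
SAMPLE_ELG='[fwm 1260]@mgmt SIC Error for cpmi: Got alert from peer that the certificate expired
[fwm 1260]@mgmt SIC Error for amon: Certificate expired
[fwm 1260]@mgmt Policy loaded
[fwm 1260]@mgmt SIC Error for cpmi: Peer sent wrong DN'

# Number of SIC error lines in the log on stdin (prints 0 when there are none).
count_sic_errors() {
  grep -c 'SIC Error for' || true
}

# Distinct services that report SIC errors, sorted and space separated,
# e.g. "amon cpmi".
sic_failing_services() {
  sed -n 's/.*SIC Error for \([A-Za-z0-9_]*\):.*/\1/p' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Root-cause classification of the log on stdin:
#   expired - at least one SIC error mentions an expired certificate
#             (check the management server clock against the certificate
#             validity period before touching SIC)
#   sic     - SIC errors are present but none mention certificate expiry
#   clean   - no SIC errors at all
sic_root_cause() {
  log=$(cat)
  if printf '%s\n' "$log" | grep 'SIC Error for' | grep -qi 'certificate expired'; then
    echo expired
  elif printf '%s\n' "$log" | grep -q 'SIC Error for'; then
    echo sic
  else
    echo clean
  fi
}

# Stand-alone run over the constructed sample.
printf 'SIC errors: %s\n' "$(printf '%s\n' "$SAMPLE_ELG" | count_sic_errors)"
printf 'Failing services: %s\n' "$(printf '%s\n' "$SAMPLE_ELG" | sic_failing_services)"
printf 'Root cause: %s\n' "$(printf '%s\n' "$SAMPLE_ELG" | sic_root_cause)"
```

On a real management station the same functions would be fed the actual file instead of the sample, for instance `sic_root_cause < "$FWDIR/log/fwm.elg"`; an `expired` result points at the clock and certificate validity check rather than at a SIC reset.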
BUMP!!!!!!!!

OK, after much frustration I found a cert revocation list with a certificate that expired last November! If I change the management server clock to 2007 instead of 2008 it starts to work!! How is this??

Try setting the clock back on the SmartCenter to just before the certificate expiration date. Then run a cpstop and a cpstart and see if the certificate renews itself. Ray

I do believe the cert will auto-renew itself, but I only know this of NGX; prior versions I'm not sure... I'm pretty sure NG AI R55 does that too... You can't reset SIC because you have VPNs running, I believe? This seems like a destructive move, but you can't be anywhere worse than now... Try, IF:
1) Your site-to-site VPNs are using pre-shared keys, NOT certs
2) Your remote access VPNs are using the local Check Point database, NOT certs
Procedure:
- Back up the configuration using upgrade_export
- Roll back the clock so everything works
- remove your VPN cert in the firewall object
- cpstop
- fwm reset_sic
- cpstart
- log in to the dashboard
- reinitialise your VPN cert
This should resolve your issue..