CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hi, will executing the command fwm sic_reset on my manager have any immediate effect on my enforcement points? I know I will need to re-establish trust with them, but will it bring down any VPNs those enforcement points have active at the time? Or have any other effect? Thanks, Walcat

If you are using certificate-based VPNs, you will invalidate your certificates because you've blatted your certs. So you run the risk of losing authentication if a tunnel re-negotiates. I also believe that remote-access VPNs will have problems until you re-establish trust with the Gateway. I wouldn't do the fwm sic_reset until you're absolutely sure it's necessary. If you can, log a call with CP to validate that you have to do this first.

You should only do the fwm sic_reset command if there is no other choice. It really is a pain having to remove all of the VPN config from the policy, turn off the VPN on the gateways, etc. You then have to re-enter all of the VPN config, which can lead to mistakes in configuring the VPN again, and then you have to push the policy. I also personally do a vpn tu and reset the tunnels once the policy push has been done, to force the negotiation again. It shouldn't affect existing connections, but you won't get new connections, if memory serves me correctly.

Thanks for the reply, guys. I am thinking I need to do this because of the following, though if there is another way please shout out. I recently created a new CP FW object but had the attached error displayed when I clicked OK. I also tried to view the certificate on the other enforcement points managed by the manager and got the error attached. I am at a loss as to how to resolve this, hence I was going down the fwm sic_reset route, but to be honest I didn't realise I would need to reconfigure all the VPN stuff again. Ideas, anyone? Thanks

When you get that sort of message then yes, I believe you will need to reset the CA on the SmartCenter. It requires you to delete all of the existing certificates that the CA has created, hence the need to remove the existing VPN config. If there are still certs then the fwm sic_reset won't work.

If you're using simplified mode you will only have to get your gateways out of the communities and disable the VPN rules. After the fwm sic_reset, just include the gateways in the communities again and enable the rules.

Thanks for the replies, guys. If I am not using certificates for the VPNs but shared secrets, will this still affect the VPNs, and will I still need to do the things you have suggested? Thanks

Even if you are using a pre-shared secret, when you enable VPN in the general properties of the gateway it will generate a certificate that needs to be deleted. This requires that the gateway not be used in any VPN configuration and that the VPN tick box then be unticked.

Hi, well the fwm sic_reset went OK: all enforcement points are still working, and logging and VPNs are working fine. But... the HA management has stopped working. SIC is established, but the HA management fails with 'failed to synchronize, reason: failed to connect to the peer'. Any ideas? Thanks

Well, thought I'd post an update. Tried resetting the SIC on the secondary manager as suggested but this didn't work either, still getting the message 'Failed to connect to peer'. Again I can see two comms on the snoop on the secondary manager between the two managers, but it is not working. I have managed to fix it though, after help from this site (thanks guys). Here's how:

On the secondary manager:
1. cpstop
2. cd $FWDIR/conf/mgha
3. Remove or rename the files in that directory
4. cpstart

On the primary/active manager:
1. In Dashboard, Policy -> Management High Availability
2. At this stage the status was now 'Never syncd'
3. Performed a manual sync and it worked first time; both servers synced

Thanks for everyone's help, hope this helps in the future
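The secondary-manager part of that fix, scripted so that the mgha state is moved aside into a timestamped directory instead of deleted, which keeps step 3 reversible if the sync still fails. This is an added example, not code from the thread or from Check Point; it assumes a Gaia shell with $FWDIR set and cpstop/cpstart on the PATH, and the --run guard and function names are the example's own.

```shell
#!/bin/sh
# Added example: stash $FWDIR/conf/mgha rather than rm'ing it, then restart.
# Assumes $FWDIR is set and cpstop/cpstart exist (Check Point shell).

# Move every entry in DIR (dotfiles included) into a timestamped sibling
# directory and print that directory's path. Nothing is deleted.
stash_dir_contents() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    backup="${dir}.bak-$(date +%Y%m%d-%H%M%S)"
    mkdir "$backup" || return 1
    # -mindepth 1 -maxdepth 1 picks up hidden files that a plain glob misses
    find "$dir" -mindepth 1 -maxdepth 1 -exec mv {} "$backup"/ \;
    echo "$backup"
}

# Number of entries left in DIR; 0 means the stash emptied it.
count_entries() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# The procedure from the post: stop services, stash the HA sync state,
# start services. The manual sync is then done from Dashboard on the primary.
reset_mgha_sync() {
    cpstop || return 1
    stash_dir_contents "$FWDIR/conf/mgha" || return 1
    cpstart
}

# Only act when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "--run" ]; then
    reset_mgha_sync
fi
```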