CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.



Check Point Firewall-1/VPN-1 And Related Products > SmartCenter Server (Formerly Management Server)

#1
2008-04-29
huskercheese
Junior Member
Join Date: 2008-02-22
Posts: 3
Cannot connect to SmartCenter - tried everything

Okay... I've tried everything I could find on the internet to connect to SmartCenter Dashboard, Tracker, Updater, etc. with no luck. Background:
This SmartCenter server has been upgraded from NG to R55 to R60. The enforcement points are Nokia IP350s running IPSO 3.8. Two are in a VRRP cluster and one is a stand-alone. All three Nokias are running the R55 package and being managed from an R60 SmartCenter.

The original problem was upon logon the connection is refused due to the clocks not being setup properly, not matching, certificate invalid or expired message.

If I set the clock back a week on the SmartCenter server I could log in fine. Once logged in if I tested the SIC communication I would get an SSL error referencing an expired SSL certificate on peer on all three of my enforcement points.

I've done the cpstop/cpstart on the Management server at least 20 times. I've done cpstop/cpstart on the passive node of the cluster a dozen times. I've attempted to reset the SIC on the same passive node and in the Dashboard through the passive enforcement point properties.

The SIC reset on the enforcement module has brought the firewall down. It's unable to fetch the firewall policy from the active node or from the management module. I can only reach it via ping when cpstop is run.

Then today I decided to revoke the SmartCenter certificate (cpca_client revoke_cert/create_cert). That wouldn't work at first. I was getting the following error when trying to create:
    cpca_client create_cert -n "cn=cp_mgmt" -f "$cpdir/conf/sic_cert.p12"
    Error. rc=-1 err=-91 There is already a certificate with the specified details

After revoking and attempting the recreate I am no longer able to log in to the dashboard if I set the clock back on the management server. I now get "the connection cannot be initiated... make sure <server> is up and running and you are defined as a GUI client"

Looking at the registry HKLM\SOFTWARE\CheckPoint\SIC I noticed the CertPath was different from $CPDIR. The registry references "C:\Program Files\CheckPoint\CPShared\NG\conf\sic_cert.p12" while the cpdir variable is set to "C:\Program Files\CheckPoint\CPShared\r60". So I modified the CertPath key (after exporting it) to match the cpdir variable. I was able to revoke and recreate a certificate referencing sic_cert.p12 in the r60\conf folder. I changed the key back to its original value, did a cpstop/cpstart and was able to revoke and recreate the certificate successfully. However, I am still unable to log into any SmartCenter application.

I'm dead and drifting here. Please help!!
#2
2008-04-30
MarioL
Senior Member
Join Date: 2007-01-18
Location: London
Posts: 346
Re: Cannot connect to SmartCenter - tried everything

"If I set the clock back a week on the SmartCenter server I could log in fine. Once logged in if I tested the SIC communication I would get an SSL error referencing an expired SSL certificate on peer on all three of my enforcement points."

I'd guess this was because of the date mismatch between the SmartCenter (which you moved back a week) and the modules (which you didn't). Anyway, moving on.

"After revoking and attempting the recreate I am no longer able to log in to the dashboard if I set the clock back on the management server. I now get "the connection cannot be initiated... make sure <server> is up and running and you are defined as a GUI client""

If you create a new cert with today's date and then move the date back a week, the cert won't be valid, since the date is before its issue date. That might be your case. Anyway, if you are going to reset and do everything from scratch, please set the dates right on all devices.

What I would do:
1 - check SmartCenter version on the box
2 - check SmartCenter services are running
3 - check the SmartClient version you have on the client PC (GUI version)
4 - check you can reach the SmartCenter server from the GUI PC
5 - connect

If you have a firewall module running on the SmartCenter server you might need to unload policy

If this still fails you might want to check that the client PC is defined as a GUI client properly.

Hope that helps.
#3
2008-04-30
huskercheese
Junior Member
Join Date: 2008-02-22
Posts: 3
Re: Cannot connect to SmartCenter - tried everything

I'm trying to connect from the SmartCenter server. It appears that I have successfully renewed the cert but I am still getting the refusal message at login referencing invalid or expired cert.

Any ideas why?

I did do an upgrade_export before I started messing with this. If I were to build a new server with the same name and IP address and import the .tgz file, would I be importing the expired SSL certificate as well and end up with the same issue?
#4
2008-04-30
huskercheese
Junior Member
Join Date: 2008-02-22
Posts: 3
Re: Cannot connect to SmartCenter - tried everything

I got this to work again.

I ended up changing the CertPath in HKLM\SOFTWARE\Checkpoint\SIC from "C:\Program Files\CheckPoint\CPShared\NG\conf\sic_cert.p12" to "C:\Program Files\CheckPoint\CPShared\R60\conf\sic_cert.p12". Did a cpstop/cpstart, then did a revoke_cert and a create_cert, then another cpstop/cpstart. I was able to log in to all SmartCenter apps and all SICs are communicating.
#5
2008-04-30
RayPesek
Senior Member
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 861
Re: Cannot connect to SmartCenter - tried everything
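An added example, not code from the thread or from Check Point, that checks the two conditions the posts above turn on: the CertPath value under HKLM\SOFTWARE\CheckPoint\SIC pointing at a different install directory than $CPDIR (the mismatch huskercheese fixed in post #4), and the certificate's validity window not containing the local clock (the "issued after the clock was set back" and "expired" cases MarioL describes in post #2). Assumptions: it runs on the Windows SmartCenter host as Administrator, CPDIR is set in the shell as cpstart's environment sets it, the registry key and value exist, and sic_cert.p12 can be opened without a password; the Set-ItemProperty line is left commented so the script only reports and never changes the key.

```powershell
# Added example (not from the thread): report whether the SIC CertPath in the
# registry matches the running $CPDIR, and whether the certificate it names is
# currently valid, not yet valid, or expired on this machine's clock.

$sicKey = 'HKLM:\SOFTWARE\CheckPoint\SIC'

if (-not $env:CPDIR) {
    throw 'CPDIR is not set in this shell; open a shell from the cpd environment or set it to the active CPShared directory.'
}

# Assumption: the key and the CertPath value exist on this host.
$certPath = (Get-ItemProperty -Path $sicKey -Name CertPath).CertPath
$expected = Join-Path $env:CPDIR 'conf\sic_cert.p12'

"Registry CertPath : $certPath"
"Expected (CPDIR)  : $expected"

if ($certPath -ine $expected) {
    Write-Warning 'CertPath does not match CPDIR: cpd may be loading a certificate left behind by an older install.'
    # Back the key up before changing it, as the poster did, then repoint it:
    #   reg export HKLM\SOFTWARE\CheckPoint\SIC sic-backup.reg
    #   Set-ItemProperty -Path $sicKey -Name CertPath -Value $expected
    # and follow with cpstop/cpstart before any revoke_cert/create_cert.
}

# Check the validity window of every candidate file against the local clock.
# .NET returns NotBefore/NotAfter in local time, so Get-Date compares directly.
$now = Get-Date
foreach ($p in @($certPath, $expected) | Select-Object -Unique) {
    if (-not (Test-Path $p)) {
        "MISSING      : $p"
        continue
    }
    try {
        # Assumption: the .p12 opens without a password; otherwise this throws.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $p
    } catch {
        "UNREADABLE   : $p ($($_.Exception.Message))"
        continue
    }
    $state = if ($now -lt $cert.NotBefore) { 'NOT YET VALID' }   # clock set back past the issue date
             elseif ($now -gt $cert.NotAfter) { 'EXPIRED' }
             else { 'VALID' }
    '{0,-13}: {1}  subject={2}  notBefore={3:u}  notAfter={4:u}' -f $state, $p, $cert.Subject, $cert.NotBefore, $cert.NotAfter
}
```

Run it once before moving any clocks: a NOT YET VALID result on the SmartCenter's own certificate is exactly the state post #2 predicts after a create_cert followed by setting the date back, and a CertPath that names the NG directory while CPDIR names R60 is the state post #4 corrected.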

Glad you got it working and thanks for the follow-up note. Things like this are one of the reasons it's better to create an upgrade_export and reinstall the SmartCenter completely from scratch rather than doing in-place upgrades.

Note to self: Do not try to use Add/Remove Programs to remove old R55 components. You can break things after an in-place upgrade was done.

I once removed Floodgate for R55 and it hosed the QoS function on R62. It turns out that if the upgrade detects certain old components that are still the same version, it will not install the new version, just re-point the old pieces-parts.

Ray