| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| When I try to log in to the SmartDashboard from my desktop I get this error: "Connection cannot be initiated. Make sure the server is up and running." I have also tried connecting from another machine with the Smart client loaded and I get nothing. I have checked the allowable IPs in cpconfig and they are all correct. The firewall is still passing traffic fine, I just can't get to it to manage it anymore. I've tried unloading the policy from the firewall but it still won't let me connect. The last thing I did before it stopped working is put a rule above the stealth rule (as in it's the very first rule) that implicitly allowed me to telnet from my workstation to the Solaris box the firewall is running on. I assume it must have something to do with that....? Any ideas would be greatly appreciated. Thanks! |
| |||
| Hi, I have faced the same problem when generally running a SPLAT. Then what I do... I reset the SIC and then access the SmartCenter and then create a rule on the top to accept CPMI (18190/tcp) connections from my SmartDashboard console, i.e. IP. And after that it works fine. Source: my IP Destination: Firewall Service: CPMI You can try this. Regards Ranjit |
| |||
| Hi Speedtre, can you confirm if you have a standalone or distributed setup? If distributed, can you explain the layout, i.e. where the Mgmt is located relative to the firewall module. Cheers, Dan |
| |||
| Quote:
That specifically allows management connections. Are you trying to connect to the internal IP of the firewall or the external IP? Do you have the implied rules enabled for management connections? You could always try allowing all IPs to connect to the firewall for management and see what happens. There may be a NAT rule or something getting in the way. Ray |
| |||
| Hey Dan. It's standalone and the mgmt is loaded on the same machine as the fw module. |
| |||
| Quote:
I can't tell what rules I still have in place because I can't view them on the SmartDashboard... :( |
| |||
| Yes, when I do a fw unload localhost I can ping the FW. |
| |||
| When you unload the policy, you can ping the CheckPoint system, but you can't log in? Have you set the clocks? Sometimes this interferes with the certificate. Check to make sure both the server and client have the clocks synced. Also, you might want to try doing a cpstop, cpstart. Have you tried this yet? You could try running netstat -an | grep LIST to see if the CheckPoint server is listening on the CPMI port too. |
| |||
| Quote:
No, I haven't set the clocks, I'll check that. I have done cpstart and cpstop several times.... |
| |||
| Hi, if you can ping the firewall/mgmt from your node, can you also try a telnet on port 18190 (CPMI)... Do you get a black screen or a timeout? A black screen would indicate the firewall/module is listening on the Check Point Management Interface port and you should be able to make a connection. Are you 100% sure of the password and user name you are using to connect? |
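The two checks suggested in the replies above (`netstat -an | grep LIST` on the management host, and a telnet to 18190 from the client) can be scripted. This is an added example, not part of the original thread; the sample netstat lines and addresses are constructed, and the function names are hypothetical.

```python
import re
import socket

CPMI_PORT = 18190  # CPMI port as given in the thread

# Constructed sample `netstat -an` lines (not captured from a real system).
SOLARIS_SAMPLE = """\
      *.18190              *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
10.1.1.1.18190       10.1.1.50.51515    64240      0 49640      0 ESTABLISHED
"""
LINUX_SAMPLE = """\
tcp        0      0 0.0.0.0:18190      0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:18191      0.0.0.0:*          LISTEN
tcp        0      0 10.1.1.1:18190     10.1.1.50:51515    ESTABLISHED
"""

# Solaris prints addr.port, Linux prints addr:port.
_ADDR = re.compile(r"^(.+)[.:](\d+)$")

def cpmi_listeners(netstat_text, port=CPMI_PORT):
    """Return local addresses in LISTEN state on `port` from `netstat -an` text."""
    found = []
    for line in netstat_text.splitlines():
        tokens = line.split()
        if "LISTEN" not in tokens:
            continue
        for tok in tokens:
            m = _ADDR.match(tok)
            if m:  # first address-like token is the local endpoint
                if int(m.group(2)) == port:
                    found.append(m.group(1))
                break
    return found

def probe(host, port=CPMI_PORT, timeout=3.0):
    """Classify a TCP connect attempt from the GUI client's side."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed: the telnet "black screen" case
    except ConnectionRefusedError:
        return "refused"       # RST came back: no listener, or traffic was rejected
    except socket.timeout:
        return "timeout"       # no reply at all: typically dropped on the path
    except OSError:
        return "error"         # e.g. no route to host
```

An empty list from `cpmi_listeners` on the management host points at the services rather than the rulebase, while a listener combined with `timeout` from the client points at filtering between the two.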
| |||
| Hi users, I have a SPLAT Linux Check Point management server on VMware and also have the Check Point management client NGX R65 on the same machine where VMware is installed. To connect to the management station I have to go through the intermediate server so that I can proxy the connection to the management server. For this connection, I am using SSH. We have a provision that the intermediate server automatically invokes the management client and fills in the information like username, password, IP address, port when trying to connect to the management server. When I tried to connect to the management server using the Check Point management client through the intermediate server it gives an error "Connection cannot be initiated. Make sure that the server x.x.x.x is up and running and that you are defined as gui client" but when I refresh the connection page for the same connection and manually type the password it gets connected. I don't know why the management client shows this peculiar behaviour. Is there any solution for this? Any help appreciated. Thanks and Regards, P Raut |
| |||
| If you used Bridged Networking on the VMware then you can go straight to the Management Server by IP address. This is what I do at home, where I run SmartCenter in VMware and a Firewall in a separate VMware. I can even relocate the VM to a different machine and it works properly. I suspect the problem is in how your networking is configured in VMware: are you using NAT or Bridging? I suspect that, as you say you need to proxy, it is NAT. Use Bridging, as the machine then appears to be on the local network as its own machine; it responds to ping, shows up in ARP tables, etc. |
| |||
| Speedtre: Have you tried connecting to the external IP on the firewall with the rulebase unloaded? You should be connecting to the IP that is listed in the IP Address field of your firewall object. |