CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Guys, I'm having a major issue with cert-based VPNs. I have two firewall clusters in separate countries, all managed by one management server. I'm getting an invalid cert message logged on the remote VPN. The modules have SIC established and policy can be pushed. The VPN rule is set up correctly. In relation to this, can someone provide me with the steps to make this work, so hopefully I'll find out where I'm going wrong.
Double check routing from the local gateway back to the management server (SCS). Did you recently change anything there regarding routing, especially about 3-5 days ago? Sounds like a similar issue I had with asymmetric routing: the gateways were managed from the external IP, but the route to the management server was pointing to the internal network (in our environment this is possible). The local gateway will try to connect to the SCS, and when the connection is made from any IP other than the gateway object's IP, the SCS will not accept the connection. The cache on the local gateway is somewhere between 3-5 days. There is a specific port it uses to check the certs with the SCS, and I don't remember anymore which one it is. You could run a tcpdump looking for this port on the SCS. Do keep in mind that when the SCS initiates traffic to the gateway it will be OK.

Regards, Maarten.
P1 R65.4 IPSO SPLAT IOS
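The two checks the reply above describes, verifying which source address the gateway uses to reach the SCS and spotting connections on the SCS that arrive from an address other than the gateway object's IP, as an added example that is not part of the original thread. The gateway names, addresses, the `ip route get` output and the tcpdump lines are all constructed, and the destination port in the sample capture (60000) is a placeholder, not the actual Check Point certificate-check port.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed: gateway objects as defined on the management server (SCS),
# mapping object name to the IP the SCS expects that gateway to connect from.
GATEWAY_OBJECTS: Dict[str, str] = {
    "gw-cluster-a": "203.0.113.10",
    "gw-cluster-b": "198.51.100.20",
}

SCS_IP = "192.0.2.5"  # constructed management server address

# Constructed tcpdump-style lines as they might be captured on the SCS.
# Port 60000 is a placeholder for the real certificate-check port.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.40211 > 192.0.2.5.60000: Flags [S], seq 1, length 0
12:00:02.000002 IP 10.20.30.1.40212 > 192.0.2.5.60000: Flags [S], seq 2, length 0
12:00:02.000500 IP 192.0.2.5.60000 > 10.20.30.1.40212: Flags [R.], seq 0, length 0
12:00:03.000003 IP 198.51.100.20.40213 > 192.0.2.5.60000: Flags [S], seq 3, length 0
"""

# Constructed output of `ip route get <SCS_IP>` run on a gateway. The `src`
# field is the address the gateway will use for connections it initiates,
# which is what the SCS compares against the gateway object's IP.
SAMPLE_ROUTE_GET = "192.0.2.5 via 10.20.30.254 dev eth1 src 10.20.30.1 uid 0"

_PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")
_SRC_RE = re.compile(r"\bsrc (\d+\.\d+\.\d+\.\d+)")


def route_source_ip(route_get_output: str) -> Optional[str]:
    """Extract the `src` address from `ip route get` output (None if absent)."""
    m = _SRC_RE.search(route_get_output)
    return m.group(1) if m else None


def check_gateway_routing(route_get_output: str, gateway_object_ip: str) -> Tuple[Optional[str], bool]:
    """Return (source IP the gateway will use, whether it matches its object IP).

    A False result means the SCS will see the connection from an unexpected
    address and, as described in the thread, refuse it.
    """
    src = route_source_ip(route_get_output)
    return src, src == gateway_object_ip


def unexpected_sources(capture_text: str, scs_ip: str, gateway_objects: Dict[str, str]) -> List[str]:
    """Scan tcpdump output taken on the SCS and list source addresses of
    inbound connections that do not belong to any defined gateway object.

    Traffic initiated by the SCS itself is ignored, since the thread notes
    that direction works regardless of routing.
    """
    known = set(gateway_objects.values())
    flagged: List[str] = []
    for line in capture_text.splitlines():
        m = _PKT_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        if dst != scs_ip:
            continue  # outbound from the SCS; not relevant
        if src not in known and src not in flagged:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    src, ok = check_gateway_routing(SAMPLE_ROUTE_GET, GATEWAY_OBJECTS["gw-cluster-a"])
    print(f"gateway will connect from {src}; matches object IP: {ok}")
    print("unexpected sources seen on SCS:", unexpected_sources(SAMPLE_CAPTURE, SCS_IP, GATEWAY_OBJECTS))
```

Run `ip route get <SCS IP>` on the gateway itself and feed the line to `check_gateway_routing`; on the SCS, capture with tcpdump filtered on the management port and pass the text to `unexpected_sources`. Any address it reports is a gateway (or a NAT in front of one) whose path back to the SCS does not match the object definition, which is exactly the mismatch the reply describes.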
Lads, the solution was to NAT the management server with the private IP address behind a public IP. Create a dummy Check Point node, set it up as a secondary management server, create the correct NAT rules, and Bob's your uncle and Fanny's your aunt.

Thanks, dub
Tags: certificate, vpn