SG80 Issue


member054
2010-11-26, 14:15
Hello all,

I'm unsure if this is an SG80 issue or something else, but I'll start here.

I've received an SG80 and it's connected to the internet in a remote office. I've established SIC fine and can retrieve topology, however when the device attempts to load its policy it fails. The logs on the device show it sending a CPD packet, to the correct external IP of the SmartCenter, but the next packet... FW1_ela is going to the internal IP of the SmartCenter.

SmartCenter NAT is an automatic static rule, and works fine for all our other gateways.

If I perform a "fw fetch <external IP>" it will successfully fetch & load the policy, however VPN tunnels can't establish because the SG80 can't retrieve peer certificates from the SmartCenter.

I have my CP support people looking into this but it's urgent I get it resolved this weekend - does anyone have any ideas or seen an issue like this?

I should also point out that I've got hosts entries for our SmartCenter to its public IP and tried manual NAT rules.

SG80 is R71 & SmartCenter is 71.20...

Thanks for any help...

Thorpuse
2010-11-27, 08:17
There's a number of ways to fix this -

- In the SC object, there are NAT options for Management traffic. Setting these should ensure that the gateway gets the right IP for management traffic. Note the word should - I've seen this not work before.

- Create a Secondary Management object, with the Public IP of the Management Server. This should populate the GW to receive policies from the public IP.

- If the above options fail, manually edit the $FWDIR/conf/masters file on the gateway, and add the Public IP of the Gateway for Management and logging. Make sure that you also change the properties in the Gateway object in the SmartDashboard so that it knows to use the local masters definitions.

Unless there is something unique about the SG80 (which I doubt for this sort of usage), one of these methods will work.

Good luck.
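
An added example (not from this thread, and not Check Point's own code) of what the third option looks like in practice: a constructed $FWDIR/conf/masters fragment that points the [Policy] and [Log] sections at the management server's public IP, and a small POSIX sh check that the gateway's hosts entry for the SmartCenter agrees with it before you run fw fetch. The section layout is the standard masters file layout; the IP 203.0.113.10 and the name smartcenter.example.com are placeholders.

```shell
#!/bin/sh
# Constructed sample of a gateway masters file: one address per line under
# each section.  The public IP is a placeholder, not a real management server.
MASTERS_SAMPLE='[Policy]
203.0.113.10
[Log]
203.0.113.10'

# Constructed hosts-file content: SmartCenter name mapped to its public IP.
HOSTS_SAMPLE='127.0.0.1 localhost
203.0.113.10 smartcenter.example.com'

# Print the first address listed under a section of a masters file.
masters_addr() {  # $1 = section name, $2 = masters content
    printf '%s\n' "$2" | awk -v sec="[$1]" '
        $0 == sec { grab = 1; next }
        /^\[/     { grab = 0 }
        grab && NF { print $1; exit }'
}

# Resolve a name (or pass an IP straight through) via hosts-style content.
hosts_addr() {  # $1 = name or IP, $2 = hosts content
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n { print $1; exit }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# Succeed only when the policy and log masters both match the address the
# gateway resolves for the SmartCenter; otherwise the gateway will still try
# to reach an address it cannot route to (the symptom described above).
check_masters() {  # $1 = masters content, $2 = hosts content, $3 = SC name
    sc=$(hosts_addr "$3" "$2")
    pol=$(masters_addr Policy "$1")
    log=$(masters_addr Log "$1")
    [ -n "$sc" ] && [ "$pol" = "$sc" ] && [ "$log" = "$sc" ]
}

if check_masters "$MASTERS_SAMPLE" "$HOSTS_SAMPLE" smartcenter.example.com; then
    echo "masters and hosts agree; fetch with: fw fetch $(masters_addr Policy "$MASTERS_SAMPLE")"
else
    echo "mismatch: masters file and hosts entry disagree on the SmartCenter address" >&2
fi
```

Remember that the gateway only consults this file once its object in SmartDashboard is set to use local masters definitions, as the post above notes.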

abusharif
2010-11-27, 08:29
Correct as usual :)

I just feel the urge to ventilate some thoughts regarding this.
NAT on SC object is useless (as we all know) so depending on setup you always end up hacking masters file or creating "dummy" smartcenter objects, which quite frankly sucks. You end up with loads of crap in Smartview monitor, Audit logs because of this, non centralized "hacks" etc.
And also running SC HA is crap since it will always try all SC objects, causing both delay due to timeout and crap information in logs.
I hope one day the "NAT" function will actually work as it's supposed to (at least in my head).
Most of the issues can be corrected with some nice manual NAT-ing, unless you use implied rules for CP communications (which is popular nowadays).

member054
2010-11-29, 09:42
Thanks for your comments.

Our CES partner investigated for a few hours this morning to confirm the issue. They ran through the SK articles you've mentioned about dummy SC's, manual hosts entries etc, which I'd also already tried before posting.

The issue still stands so it's being logged with CP...

Thorpuse
2010-11-30, 03:55
Hacking the masters file should definitely work - you just have to remember to edit the gateway object to use local definitions for masters, otherwise it doesn't look at your local modifications.

However, I do recall a bug I found with Certificate Registration failing with SNX when the SmartCenter was behind a NATted IP. If your issue is VPN related but not policy install related, you may need to check this as well. Mind you, that bug is over 2 years old. I would hope that CP would have committed a fix for that by now, but it wouldn't be the first time they've left a known bug in the code for that long.

member054
2010-12-10, 13:47
Just thought I'd give an update for anyone looking to get an S80.

After logging this with our CES it was escalated to Check Point directly, who have duplicated the issue in their testing/labs. They also ran through the dummy SC, hosts files etc 'fixes' in our production environment without success...

Our environment is: SG82 with R71 & R71.2 SC behind an R70.20 firewall...

fedup
2011-03-02, 14:40
Did this ever get resolved? I believe I've got the same issue and Checkpoint support has been unable to resolve the issue. I can establish SIC, get topology information, but not push policy to my SG86s.

Nevidonas
2013-10-20, 14:51
So, how did you manage this problem? I think we've got the same problem.

PhoneBoy
2013-10-21, 08:06
I know there's been some work done around this in the current R75.20.26 release.
If you're still running an R71-based release, you may wish to consider upgrading.

Nevidonas
2014-02-03, 16:00
I even did upgrade to R75.20.42 but still have problems with VPN establishment.