Cannot create new site after License change

2006-09-19, 19:36
Hi everyone, I have a Checkpoint Firewall-1 VPN-1 NG FP3 box running on Windows 2000 server.
I recently had to shift IPs over to another provider because of a move.
I removed the old licenses and changed the external IP of the firewall.

Now when I try to create a new site in SecureClient/SecureRemote to the IP it doesn't work and tells me

Error: Communication to the site xxx failed

Meanwhile, attempts to establish a VPN to the DMZ and internal NIC work fine. Did something happen? What am I doing wrong?

2006-09-20, 02:01
On the firewall itself, do you see any traffic going to/from the client?

Jahk Nah Rai
2006-09-20, 04:33
When I use the Standard method, for example, the log shows FW_topo from my machine to the firewall as accepted, but no IKE response. Strangely enough, I see dropped entries for https from my machine to the firewall...

On the firewall itself, do you see any traffic going to/from the client?

2006-09-20, 05:08
https is probably Visitor Mode - is your client configured to fall back to that?

What traffic is actually occurring on your firewall, at a network level? Not what's in the logs, but what is going out on the wire?

After changing the external IP, did you restart Check Point? It's possible that it's still replying with the old IP address. What was the process you went through for changing the IP address?

Jahk Nah Rai
2006-09-20, 05:28
I'm not sure as I have not used any packet sniffers yet.
I use Office Mode, but it's possible the SecureRemote client has Visitor Mode checked off.
I read in another thread how one guy removed NAT from internal objects and got it working again.
Don't know if that will work for me.

What I did was:

Changed the NIC IPs
Removed the old licenses using the Configuration Manager
Added the new licenses
Regenerated the seed
Altered the network objects and firewall topology

Another thing I noticed was that when getting the topology of the firewall, it keeps defaulting to the DMZ's IP instead of the external IP.

2006-09-20, 05:33
So have you restarted Check Point at any point? And what's the bit about regenerating the seed? I'm not sure why you would need/want to do that.

I don't quite understand the issue with getting topology either - this doesn't change the primary IP address of the object, as I recall. Not that I ever bother with getting topology; I've never really seen the point. Better to just define it myself.

You need to learn how to look at network traffic for better Check Point troubleshooting. The logs don't tell you the whole story.

Jahk Nah Rai
2006-09-20, 05:39
Yes I have restarted the firewall after making the license change.
I wasn't sure whether I should do all that with seed regeneration. Should I sniff for traffic between the firewall and the client?

2006-09-20, 06:04
Yes. Although the traffic will be encrypted, you can still learn from traffic analysis. Look to see if the firewall is responding with the correct IP address - or responding at all, for that matter.

2006-09-20, 06:50
Update host entries if you are getting the wrong IP address.

Jahk Nah Rai
2006-09-20, 12:44
Update host entries if you are getting the wrong IP address.

Which entries are you referring to?

2006-09-20, 14:09
Most likely dbedit's referring to windows\system32\drivers\etc\hosts having the correct IP/hostname on your firewall.

Although IIRC, Windows doesn't usually have the hostname in there. I'm not a Windows admin though, and can't see the point in running it as a firewall.

Any luck with getting some network traces?

Jahk Nah Rai
2006-09-20, 14:20
No but I fixed it. I searched the forums here and there was another guy who had experienced the same issues.
As it turns out, one internal IP was statically (and erroneously) NAT'd to the external NIC of the firewall. That was the problem! Topology and IKE traffic were basically falling into a black hole!
I removed that and everything worked!
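The root cause in the post above is a static NAT rule whose translated address is the gateway's own external interface: inbound IKE (UDP 500) and topology download (FW1_topo, TCP 264) addressed to the firewall get destination-translated to the internal host and never reach the gateway's own daemons. The following is an added example, not code from the thread or from Check Point: a small rule-base lint that flags static NAT translations colliding with a gateway interface address and shows where an inbound packet to the external IP would end up. The addresses, rule names and the simplified "first matching static rule wins" model are assumptions for illustration (RFC 5737 documentation ranges), not the product's actual NAT evaluation order.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class StaticNat:
    """Automatic static NAT as a pair: real (internal) address <-> translated (public) address."""
    name: str
    internal_ip: IPv4Address
    translated_ip: IPv4Address


# Constructed example data (hypothetical addresses, not from the thread).
GATEWAY_IFACES = {
    "external": IPv4Address("203.0.113.10"),
    "dmz": IPv4Address("192.0.2.1"),
    "internal": IPv4Address("10.0.0.1"),
}

NAT_RULES = [
    # Legitimate: DMZ web server published on its own public address.
    StaticNat("web-dmz", IPv4Address("192.0.2.20"), IPv4Address("203.0.113.20")),
    # The mistake from the thread: an internal host statically NATed to the
    # firewall's *external interface* address (hypothetical rule name).
    StaticNat("mail-stale", IPv4Address("10.0.0.25"), IPv4Address("203.0.113.10")),
]

# Services a remote-access client sends to the gateway itself.
GATEWAY_SERVICES = {
    ("udp", 500): "IKE",
    ("udp", 4500): "IKE NAT-T",
    ("tcp", 264): "FW1_topo",
    ("tcp", 443): "Visitor Mode",
}


def find_collisions(rules, ifaces):
    """Return (rule name, interface name) for every static NAT whose translated
    address is one of the gateway's own interface addresses."""
    return [
        (rule.name, iface_name)
        for rule in rules
        for iface_name, iface_ip in ifaces.items()
        if rule.translated_ip == iface_ip
    ]


def inbound_destination(rules, dst_ip):
    """Simplified destination NAT: the first static rule whose translated
    address matches the packet's destination wins; otherwise no translation."""
    for rule in rules:
        if rule.translated_ip == dst_ip:
            return rule.internal_ip
    return dst_ip


def explain_inbound(rules, ifaces, proto, port):
    """Describe where a client packet aimed at the external interface ends up."""
    ext = ifaces["external"]
    svc = GATEWAY_SERVICES.get((proto, port), f"{proto}/{port}")
    dst = inbound_destination(rules, ext)
    if dst != ext:
        return f"{svc} to {ext} is translated to {dst}; the gateway's own daemon never sees it"
    return f"{svc} to {ext} is delivered to the gateway itself"


def without_rule(rules, name):
    """The fix from the thread: drop the offending static NAT rule."""
    return [rule for rule in rules if rule.name != name]


if __name__ == "__main__":
    for rule_name, iface in find_collisions(NAT_RULES, GATEWAY_IFACES):
        print(f"COLLISION: static NAT '{rule_name}' translates to the {iface} interface address")
    for (proto, port) in GATEWAY_SERVICES:
        print("before:", explain_inbound(NAT_RULES, GATEWAY_IFACES, proto, port))
    fixed = without_rule(NAT_RULES, "mail-stale")
    for (proto, port) in GATEWAY_SERVICES:
        print("after: ", explain_inbound(fixed, GATEWAY_IFACES, proto, port))
```

Run it against your own interface list and static NAT objects before changing an external address: a translated address equal to any gateway interface is exactly the black hole described in the thread, and it will not show up as a drop in the firewall log because the packets are accepted and forwarded elsewhere.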

2006-09-20, 14:34
Enforcement module (FW). Maybe old entries in C:\WINDOWS\system32\drivers\etc\hosts.