CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: a very strange issue today

  1. #1
    Join Date
    2006-09-26
    Posts
    3,164
    Rep Power
    16

    Default a very strange issue today

    I am running Provider-1 R77.30 with JHFA205 on Open Servers and it's been running fine for over 18 months.

    Today, when I log in to the P-1 via the Dashboard, it prompts me for a new Fingerprint and asks me to accept it.

    I have an automated process where I copy the mds_backup of the production P-1 and move it into my lab environment where I can verify that everything is OK every three days. In the lab environment, it also asked me for a new fingerprint when I log into P-1 on the lab side. NO CHANGE ON THE PRODUCTION FOR THE PAST 18 MONTHS.

    Can anyone explain why it behaves this way?

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    265
    Rep Power
    12

    Default Re: a very strange issue today

    Did the fingerprint actually change, or is it just prompting you to accept the same fingerprint again? If the latter, it could be some kind of client-side issue. If the former, maybe something caused your ICA to be reissued.

    What do the validity dates look like on the ICA?
    Zimmie

  3. #3
    Join Date
    2006-09-26
    Posts
    3,164
    Rep Power
    16

    Default Re: a very strange issue today

    Quote Originally Posted by Bob_Zimmerman View Post
    Did the fingerprint actually change, or is it just prompting you to accept the same fingerprint again? If the latter, it could be some kind of client-side issue. If the former, maybe something caused your ICA to be reissued.

    What do the validity dates look like on the ICA?

    Yes, the fingerprint actually changes. The validity dates look the same.

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    265
    Rep Power
    12

    Default Re: a very strange issue today

    Is there anything interesting in the $CPDIR/log/cpd.elg? It records a lot of ICA operations regardless of whether debugging is enabled.
    Zimmie

  5. #5
    Join Date
    2006-09-26
    Posts
    3,164
    Rep Power
    16

    Default Re: a very strange issue today

    Quote Originally Posted by Bob_Zimmerman View Post
    Is there anything interesting in the $CPDIR/log/cpd.elg? It records a lot of ICA operations regardless of whether debugging is enabled.
    This is what I am seeing in the log, among other things. It is definitely related to the fingerprint. I think the cert gets regenerated.

    [CPD 23194 2013005504]@p1[18 Jul 12:44:16] certificate not before : Sat Nov 1 14:09:36 2014
    [CPD 23194 2013005504]@p1[18 Jul 12:44:16] certificate not after : Fri Nov 1 14:09:36 2019
    [CPD 11739 2012559040]@p1[20 Jul 10:58:36] SIC certificate read successfully
    [CPD 11739 2012559040]@p1[20 Jul 10:58:36] SIC certificate renewal time:
    [CPD 11739 2012559040]@p1[20 Jul 10:58:36] certificate not before : Sat Nov 1 14:09:36 2014
    [CPD 11739 2012559040]@p1[20 Jul 10:58:36] certificate not after : Fri Nov 1 14:09:36 2019
    [CPD 27975 2012489408]@p1[22 Jul 20:57:39] SIC certificate read successfully
    [CPD 27975 2012489408]@p1[22 Jul 20:57:40] SIC certificate renewal time:
    [CPD 27975 2012489408]@p1[22 Jul 20:57:40] certificate not before : Sat Nov 1 14:09:36 2014
    [CPD 27975 2012489408]@p1[22 Jul 20:57:40] certificate not after : Fri Nov 1 14:09:36 2019
    [CPD 27472 2012321472]@p1[25 Jul 13:06:56] SIC certificate read successfully
    [CPD 27472 2012321472]@p1[25 Jul 13:06:56] SIC certificate renewal time:
    [CPD 27472 2012321472]@p1[25 Jul 13:06:56] certificate not before : Sat Nov 1 14:09:36 2014
    [CPD 27472 2012321472]@p1[25 Jul 13:06:56] certificate not after : Fri Nov 1 14:09:36 2019
    [CPD 18981 2012939968]@p1[27 Jul 13:08:03] SIC certificate read successfully
    [CPD 18981 2012939968]@p1[27 Jul 13:08:03] SIC certificate renewal time:
    [CPD 18981 2012939968]@p1[27 Jul 13:08:03] certificate not before : Sat Nov 1 14:09:36 2014
    [CPD 18981 2012939968]@p1[27 Jul 13:08:03] certificate not after : Fri Nov 1 14:09:36 2019
    [CPD 29137 2013066944]@p1[30 Jul 10:42:21] SIC certificate read successfully
    [CPD 29137 2013066944]@p1[30 Jul 10:42:21] SIC certificate renewal time:
    [CPD 29137 2013066944]@p1[30 Jul 10:42:21] certificate not before : Sat Nov 1 14:09:36 2014
    [CPD 29137 2013066944]@p1[30 Jul 10:42:21] certificate not after : Fri Nov 1 14:09:36 2019
    [CPD 21080 2012538560]@p1[1 Aug 10:54:57] SIC certificate read successfully
    [CPD 21080 2012538560]@p1[1 Aug 10:54:57] SIC certificate renewal time:
    [CPD 21080 2012538560]@p1[1 Aug 10:54:57] certificate not before : Sat Nov 1 14:09:36 2014
    [CPD 21080 2012538560]@p1[1 Aug 10:54:57] certificate not after : Fri Nov 1 14:09:36 2019
    [CPD 21080 2012538560]@p1[2 Aug 2:09:36] SIC certificate renewal time:
    [CPD 21080 2012538560]@p1[2 Aug 2:09:36] certificate not before : Sat Nov 1 14:09:36 2014
    [CPD 21080 2012538560]@p1[2 Aug 2:09:36] certificate not after : Fri Nov 1 14:09:36 2019
    [CPD 21080 2012538560]@p1[2 Aug 2:09:37] SIC certificate read successfully
    [CPD 21080 2012538560]@p1[2 Aug 2:09:37] SIC certificate renewal time:
    [CPD 21080 2012538560]@p1[2 Aug 2:09:37] certificate not before : Wed Aug 1 02:09:37 2018
    [CPD 21080 2012538560]@p1[2 Aug 2:09:37] certificate not after : Tue Aug 1 02:09:37 2023
    [CPD 14581 2012292800]@p1[3 Aug 11:45:22] SIC certificate read successfully
    [CPD 14581 2012292800]@p1[3 Aug 11:45:22] SIC certificate renewal time:
    [CPD 14581 2012292800]@p1[3 Aug 11:45:22] certificate not before : Wed Aug 1 02:09:37 2018
    [CPD 14581 2012292800]@p1[3 Aug 11:45:22] certificate not after : Tue Aug 1 02:09:37 2023

  6. #6
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    265
    Rep Power
    12

    Default Re: a very strange issue today

    Ah. Yeah. That's exactly what happened. When the ICA gets to a certain percentage of its lifespan, it tries to renew itself to prevent hard expiration. Looks like it happens a little before 80%.

    This does remind me, though. I hope Check Point switches to a platform with 64-bit time_t before too much longer. 2038 is coming up quickly, and the ICA signs itself for several years.
    Zimmie
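
Added example, not part of the thread and not Check Point code: a small detector that walks cpd.elg-style lines like those in post #5, flags the point where the logged validity window changes, and computes how much of the old certificate's lifetime had elapsed. The function name is hypothetical; it assumes the caller supplies the log year (cpd.elg timestamps carry none) and that log and certificate times are in the same zone.

```python
import re
from datetime import datetime

# Constructed sample: lines taken from the cpd.elg excerpt in post #5.
SAMPLE = """\
[CPD 21080 2012538560]@p1[1 Aug 10:54:57] SIC certificate read successfully
[CPD 21080 2012538560]@p1[1 Aug 10:54:57] certificate not before : Sat Nov 1 14:09:36 2014
[CPD 21080 2012538560]@p1[1 Aug 10:54:57] certificate not after : Fri Nov 1 14:09:36 2019
[CPD 21080 2012538560]@p1[2 Aug 2:09:36] certificate not before : Sat Nov 1 14:09:36 2014
[CPD 21080 2012538560]@p1[2 Aug 2:09:36] certificate not after : Fri Nov 1 14:09:36 2019
[CPD 21080 2012538560]@p1[2 Aug 2:09:37] certificate not before : Wed Aug 1 02:09:37 2018
[CPD 21080 2012538560]@p1[2 Aug 2:09:37] certificate not after : Tue Aug 1 02:09:37 2023
"""

# Captures: log timestamp, which bound ("before"/"after"), the bound's value.
LINE = re.compile(
    r"\]@\S+\[(\d+ \w+ [\d:]+)\] certificate not (before|after) : (.+)$"
)
CERT_FMT = "%a %b %d %H:%M:%S %Y"


def find_renewals(text, log_year):
    """Return one dict per change of the logged validity window."""
    renewals, current, pending = [], None, {}
    for raw in text.splitlines():
        m = LINE.search(raw.strip())
        if not m:
            continue  # unrelated cpd.elg line
        stamp, which, value = m.groups()
        pending[which] = datetime.strptime(value.strip(), CERT_FMT)
        if which != "after" or "before" not in pending:
            continue  # wait until both bounds of the pair are read
        window = (pending["before"], pending["after"])
        pending = {}
        if current and window != current:
            # Assumption: the log year is supplied by the caller.
            seen = datetime.strptime(f"{stamp} {log_year}", "%d %b %H:%M:%S %Y")
            used = (seen - current[0]) / (current[1] - current[0])
            renewals.append({"seen": seen, "old": current, "new": window,
                             "lifetime_used": round(used, 4)})
        current = window
    return renewals


if __name__ == "__main__":
    for r in find_renewals(SAMPLE, 2018):
        print(r["seen"], "window changed at", r["lifetime_used"], "of old lifetime")
```

On the excerpt this reports a single change on 2 Aug at 0.75 of the old certificate's lifetime. Alerting on such a change ahead of time lets administrators expect the new fingerprint prompt instead of being surprised by it.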

  7. #7
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    265
    Rep Power
    12

    Default Re: a very strange issue today

    In a stunning show of happenstance, one of my SmartCenters decided to renew its ICA over the weekend. Same behavior.
    Zimmie
