obsidiman asked:
"Connection cannot be initiated" error when trying to connect to a smartcenter server.

I cannot connect from my client PC with SmartCenter software installed, e.g. Dashboard, to my Checkpoint management server. I get an error of "connection cannot be initiated. Make sure the Server x.x.x.x is up and running".

I have been connecting just fine for around 3 years, then about a month ago it stopped working. So what changed? Well, I did upgrade the client from W2K Server to W2003. But I did manage to connect OK immediately after the upgrade, but now cannot. I have reinstalled the SmartDashboard software on that client machine and also on another and still cannot connect to the SmartCenter server. And yes, I have ensured that cpconfig has the correct IP addresses configured in it. Double checked.

The SmartCenter server runs on an IP330 with NG FP3 installed. I am a little concerned as I cannot alter or view anything on the SmartCenter server... Help!
Dooglave

Does it have a firewall installed on it? Or just SmartCenter Server?

Can you Ping it from your GUI Client and from your GUI Client to the Server?

Did you double check that you are defined as a GUI Client?

Look in your log file and see what it says about your login attempts: $FWDIR/log/fwm.elg
obsidiman (asker)

The clients do not have FW installed on them. Just the SmartCenter server.
Yes, I can see the server, can scp to it.
Yes, as stated, double checked that the GUI client is defined.
Log file interesting. There are many, many entries saying basically the following:

[FWM 9500]@UK-FW-01.UK.CADOMAIN.LOCAL fwm: Thu Apr 26 12:27:22 2007

 Another manager is running

So, I think that this may be the source of the problem.  Don't know how to fix though.  Can you tell me what to stop?
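The fwm.elg entries quoted in this post have a regular shape: a header line with the process name, PID, host and timestamp, then the message on the following non-blank line. The script below is an added example, not code from the thread or from Check Point, that parses such entries into records and tallies the distinct messages so that the repeated "Another manager is running" lines can be separated from anything else in the file. The sample text is constructed from the quoted entry; the third message is a placeholder, not real log output.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape quoted in the thread. The host name is the
# one shown in the post; the third message is a placeholder, not real output.
SAMPLE_FWM_ELG = """\
[FWM 9500]@UK-FW-01.UK.CADOMAIN.LOCAL fwm: Thu Apr 26 12:27:22 2007

 Another manager is running

[FWM 9500]@UK-FW-01.UK.CADOMAIN.LOCAL fwm: Thu Apr 26 12:27:25 2007

 Another manager is running

[FWM 9500]@UK-FW-01.UK.CADOMAIN.LOCAL fwm: Thu Apr 26 12:28:01 2007

 placeholder: some other fwm message
"""

# Header line: "[PROC PID]@host fwm: <ctime-style timestamp>"
HEADER_RE = re.compile(
    r"^\[(?P<proc>[A-Z]+) (?P<pid>\d+)\]@(?P<host>\S+) fwm: (?P<ts>.+?)\s*$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Thu Apr 26 12:27:22 2007"


def parse_fwm_elg(text):
    """Split fwm.elg text into records: process, pid, host, timestamp, message.

    Non-blank lines following a header are joined into that record's message
    until the next header appears.
    """
    records = []
    current = None
    for line in text.splitlines():
        match = HEADER_RE.match(line)
        if match:
            current = {
                "process": match.group("proc"),
                "pid": int(match.group("pid")),
                "host": match.group("host"),
                "timestamp": datetime.strptime(match.group("ts"), TS_FORMAT),
                "message": "",
            }
            records.append(current)
        elif current is not None and line.strip():
            current["message"] = (current["message"] + " " + line.strip()).strip()
    return records


def summarize(records):
    """Count how often each distinct message appears."""
    return Counter(record["message"] for record in records)


def newest(records):
    """Return the most recent record, or None for an empty list."""
    return max(records, key=lambda r: r["timestamp"]) if records else None


if __name__ == "__main__":
    parsed = parse_fwm_elg(SAMPLE_FWM_ELG)
    for message, count in summarize(parsed).most_common():
        print(f"{count:5d}  {message}")
    last = newest(parsed)
    print("latest entry:", last["timestamp"], "on", last["host"])
```

Running it against a real fwm.elg (read the file and pass its contents to parse_fwm_elg) gives a quick view of which messages dominate and when the last entry was written, which is what you want before deciding whether a repeated line is noise or the actual failure.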
Ignore this, "Another manager is running"

That's not the problem.

Can you put the file on a ftp server or something?
Sorry for the delay, Dooglave. I do not have a handy FTP server to post the file onto, but could email it to you if you want (though it is almost exclusively the same error message repeated). Can you give me an email address to use?
Hi

Check the time and date on the client and on the Checkpoint SmartCenter box.

I believe the time is off on the IP330 by around 45 minutes.  If you think this could be an issue, how can you set it via the command prompt?
Hi.

The sysconfig command, or the date command, but I prefer sysconfig.

The sysconfig command doesn't work (match not found) and date is tricky.

I get this output from hitting date -h:

date: illegal option -- h
usage: date [-nu] [-d dst] [-r seconds] [-t west] [+format]
            [yy[mm[dd[hh]]]]mm[.ss]]

Any suggestion on how to phrase the command to set the time? I didn't want to just go ahead with some trial and error, and couldn't find any suggestions on the web for the date command that uses this format.

Thanks
I changed it in voyager, but still no joy.  Any other suggestions?
I had the same issue with R55 NG w/AI, and it was corrected with cpstop/cpstart. After this the SIC was changed and SmartDashboard wanted me to either reject or accept the new SIC. This is by design if you check it with Checkpoint.

According to the Checkpoint article, the internal certificate was past 75% of its lifetime or it was corrupted. Other reasons for it to change are licensing changes and the IP address or object name of the SmartCenter server being changed.
OK, will book some downtime to try it out. Will let you know how it turns out.
OK, that didn't work, BUT I found out something interesting. While it was restarting it says something like:
Installing Security Policy policy-name on all.all@fwname.subdomain.domain.LOCAL

where fwname = name of firewall, subdomain = name of subdomain, and domain = well, you get the idea. Now, the subdomain doesn't exist any more; in fact this has been a problem since removing the subdomain... which I guess is a major clue. But how to fix? I tried a cpconfig and changing the certificate to reflect the FQDN, but that didn't work.

Basically, my guess is that it still thinks it can only be talked to by a machine on the old network (which is gone, gone, gone, not coming back, no way), so I need it to realise that it is now on the new network, i.e. domain.local, not subdomain.domain.local. But how? Any clues?
Mine doesn't bother with the domain part, but tells me it is installing to gw.local. All in all it just installs to a firewall object configured in SmartDashboard. And that name can be anything, even not resolvable. Anyway, the configured management stations can be given as IP addresses or names; how have you configured them in cpconfig? And if you are using names, do they resolve at the DNS server your FW is using?

And related to your information about fwname.subdomain.domain.local: what is the name of your FW object in SmartDashboard? Is it just fwname or does it include the domain?

If the SIC is correct and the management station is configured correctly in cpconfig, the next guess would be a rule in the rulebase which still prevents anything from connecting to your FW. Control connections can be enabled in global properties (I'm not sure I remember this correctly) and in the rulebase. If they are not enabled in properties, it might be that your connection is blocked by the FW itself. This can be verified with the telnet command to the port answering SmartDashboard calls. If it is open to your IP, telnet lets you enter something on the screen before dropping the connection.
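The telnet check suggested here distinguishes three outcomes: the connection is accepted (port open, so no rule is dropping it), a reset comes back (host reachable but nothing listening), or nothing comes back at all (typically dropped by a rule). The script below is an added example, not code from the thread or from Check Point, that performs the same classification from a client and reports which case applies. The port number 18190 is the one named later in the thread; the local listener is only a constructed stand-in so the probe can be exercised offline.

```python
import socket
import threading
import time

# Port the thread identifies for SmartDashboard (CPMI) connections to the SmartCenter server.
CPMI_PORT = 18190


def probe_management_port(host, port=CPMI_PORT, timeout=5.0):
    """Classify a TCP connect attempt to the management port.

    Returns one of:
      "open"             - accepted and the server sits silently
                           (the blank-screen telnet result described in the thread)
      "open-then-closed" - accepted, then closed by the server without sending data
      "open-banner"      - accepted and the server sent data first
      "refused"          - a reset came back: host reachable, nothing listening
      "filtered"         - no answer before the timeout: typically dropped by a rule
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(64)
            except socket.timeout:
                return "open"
            return "open-then-closed" if data == b"" else "open-banner"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"


def start_local_listener(mode, hold_seconds=3.0):
    """Constructed stand-in server on 127.0.0.1 for trying the probe offline.

    mode "silent": accept one connection and hold it open without sending anything.
    mode "close":  accept one connection and close it immediately.
    Returns the ephemeral port the listener is bound to.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]

    def serve():
        conn, _ = server.accept()
        with conn:
            if mode == "silent":
                time.sleep(hold_seconds)
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port():
    """Bind and release an ephemeral port so a connect to it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration against the constructed listener; replace the host
    # and port with the SmartCenter server's address to run the real check.
    demo_port = start_local_listener("silent")
    print("silent listener:", probe_management_port("127.0.0.1", demo_port, timeout=1.0))
    print("nothing listening:", probe_management_port("127.0.0.1", unused_local_port(), timeout=1.0))
```

A "filtered" verdict from the client while the same probe from the server itself reports "open" points at a rule or an intermediate device rather than at the SmartCenter process, which is the distinction this post is drawing.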
The management clients are IP addresses.
I can't remember what the name is in SmartDashboard, but I think it is just fwname. Could easily be wrong here.
Any idea what the port would be to answer SmartDashboard calls? A quick look in Google didn't tell me the likely port number.
The port seems to be 18190, sorry that I forgot to mention that.
Yep, the telnet connected. Got about 5-6 seconds of blank screen, as a usual successful telnet to a port number would give.
So the port is open. Can you create a new SecuRemote site on some client to verify that the SIC is as before? I think that it showed it in the creation part, but I'm not sure.
Hi Sohannin, not sure exactly what you mean. We use SecuRemote to connect in to the FW on our clients from the outside world, but that is not what you mean, is it?
ASKER CERTIFIED SOLUTION
sohannin (Finland)
Sohannin, I have resolved this! I simply rebooted after taking a backup. This also fixed a couple of other weird things, like chmod not working even though it was in my path (I had to explicitly tell it where to run from when I needed to access it). So, it may well have been to do with the internal certificate and general fuzziness on the part of the FW.

I shall award you points as you were most helpful in narrowing down the possibilities, staying through thick and thin, and probably being on the right track with the SIC.  Thanks, Pete.
Thanks for telling your solution, since that wasn't part of my list. I hope someone else will benefit from these experiments.
OK, I'm having the same problem as obsidiman, but the SIC was not renewed and it will not be for 3 years
from what I can tell.

I have the SmartCenter server installed on a Win2k3 and a Nokia IP265; I'm trying to connect to the server from itself.
And another question: this equipment is inherited from my predecessor and I don't know how it was installed. Is there a possibility to change the management IP? Because on my license it says that the management IP is 172.16.1.1 and I have this SmartCenter installed and licensed to 172.16.1.6.

> OK, I'm having the same problem as obsidiman, but the SIC was not renewed and it will not be for 3 years
> from what I can tell.

It can still be corrupted, as is stated above. Or else your SmartCenter server is not allowed to connect to the firewall.

> I have the SmartCenter server installed on a Win2k3 and a Nokia IP265; I'm trying to connect to the
> server from itself.

You are trying to connect to the management station which is on W2k3? The Nokia is just running the enforcement module? Just to clarify things.

> installed. Is there a possibility to change the management IP? Because on my license it says that the
> management IP is 172.16.1.1 and I have this SmartCenter installed and licensed to 172.16.1.6.

If I remember correctly, only the enforcement module is licensed to an IP address. I could have installed my SmartCenter client and server to any IP address I wanted, if just the access control list of the gateway itself is correct. What are the IPs of the Nokia?
Module IP:         172.16.1.1
Version:           NGX
Expiration Date:   31-DEC-9999
Management IP:     172.16.1.1
Version:           NGX
Expiration Date:   31-DEC-9999
 
And I have the SmartCenter server and client on a 2k3 with IP 172.16.1.6, which is also a PDC, and on the PDC
at cpconfig the SKU is the same as the one from the management IP, but for 172.16.1.6.

If I telnet to 172.16.1.6 on 18190 it is OK, and the SmartCenter server I checked is OK, but still "Connection cannot be initiated".