Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5877
  • Last Modified:

Checkpoint Firewall Manager and FW (SPLAT) SIC error

hello all,

When I am trying to apply a policy to firewall members, it fails. I believe it is due to SIC problem. When a communication SIC test is undertaken I receive the following message:

"SIC Status for SAUSFW01: Not Communicating
Internal SSL authentication error [ Certificate expired]"

Do i need to a new certificate? or there something else that might be causing this problem?

thanks
0
sheepsheep
Asked:
sheepsheep
  • 2
  • 2
1 Solution
 
deimarkCommented:
Which node is giving the SSL cert error?  Is it the firewall or the management server?

If its the firewall and you are using a full public SSL cert (ie from comodo etc) then renew the cert via the providers means.

If not, then you should be able to renew the GW cert via dashboard by going to :

VPN > Certs > click on the VPN cert and select "renew".

This should renew the cert with the ICA on the smartcentre and the error "should" go away.

If it does not, then you will need to reset SOC between firewall and management server as follows:

1.  On firewall, run cpconfig, sleect SIC
2.  Jump through the hoops to reset sic and set a new one time password

NOTE : This will kill all comms with the management server but will NOT stop processing traffic!!!!

3.  ON smartcentre dashboard, select the GW object and click on the communications button.
4.  In resulting window, click reset.
5.  Enter the OTP as set in 2
6.  If all goes well, they will be communication.

I always test the connection again, just to make sure.

Once they are all talking, you should be able to push policy
0
 
sheepsheepAuthor Commented:
Thanks Delmark.

I am assuming it is the firewall member(s)? - after I log into SMARTDashboard and click on the firewall member > properties > Communication > Test SIC , I receive this error. How can I tell if it is the firewall or manager?

How might I view the firewall and manager certifications to check the expiration dates and signing authority?
0
 
deimarkCommented:
OK, thats a bit more info :P

If its the gateway object you see the SIC error, then its the GW thats at fault here.

SIC is normally related to an internally generated certificate from the ICA on the management server (the management server is the one that you connect to using smartdashboard

Note, the management system can ALSO be installed on the firewall.  These installs are called standalone, ie all the systems you need to run the set up is on one box

On the GW object VPN tab, this should list all the certs as issued.  CP can only have one cert per CA, so I assume that you should have 2 listed there.

The defaultcert as issued by the ICA and a full SSL cert as issued by comodo, geotrust etc.

If you click on "view cert" while highlighting one, it will open up and give you all the details you need re expiry etc

Let me know how that goes
0
 
sheepsheepAuthor Commented:
Thanks Deimark. A  reset of SOC between firewall and management server was needed. Issue resolved.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now