Checkpoint Firewall Manager and FW (SPLAT) SIC error

Posted on 2008-09-30
Last Modified: 2013-11-16
Hello all,

When I am trying to apply a policy to firewall members, it fails. I believe it is due to a SIC problem. When a communication SIC test is undertaken I receive the following message:

"SIC Status for SAUSFW01: Not Communicating
Internal SSL authentication error [ Certificate expired]"

Do I need a new certificate? Or is there something else that might be causing this problem?

thanks
Question by:sheepsheep
LVL 18

Accepted Solution

by:
deimark earned 750 total points
ID: 22612441
Which node is giving the SSL cert error?  Is it the firewall or the management server?

If it's the firewall and you are using a full public SSL cert (i.e. from Comodo etc.) then renew the cert via the provider's means.

If not, then you should be able to renew the GW cert via dashboard by going to:

VPN > Certs > click on the VPN cert and select "renew".

This should renew the cert with the ICA on the smartcentre and the error "should" go away.

If it does not, then you will need to reset SIC between firewall and management server as follows:

1.  On firewall, run cpconfig, select SIC
2.  Jump through the hoops to reset sic and set a new one time password

NOTE : This will kill all comms with the management server but will NOT stop processing traffic!!!!

3.  On smartcentre dashboard, select the GW object and click on the communications button.
4.  In resulting window, click reset.
5.  Enter the OTP as set in 2
6.  If all goes well, they will be communicating.

I always test the connection again, just to make sure.

Once they are all talking, you should be able to push policy.
 

Author Comment

by:sheepsheep
ID: 22612926
Thanks Deimark.

I am assuming it is the firewall member(s)? - after I log into SMARTDashboard and click on the firewall member > properties > Communication > Test SIC , I receive this error. How can I tell if it is the firewall or manager?

How might I view the firewall and manager certifications to check the expiration dates and signing authority?
 
LVL 18

Expert Comment

by:deimark
ID: 22613219
OK, that's a bit more info :P

If it's the gateway object where you see the SIC error, then it's the GW that's at fault here.

SIC is normally related to an internally generated certificate from the ICA on the management server (the management server is the one that you connect to using smartdashboard).

Note, the management system can ALSO be installed on the firewall.  These installs are called standalone, i.e. all the systems you need to run the set up are on one box.

On the GW object VPN tab, this should list all the certs as issued.  CP can only have one cert per CA, so I assume that you should have 2 listed there.

The defaultcert as issued by the ICA and a full SSL cert as issued by comodo, geotrust etc.

If you click on "view cert" while highlighting one, it will open up and give you all the details you need re expiry etc.

Let me know how that goes
 

Author Closing Comment

by:sheepsheep
ID: 31501832
Thanks Deimark. A reset of SIC between firewall and management server was needed. Issue resolved.