https://community.checkpoint.com/t5/General-Topics/SIC-not-automatically-renewing-certificate-in-VSX/m-p/258583#M43681 <P>Thanks PhoneBoy, that looks promising, I will try out the commands to adjust the IP on the standby and see how I get on.</P><P><EM>[Expert@FW-01:0]# vsenv 2</EM><BR /><EM>Context is set to Virtual Device (ID 2).</EM><BR /><EM>[Expert@FW-01:2]# grep -i icaip $CPDIR/registry/HKLM_registry.data</EM><BR /><EM>:ICAip (10.253.253.254) <STRONG>INCORRECT</STRONG></EM><BR /><EM>[Expert@FW-01:2]# vsenv 3</EM><BR /><EM>Context is set to Virtual Device (ID 3).</EM><BR /><EM>[Expert@FW-01:3]# grep -i icaip $CPDIR/registry/HKLM_registry.data</EM><BR /><EM>:ICAip (10.253.253.254)&nbsp;<STRONG>INCORRECT</STRONG></EM><BR /><EM>[Expert@FW-01:3]# vsenv 4</EM><BR /><EM>Context is set to Virtual Device (ID 4).</EM><BR /><EM>[Expert@FW-01:4]# grep -i icaip $CPDIR/registry/HKLM_registry.data</EM><BR /><EM>:ICAip (10.253.253.254)&nbsp;<STRONG>INCORRECT</STRONG></EM><BR /><EM>[Expert@FW-01:4]# vsenv 6</EM><BR /><EM>Context is set to Virtual Device (ID 6).</EM><BR /><EM>[Expert@FW-01:6]# grep -i icaip $CPDIR/registry/HKLM_registry.data</EM><BR /><EM>:ICAip (172.x.x.30)&nbsp;<STRONG>CORRECT</STRONG></EM></P> Tue, 30 Sep 2025 15:11:24 GMT P_Williams 2025-09-30T15:11:24Z https://community.checkpoint.com/t5/General-Topics/SIC-not-automatically-renewing-certificate-in-VSX/m-p/258541#M43675 <P>Hi,</P><P>We have a VSX Cluster that was built nearly 5 years ago and the SIC certificates are expiring in 2026 and in googling how to renew these certificates its becoming clear that it should have done these automatically. I found SK164255 which speaks about SIC not renewing automatically and I found the logs on the firewall</P><P><EM>[CPD 108554 4133026112]@Our-FIREWALL-01[9 Jun 20:48:04] Renew_SIC_Cert_cb: CPD failed to renew sic certificate. status = 3, rc - -1.</EM></P><P>In the SK it lists three ports that are used in the process</P><UL><LI>ICA_PULL (port 18210)</LI><LI>ICA_PUSH (port 18211)</LI><LI>ICA_SERVICES (port 18191)</LI></UL><P>And when I looked in the logs for port 18191 I can see that the firewalls are trying to communicate on that port with a host called (worryingly) 'sms-dummy' with a different IP to the SMS we use. As this was a completely new build in 2021 by a 3rd party potentially they have created the environment with a temporary SMS and then later on switched over to current SMS, but the firewalls are left trying to renew SIC to the original IP?</P><P>What are the options that open to us?</P><P>Could I NAT that traffic to the actual SMS?</P><P>Or am I going to have go through the resetting of SIC across the environment?</P><P><A href="https://support.checkpoint.com/results/sk/sk164255" target="_blank">https://support.checkpoint.com/results/sk/sk164255</A></P> Tue, 30 Sep 2025 11:12:43 GMT https://community.checkpoint.com/t5/General-Topics/SIC-not-automatically-renewing-certificate-in-VSX/m-p/258541#M43675 P_Williams 2025-09-30T11:12:43Z https://community.checkpoint.com/t5/General-Topics/SIC-not-automatically-renewing-certificate-in-VSX/m-p/258570#M43677 <P>There's an SK for this situation, it appears:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk103356" target="_blank">https://support.checkpoint.com/results/sk/sk103356</A>&nbsp;</P> Tue, 30 Sep 2025 13:49:12 GMT https://community.checkpoint.com/t5/General-Topics/SIC-not-automatically-renewing-certificate-in-VSX/m-p/258570#M43677 PhoneBoy 2025-09-30T13:49:12Z https://community.checkpoint.com/t5/General-Topics/SIC-not-automatically-renewing-certificate-in-VSX/m-p/258583#M43681 <P>Thanks PhoneBoy, that looks promising, I will try out the commands to adjust the IP on the standby and see how I get on.</P><P><EM>[Expert@FW-01:0]# vsenv 2</EM><BR /><EM>Context is set to Virtual Device (ID 2).</EM><BR /><EM>[Expert@FW-01:2]# grep -i icaip $CPDIR/registry/HKLM_registry.data</EM><BR /><EM>:ICAip (10.253.253.254) <STRONG>INCORRECT</STRONG></EM><BR /><EM>[Expert@FW-01:2]# vsenv 3</EM><BR /><EM>Context is set to Virtual Device (ID 3).</EM><BR /><EM>[Expert@FW-01:3]# grep -i icaip $CPDIR/registry/HKLM_registry.data</EM><BR /><EM>:ICAip (10.253.253.254)&nbsp;<STRONG>INCORRECT</STRONG></EM><BR /><EM>[Expert@FW-01:3]# vsenv 4</EM><BR /><EM>Context is set to Virtual Device (ID 4).</EM><BR /><EM>[Expert@FW-01:4]# grep -i icaip $CPDIR/registry/HKLM_registry.data</EM><BR /><EM>:ICAip (10.253.253.254)&nbsp;<STRONG>INCORRECT</STRONG></EM><BR /><EM>[Expert@FW-01:4]# vsenv 6</EM><BR /><EM>Context is set to Virtual Device (ID 6).</EM><BR /><EM>[Expert@FW-01:6]# grep -i icaip $CPDIR/registry/HKLM_registry.data</EM><BR /><EM>:ICAip (172.x.x.30)&nbsp;<STRONG>CORRECT</STRONG></EM></P> Tue, 30 Sep 2025 15:11:24 GMT https://community.checkpoint.com/t5/General-Topics/SIC-not-automatically-renewing-certificate-in-VSX/m-p/258583#M43681 P_Williams 2025-09-30T15:11:24Z https://community.checkpoint.com/t5/General-Topics/SIC-not-automatically-renewing-certificate-in-VSX/m-p/258660#M43695 <P>Not sure if you ever enabled below on mgmt server, but might be worth doing it.</P> <P>Andy</P> <P><A href="https://support.checkpoint.com/results/sk/sk30501" target="_blank">https://support.checkpoint.com/results/sk/sk30501</A></P> Wed, 01 Oct 2025 10:35:01 GMT https://community.checkpoint.com/t5/General-Topics/SIC-not-automatically-renewing-certificate-in-VSX/m-p/258660#M43695 the_rock 2025-10-01T10:35:01Z