topic Re: Not able to renew the defaultcert on firewall in SASE and Remote Access

Not able to renew the defaultcert on firewall

socteam_gsi — Sat, 10 Apr 2021 12:34:29 GMT

Hello ,

We are not able to renew/ view the defaultcert on the firewall .

When we are going to view the default cert we are getting attached error :

Gateway object >> IPsec VPN >> click on the defaultcert >> view

error message : Failed to read the certificate from database

When we are going to renew the default cert we are getting attached error :

Gateway object >> IPsec VPN >> click on the defaultcert >> renew >> generated keys and get internal certificate >> OK

error message : generated keys not found in the database .

We come to know this issue when tunnel was not forming between two checkpoint gateways connected on the same management server . In the logs , We were able to see that due to certificate error phase1 key not installed .

Please note that SIC is established with mgmt server and ntp working porperly .

Can someone assist me on this !!!

Re: Not able to renew the defaultcert on firewall

genisis__ — Sat, 10 Apr 2021 13:06:58 GMT

Check sk108966, sounds like a corruption in the ICA.

Re: Not able to renew the defaultcert on firewall

PhoneBoy — Sat, 10 Apr 2021 16:48:40 GMT

That sounds like ICA corruption and I’d get the TAC to assist here.

Re: Not able to renew the defaultcert on firewall

the_rock — Sun, 11 Apr 2021 04:00:02 GMT

Definitely looks like ICA corruption...I cant say for sure if sk genesis provided is any better than doing fwm sic_reset, but looks to me its what you sadly have to follow. I cant see any better options here mate, sorry...

Re: Not able to renew the defaultcert on firewall

socteam_gsi — Sun, 11 Apr 2021 13:26:01 GMT

could you please assist us on how to proceed this issue .

Since , there are 18 firewalls which are connected to same management server but we are facing only issue to single firewall hence we are suspecting this issue is more related to firewall end or certificate related issue .

Re: Not able to renew the defaultcert on firewall

PhoneBoy — Mon, 12 Apr 2021 03:46:31 GMT

This is entirely in the domain of the ICA.
It's possible TAC may have a more surgical answer than "reset the ICA."
The only thing that occurs to me to try (which may not work and involve downtime) is:

Change the gateway name and object main IP to something else.
Create a new gateway object for the gateway in question, migrating all the relevant settings.
Use "where used" to find occurrences of old gateway object and replace with new.
Reset SIC on the impacted gateway: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk86521
Push policy

Assuming that works, you can then delete the old object (hopefully).

But, like I said, I recommend engaging with the TAC.