- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Re: CA Issues on AWS R81.20 Manager
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CA Issues on AWS R81.20 Manager
I have deployed an EC2 manager from market place image in AWS. I keep running into an issue where it would appear the CA services on the host are not running. Connecting via SmartConsole errors with "Failed to download CRLs". No service appears to be listening on 18264. For example if i attempt to curl google I cannot validate TLS. The same completes if i ignore TLS errors.
The instance is deployed via terraform albeit not directly from the CheckPoint supplied template. It has been extracted but gets passed all the correct and relevant parameters. The cloud_config.log and var/log/messages indicate boot and auto config ok.
[Expert@CP-Management:0]# curl_cli https://www.google.ocm
curl: (6) Couldn't resolve host 'www.google.ocm'
[Expert@CP-Management:0]# curl_cli https://www.google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Does anyone have any suggestions?
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it the base R81.20 or with some Jumbo take applied?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No hot fixes applied. Booted straight from AMI R81.20-BYOL Management. Runs first time wizard with config from cloud-init/cloud_config
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd suggest applying the latest recommended JHF and if the problem persists consulting TAC.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agree, good point.
Best,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did this twice on aws, but mind you from actual cp template and all worked fine. Not sure, but seems the way you did it definitely differs.
Best,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To add to this I have now deployed from the CheckPoint provided TF template for management instance and run into the same error.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If thats the case, may need to open TAC case to check.
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to open more ports. Check it out here:
https://support.checkpoint.com/results/sk/sk119134
If you like this post please give a thumbs up(kudo)! 🙂
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Lesly,
I have looked at this article but it doesnt fit. Security groups for the mgmt ec2 are deployed as per template and have the 3 required ports open. Instance used to connect via SC is in the same subnet as Mgmt EC2 and has access on all ports to Mgmt host.
[Expert@mgmt-tf:0]# ss -ntlp | grep '18264\|19009\|18190'
LISTEN 0 20 *:18190 *:* users:(("fwm",pid=5517,fd=42))
LISTEN 0 5 *:18264 *:* users:(("cpca",pid=8137,fd=11))
LISTEN 0 50 *:19009 *:* users:(("java",pid=5802,fd=462))
[Expert@mgmt-tf:0]# curl_cli https://checkpoint.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.