Neetu139755
Participant
SIC error 325 on Install Policy — R82.10 Cross-AZ Cluster in AWS

Hello,

Machine: MacOS

Smart Console accessed via Browser: https://private-ip/smartconsole

P12 certificate is delivered to gateways (confirmed by file timestamp matching fwm.elg push time).
SIC trust establishes ("SIC has successfully been established" in CME log).
But Install Policy always fails: "SIC General Failure [SIC error no. 325]"
cprid_util returns NULL BUF despite P12 on gateway and cpd restarted.

Resource details:
- Management: i-049317431c69b7015 / 10.0.2.155 (R82.10-PAYG, private subnet)
- Gateway A: i-0d73aecbba3a998ad / 10.0.3.6 (R82.10-PAYG-NGTP, c6in.xlarge)
- Gateway B: i-078cc9e1b64f1c34e / 10.0.3.22 (R82.10-PAYG-NGTP, c6in.xlarge)
- SIC key: LeFWexKcPbtZO1zR
CME configured with autoprov_cfg, using x-chkp-ip-address tag for private IPs.

Logs available: fwm.elg, cpd.elg, cme.log
Instances have been retained if you need them for investigation.

==========================================
1. fwm.elg log
[Expert@mgmt-aws:0]# grep "p12" $FWDIR/log/fwm.elg | tail -50
[FWM 46310]@mgmt-aws[26 Mar 17:49:35] fwca_client_push_p12_cb: trying to send p12 to entity. IP is 3.225.56.84
[FWM 46310]@mgmt-aws[26 Mar 17:51:28] fwca_client_push_p12_cb: trying to send p12 to entity. IP is 3.225.56.84
[FWM 46310]@mgmt-aws[26 Mar 17:51:49] fwca_client_push_p12_cb: trying to send p12 to entity. IP is 34.235.246.180
[FWM 46310]@mgmt-aws[26 Mar 18:02:46] fwca_client_push_p12_cb: trying to send p12 to entity. IP is 10.0.3.4
[FWM 46310]@mgmt-aws[26 Mar 18:02:58] fwca_client_push_p12_cb: trying to send p12 to entity. IP is 10.0.3.22
[FWM 46310]@mgmt-aws[26 Mar 19:59:09] fwca_client_push_p12_cb: trying to send p12 to entity. IP is 10.0.3.6
[FWM 46310]@mgmt-aws[26 Mar 20:01:00] fwca_client_push_p12_cb: trying to send p12 to entity. IP is 10.0.3.6
[FWM 46310]@mgmt-aws[26 Mar 20:01:21] fwca_client_push_p12_cb: trying to send p12 to entity. IP is 10.0.3.22

==========================================

2. cpd.elg log
[Expert@mgmt-aws:0]# tail -30 $CPDIR/log/cpd.elg
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:32:14] cpsic_reload_crl_cb: Received message mgmt_crl_reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:32:14] cpsic_reload_crl_cb: Got message of crl reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:32:14] Reloaded crl
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:32:27] cpsic_reload_crl_cb: Received message mgmt_crl_reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:32:27] cpsic_reload_crl_cb: Got message of crl reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:32:27] Reloaded crl
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:33:12] cpsic_reload_crl_cb: Received message mgmt_crl_reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:33:12] cpsic_reload_crl_cb: Got message of crl reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:33:12] Reloaded crl
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:33:25] cpsic_reload_crl_cb: Received message mgmt_crl_reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:33:25] cpsic_reload_crl_cb: Got message of crl reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:33:25] Reloaded crl
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:34:09] cpsic_reload_crl_cb: Received message mgmt_crl_reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:34:09] cpsic_reload_crl_cb: Got message of crl reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:34:09] Reloaded crl
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:34:22] cpsic_reload_crl_cb: Received message mgmt_crl_reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:34:22] cpsic_reload_crl_cb: Got message of crl reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:34:22] Reloaded crl
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:35:07] cpsic_reload_crl_cb: Received message mgmt_crl_reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:35:07] cpsic_reload_crl_cb: Got message of crl reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:35:07] Reloaded crl
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:35:20] cpsic_reload_crl_cb: Received message mgmt_crl_reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:35:20] cpsic_reload_crl_cb: Got message of crl reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:35:20] Reloaded crl
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:36:07] cpsic_reload_crl_cb: Received message mgmt_crl_reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:36:07] cpsic_reload_crl_cb: Got message of crl reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:36:07] Reloaded crl
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:36:20] cpsic_reload_crl_cb: Received message mgmt_crl_reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:36:20] cpsic_reload_crl_cb: Got message of crl reload
[CPD 46241 4144166912]@mgmt-aws[26 Mar 20:36:20] Reloaded crl

==========================================


3. cme.log
[Expert@mgmt-aws:0]# tail -n50 /var/log/CPcme/cme.log
2026-03-26 20:33:57,627 CME_SERVICE INFO The gateways found in controller hallmark-aws are:
2026-03-26 20:33:57,627 CME_SERVICE INFO 1: hallmark-aws--i-0d73aecbba3a998ad--us-east-1
2026-03-26 20:33:57,627 CME_SERVICE INFO 2: hallmark-aws--i-078cc9e1b64f1c34e--us-east-1
2026-03-26 20:33:57,628 CME_SERVICE INFO Configuration was not complete
2026-03-26 20:33:57,628 CME_SERVICE INFO hallmark-aws--i-0d73aecbba3a998ad--us-east-1 state is changed to: UPDATING
2026-03-26 20:33:57,628 CME_SERVICE INFO SIC has successfully been established between management mgmt-aws and gateway instance hallmark-aws--i-0d73aecbba3a998ad--us-east-1
2026-03-26 20:33:57,629 CME_SERVICE INFO Resetting gateway hallmark-aws--i-0d73aecbba3a998ad--us-east-1
2026-03-26 20:33:57,704 CME_SERVICE INFO Deleting objects for gateway: hallmark-aws--i-0d73aecbba3a998ad--us-east-1
2026-03-26 20:33:57,704 CME_SERVICE INFO Deleting objects with Policy Destructor AWS Automatic Policy
2026-03-26 20:33:58,241 CME_SERVICE INFO Identity Awareness software blade was successfully unset
2026-03-26 20:33:58,343 CME_SERVICE INFO HTTPS Inspection was successfully unset
2026-03-26 20:33:58,343 CME_SERVICE INFO Gateway hallmark-aws--i-0d73aecbba3a998ad--us-east-1 is not part of a scale set.
2026-03-26 20:34:02,822 CME_SERVICE INFO Setting policy Standard on gateway hallmark-aws--i-0d73aecbba3a998ad--us-east-1
2026-03-26 20:34:11,111 CME_SERVICE INFO Resetting gateway hallmark-aws--i-0d73aecbba3a998ad--us-east-1
2026-03-26 20:34:11,158 CME_SERVICE INFO Deleting objects for gateway: hallmark-aws--i-0d73aecbba3a998ad--us-east-1
2026-03-26 20:34:11,158 CME_SERVICE INFO Deleting objects with Policy Destructor AWS Automatic Policy
2026-03-26 20:34:11,173 CME_SERVICE ERROR Failed to provision the gateway instance hallmark-aws--i-0d73aecbba3a998ad--us-east-1.
Error details: Management API failure (install-policy)..
2026-03-26 20:34:11,179 CME_SERVICE ERROR Error traceback: Traceback (most recent call last):
File "/opt/CPcme/service/cme_service.py", line 595, in scale_out
is_setup_gw_succeed = management.autoprovision_handler.set_gateway(instance, gw, auto_hf)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 1816, in set_gateway
self.provision_gateway(instance, gw, auto_hf, gw_tags, simple_gateway)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 3399, in provision_gateway
self.set_policy(gw, gw_tags.get('policy'), group_name)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 337, in set_policy
install_policy_handler.invoke_install_policy(gw_name, policy)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 133, in invoke_install_policy
self.management(CPMCommand.INSTALL_POLICY, {POLICY_PACKAGE: policy, TARGETS: gw_name,
File "/opt/CPcme/cp_handlers/mgmt_handler.py", line 193, in __call__
return self.client(command=command, body=body, version=version,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/CPcme/cp_handlers/mgmt_api_handler.py", line 241, in __call__
raise ManagementApiException(
cme_exceptions.cme_exceptions.ManagementApiException: Error Code: Management API error

API call failed with command: install-policy
Payload: {'policy-package': 'Standard', 'targets': 'hallmark-aws--i-0d73aecbba3a998ad--us-east-1', 'allow-task-separation': True}
Error details: Installation failed. Reason: SIC General Failure [ SIC error no. 325 ].
2026-03-26 20:34:11,180 CME_SERVICE INFO Configuration was not complete
2026-03-26 20:34:11,181 CME_SERVICE INFO hallmark-aws--i-078cc9e1b64f1c34e--us-east-1 state is changed to: UPDATING
2026-03-26 20:34:11,181 CME_SERVICE INFO SIC has successfully been established between management mgmt-aws and gateway instance hallmark-aws--i-078cc9e1b64f1c34e--us-east-1
2026-03-26 20:34:11,181 CME_SERVICE INFO Resetting gateway hallmark-aws--i-078cc9e1b64f1c34e--us-east-1
2026-03-26 20:34:11,219 CME_SERVICE INFO Deleting objects for gateway: hallmark-aws--i-078cc9e1b64f1c34e--us-east-1
2026-03-26 20:34:11,219 CME_SERVICE INFO Deleting objects with Policy Destructor AWS Automatic Policy
2026-03-26 20:34:11,688 CME_SERVICE INFO Identity Awareness software blade was successfully unset
2026-03-26 20:34:11,787 CME_SERVICE INFO HTTPS Inspection was successfully unset
2026-03-26 20:34:11,787 CME_SERVICE INFO Gateway hallmark-aws--i-078cc9e1b64f1c34e--us-east-1 is not part of a scale set.
2026-03-26 20:34:16,195 CME_SERVICE INFO Setting policy Standard on gateway hallmark-aws--i-078cc9e1b64f1c34e--us-east-1

Any advice and guidance would be greatly appreciated.


Accepted Solution
PhoneBoy
Admin

Note the error (which is referenced in an internal SK) suggests a "clock" issue that would likely be caused by: https://support.checkpoint.com/results/sk/sk184766 


8 Replies
Neetu139755
Participant

Hello @PhoneBoy 

Thank you for pointing me to sk184766: this matches our issue exactly (R82.10 Build 767, SIC error 325 on Install Policy). Is there a specific hotfix number that resolves the certificate date validation bug? What is the hotfix number/take number we should install on the management server (R82.10-PAYG) and gateways (R82.10-PAYG-NGTP) to fix this immediately rather than waiting ~24 hours for certs to become valid?

At the moment, I don't see any clock sync issues between the management server and the gateway servers. The date/time are in sync:

Management server
[Expert@mgmt-aws:0]# date -u 
Sun Mar 29 20:43:30 UTC 2026


Gateway: Member A
[Expert@i-0d73aecbba3a998ad:0]# date -u    
Sun Mar 29 20:43:28 UTC 2026


Gateway Member B
[Expert@i-078cc9e1b64f1c34e:0]# date -u 
Sun Mar 29 20:43:27 UTC 2026

The gateway version that I have used is:

GatewayVersion R82.10-PAYG-NGTP
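
Added example (not from the thread and not Check Point code): a small Python helper that parses the `date -u` lines posted above together with the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints, and reports whether a certificate is not yet valid, expired or valid on a given host's clock, plus the skew between two hosts. The certificate dates in the sample are constructed; the P12 path in the comment is a placeholder.

```python
import re
from datetime import datetime, timezone

# Input formats exactly as Gaia prints them (added example, not Check Point code):
#   date -u                     -> "Sun Mar 29 20:43:30 UTC 2026"
#   openssl x509 -noout -dates  -> "notBefore=Mar 27 20:01:00 2026 GMT"
#                                  "notAfter=Mar 27 20:01:00 2031 GMT"
# To produce the -dates lines from a pushed P12 (path is a placeholder):
#   openssl pkcs12 -in <cert.p12> -nokeys -clcerts | openssl x509 -noout -dates
DATE_U_FMT = "%a %b %d %H:%M:%S UTC %Y"
X509_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_date_u(line):
    """Parse one `date -u` line into an aware UTC datetime."""
    return datetime.strptime(line.strip(), DATE_U_FMT).replace(tzinfo=timezone.utc)

def parse_x509_dates(text):
    """Parse the notBefore/notAfter lines printed by `openssl x509 -noout -dates`."""
    found = {}
    for m in re.finditer(r"^(notBefore|notAfter)=(.+)$", text, re.M):
        found[m.group(1)] = datetime.strptime(m.group(2).strip(), X509_FMT).replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("need both notBefore and notAfter lines")
    return found

def validity_status(dates, now):
    """Classify the cert against a clock: ('not_yet_valid'|'expired'|'valid', seconds).
    seconds = time until notBefore, time since notAfter, or time left, respectively."""
    if now < dates["notBefore"]:
        return "not_yet_valid", int((dates["notBefore"] - now).total_seconds())
    if now > dates["notAfter"]:
        return "expired", int((now - dates["notAfter"]).total_seconds())
    return "valid", int((dates["notAfter"] - now).total_seconds())

def clock_skew_seconds(reference_date_u, other_date_u):
    """Skew of `other` relative to `reference` (positive = other is ahead)."""
    return int((parse_date_u(other_date_u) - parse_date_u(reference_date_u)).total_seconds())

def diagnose(x509_dates_text, host_date_u):
    """One-line verdict: is the cert usable on this host's clock right now?"""
    status, secs = validity_status(parse_x509_dates(x509_dates_text), parse_date_u(host_date_u))
    hours = secs / 3600
    if status == "not_yet_valid":
        return f"cert notBefore is {hours:.1f} h in the future on this clock; trust checks fail until then"
    if status == "expired":
        return f"cert expired {hours:.1f} h ago on this clock"
    return f"cert valid on this clock ({hours / 24:.0f} days left)"

# Constructed sample: the `date -u` lines from the thread and a made-up cert whose
# notBefore lies ~21 h ahead of the hosts' clocks (the not-yet-valid shape discussed above).
MGMT_DATE_U = "Sun Mar 29 20:43:30 UTC 2026"
GW_A_DATE_U = "Sun Mar 29 20:43:28 UTC 2026"
SAMPLE_DATES = "notBefore=Mar 30 18:00:00 2026 GMT\nnotAfter=Mar 30 18:00:00 2031 GMT\n"

if __name__ == "__main__":
    print("skew gw-A vs mgmt:", clock_skew_seconds(MGMT_DATE_U, GW_A_DATE_U), "s")
    print("gw-A:", diagnose(SAMPLE_DATES, GW_A_DATE_U))
```

A two-second skew between hosts is harmless; what matters is whether the certificate's `notBefore` is ahead of the gateway's own clock, which the `diagnose` line makes visible.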

PhoneBoy
Admin

My thought would be to apply the one for: R82.10 GA Take 464 UNLESS you've applied JHF 22 (in which case, you'd use that).
Both are listed in the SK I linked to.

However, I know the Cloud images are different and suggest confirming this with TAC.

Neetu139755
Participant

Thank you @PhoneBoy 

My team is working on getting the account set up so that I can open a TAC case. Since the free trial ends tomorrow, I was hoping you could help me with the sk184766 hotfix on a PAYG cloud image R82.10 Build 767? The installer shows no hotfixes available.

[Expert@mgmt-aws:0]# cpinfo -l 2>/dev/null | head -20
************************************************************************
                       Check Point Support Information                    
                           CPinfo 5.0 Build 914000224                           

                        (Last Mod.: Aug 12 2025 10:11:55)                              

  When needed, you will be asked to send the output of this program to  
                        support@ts.CheckPoint.com                       

************************************************************************

==============================================
General Info
==============================================
OS: Gaia
Version: R82.10 - Build 767
Type: MGMT

==============================================
CP components

mgmt-aws> show installer packages 
**  ************************************************************************* **
**                                  Majors                                    **
**  ************************************************************************* **
Display name                                                                                    Status                    
CloudGuard Network Security R82.10 In-Place Upgrade                                             Available for Download    
mgmt-aws> show version all   
Product version Check Point Gaia R82.10
OS build 464
OS kernel version 5.14.0-427.13.1cpx86_64
OS edition 64-bit
PhoneBoy
Admin

The underlying problem also impacts CPUSE.
The hotfix may need to be downloaded from the SK. 

the_rock
MVP Diamond

If what Phoneboy provided does not work (just in case), can you send output of cpwd_admin list from both mgmt and gw?

Best,
Andy
"Have a great day and if its not, change it"
Neetu139755
Participant

Hello,

Management server

[Expert@mgmt-aws:0]# cpwd_admin list 
APP        PID    STAT  #START  START_TIME             MON  COMMAND             
CPVIEWD    46087  E     1       [23:04:13] 17/3/2026   N    cpviewd             
CVIEWAPIS  46092  E     1       [23:04:13] 17/3/2026   N    cpview_api_service  
CPVIEWS    46098  E     1       [23:04:13] 17/3/2026   N    cpview_services     
MSGD       46141  E     1       [23:04:13] 17/3/2026   Y    msgd                
CPD        46241  E     1       [23:04:14] 17/3/2026   Y    cpd                 
FWD        46305  E     1       [23:04:14] 17/3/2026   N    fwd -n              
FWM        46310  E     1       [23:04:14] 17/3/2026   N    fwm                 
FWMHA      78154  E     1       [23:08:01] 17/3/2026   N    fwmha -H            
STPR       46388  E     1       [23:04:14] 17/3/2026   N    status_proxy        
CPM        46584  E     1       [23:04:15] 17/3/2026   N    /opt/CPsuite-R82.10/fw1/scripts/cpm.sh -s
SOLR       46660  E     1       [23:04:15] 17/3/2026   N    java_solr           
RFL        46691  E     1       [23:04:15] 17/3/2026   N    LogCore             
SMARTVIEW  46737  E     1       [23:04:15] 17/3/2026   N    SmartView           
INDEXER    46807  E     1       [23:04:15] 17/3/2026   N    /opt/CPrt-R82.10/log_indexer/log_indexer -workingDir /opt/CPrt-R82.10/log_indexer/
SMARTLOG_SERVER 46917  E     1       [23:04:15] 17/3/2026   N    /opt/CPSmartLog-R82.10/smartlog_server
REPMAN     46990  E     1       [23:04:16] 17/3/2026   N    java_repository_manager
DASERVICE  600572 E     1       [16:56:53] 25/3/2026   N    DAService_script    
AUTOUPDATER 47013  E     1       [23:04:16] 17/3/2026   N    AutoUpdaterService.sh
LPD        66416  E     1       [23:06:24] 17/3/2026   N    lpd                 
CPSM       68630  E     1       [23:07:11] 17/3/2026   N    cpstat_monitor  

Member A:

[Expert@i-0d73aecbba3a998ad:0]# cpwd_admin list 
APP        PID    STAT  #START  START_TIME             MON  COMMAND             
FWK_FORKER 15120  E     1       [16:00:12] 26/3/2026   N    fwk_forker          
FWK_WD     15129  E     1       [16:00:12] 26/3/2026   N    fwk_wd -i 3 -i6 0   
CPVIEWD    37470  E     1       [16:07:12] 26/3/2026   N    cpviewd             
CVIEWAPIS  37492  E     1       [16:07:12] 26/3/2026   N    cpview_api_service  
CPVIEWS    37497  E     1       [16:07:12] 26/3/2026   N    cpview_services     
SXL_STATD  37510  E     1       [16:07:12] 26/3/2026   N    sxl_statd           
MSGD       37534  E     1       [16:07:12] 26/3/2026   Y    msgd                
CPD        37643  E     1       [16:07:12] 26/3/2026   Y    cpd                 
MPDAEMON   37658  E     1       [16:07:12] 26/3/2026   N    mpdaemon /opt/CPshrd-R82.10/log/mpdaemon.elg /opt/CPshrd-R82.10/conf/mpdaemon.conf
TP_CONF_SERVICE 37690  E     1       [16:07:12] 26/3/2026   N    tp_conf_service --conf=tp_conf.json --log=info
CXLD       37831  E     1       [16:07:13] 26/3/2026   N    cxld -d             
CI_CLEANUP 37856  E     1       [16:07:14] 26/3/2026   N    avi_del_tmp_files   
CIHS       37863  E     1       [16:07:14] 26/3/2026   N    ci_http_server -j -f /opt/CPsuite-R82.10/fw1/conf/cihs.conf
FWD        37893  E     1       [16:07:14] 26/3/2026   N    fwd                 
SPIKE_DETECTIVE 37902  E     1       [16:07:14] 26/3/2026   N    spike_detective     
LPD        16152  E     1       [16:00:23] 26/3/2026   N    lpd                 
UPRD       38605  E     1       [16:07:39] 26/3/2026   Y    uprd                
DASERVICE  40102  E     1       [16:07:47] 26/3/2026   N    DAService_script    
AUTOUPDATER 40116  E     1       [16:07:48] 26/3/2026   N    AutoUpdaterService.sh
PROBEMOND  40124  E     1       [16:07:48] 26/3/2026   N    probemond

Member B:

[Expert@i-078cc9e1b64f1c34e:0]# cpwd_admin list 
APP        PID    STAT  #START  START_TIME             MON  COMMAND             
FWK_FORKER 15056  E     1       [16:00:12] 26/3/2026   N    fwk_forker          
FWK_WD     15065  E     1       [16:00:12] 26/3/2026   N    fwk_wd -i 3 -i6 0   
CPVIEWD    38093  E     1       [16:08:11] 26/3/2026   N    cpviewd             
CVIEWAPIS  38115  E     1       [16:08:11] 26/3/2026   N    cpview_api_service  
CPVIEWS    38120  E     1       [16:08:11] 26/3/2026   N    cpview_services     
SXL_STATD  38133  E     1       [16:08:11] 26/3/2026   N    sxl_statd           
MSGD       38150  E     1       [16:08:11] 26/3/2026   Y    msgd                
CPD        38266  E     1       [16:08:11] 26/3/2026   Y    cpd                 
MPDAEMON   38281  E     1       [16:08:11] 26/3/2026   N    mpdaemon /opt/CPshrd-R82.10/log/mpdaemon.elg /opt/CPshrd-R82.10/conf/mpdaemon.conf
TP_CONF_SERVICE 38313  E     1       [16:08:11] 26/3/2026   N    tp_conf_service --conf=tp_conf.json --log=info
CXLD       38448  E     1       [16:08:12] 26/3/2026   N    cxld -d             
CI_CLEANUP 38480  E     1       [16:08:13] 26/3/2026   N    avi_del_tmp_files   
CIHS       38487  E     1       [16:08:13] 26/3/2026   N    ci_http_server -j -f /opt/CPsuite-R82.10/fw1/conf/cihs.conf
FWD        38517  E     1       [16:08:13] 26/3/2026   N    fwd                 
SPIKE_DETECTIVE 38526  E     1       [16:08:13] 26/3/2026   N    spike_detective     
LPD        16037  E     1       [16:00:22] 26/3/2026   N    lpd                 
UPRD       39355  E     1       [16:08:41] 26/3/2026   Y    uprd                
DASERVICE  40851  E     1       [16:08:49] 26/3/2026   N    DAService_script    
AUTOUPDATER 40864  E     1       [16:08:49] 26/3/2026   N    AutoUpdaterService.sh
PROBEMOND  40873  E     1       [16:08:49] 26/3/2026   N    probemond 
the_rock
MVP Diamond

What does below show you?

autoprov_cfg show

Based on cpwd_admin list, all looks good to me, shows E (established) and all is 1, meaning any process was started just once, which is good.

Appears certificate is continuously being revoked, for some reason. Might be worth opening TAC case to check further.

Did you verify basic connectivity between mgmt and gw? Is it using correct IP to communicate?

Are routes 100% valid?

Best,
Andy
"Have a great day and if its not, change it"