Moudar
Advisor

Peer sent wrong DN

Hi

I got a route based VPN between 1575 SMB and a 6500 gateways.

On Smartconsole it looks like this:

[image: smartconsole-test7.JPG]

Where the SMB that got the problem is test7

[image: test71.JPG]

On Smartevent monitor test7 is waiting:

[image: test72.JPG]

The problem began immediately after upgrading the SMS to Take 76.

What’s odd is that the tunnel is still functioning correctly. On the other side, there’s a Cisco AP that connects to its WLC on my side without any issues!

I checked sic_info.elg on SMB I could see this log:

CLIENT; process: fw; my port: 42545; peer port: 18191; my ip addr: 192.168.7.10; peer ip addr: x.x.x.x; sic service type: EntitlementManager; fwasync state: SIC_CLIENT_GET_SICNAME; error id: 111; SIC Error for EntitlementManager: Peer sent wrong DN: CN=fw01,O=xxxx.xxxx.xxxx.xxxxxx

On 6500 cluster object the CN=fwcl

I wonder why the SMB is getting CN=fw01, where fw01 is a gateway on fwcl cluster!

How to import the correct certificate to the SMB, is it "Reinitialize Trusted communication"?



0 Kudos
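As an added example (not code from the original post or from Check Point), the following Python script parses sic_info.elg lines in the format quoted above and flags every "Peer sent wrong DN" entry whose CN differs from the CN of the object the gateway is supposed to trust (here the cluster object CN=fwcl). The two log lines are constructed for the example: the first is the line from the post, the second is a constructed contrast line in which the peer presented the expected CN, so it is not reported. Only the field layout visible in the quoted line is assumed; nothing else about the log format is.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. Line 1 is the entry quoted in the post (peer IP masked
# as in the post); line 2 is a constructed contrast line whose DN carries the
# expected cluster CN, so the mismatch check below must not report it.
SAMPLE_LOG = """\
CLIENT; process: fw; my port: 42545; peer port: 18191; my ip addr: 192.168.7.10; peer ip addr: x.x.x.x; sic service type: EntitlementManager; fwasync state: SIC_CLIENT_GET_SICNAME; error id: 111; SIC Error for EntitlementManager: Peer sent wrong DN: CN=fw01,O=xxxx.xxxx.xxxx.xxxxxx
CLIENT; process: fw; my port: 42546; peer port: 18191; my ip addr: 192.168.7.10; peer ip addr: x.x.x.x; sic service type: EntitlementManager; fwasync state: SIC_CLIENT_GET_SICNAME; error id: 111; SIC Error for EntitlementManager: Peer sent wrong DN: CN=fwcl,O=xxxx.xxxx.xxxx.xxxxxx
"""

# The DN sits after the literal "Peer sent wrong DN:" in the last field.
DN_RE = re.compile(r"Peer sent wrong DN:\s*(?P<dn>.+?)\s*$")


@dataclass
class SicEvent:
    role: str                      # first token, e.g. CLIENT
    fields: dict                   # "key: value" pairs separated by ';'
    peer_dn: Optional[str] = None  # DN the peer presented, if the line carries one


def parse_dn(dn: str) -> dict:
    """Split 'CN=fw01,O=org' into {'CN': 'fw01', 'O': 'org'} (plain DNs only, no escaping)."""
    out = {}
    for part in dn.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().upper()] = val.strip()
    return out


def parse_line(line: str) -> Optional[SicEvent]:
    """Parse one sic_info.elg entry in the quoted layout; return None for blank lines."""
    segs = [s.strip() for s in line.strip().split(";")]
    if not segs or not segs[0]:
        return None
    role, rest = segs[0], segs[1:]
    fields, peer_dn = {}, None
    for seg in rest:
        if ": " not in seg:
            continue
        # Split on the first ': ' only: the error field itself contains further colons.
        key, val = seg.split(": ", 1)
        fields[key] = val
        m = DN_RE.search(val)
        if m:
            peer_dn = m.group("dn")
    return SicEvent(role, fields, peer_dn)


def find_dn_mismatches(log_text: str, expected_cn: str) -> list:
    """Return one dict per 'wrong DN' event whose CN is not the expected one."""
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev.peer_dn is None:
            continue
        got_cn = parse_dn(ev.peer_dn).get("CN")
        if got_cn != expected_cn:
            hits.append({
                "peer_ip": ev.fields.get("peer ip addr"),
                "service": ev.fields.get("sic service type"),
                "error_id": ev.fields.get("error id"),
                "got_cn": got_cn,
                "expected_cn": expected_cn,
                "peer_dn": ev.peer_dn,
            })
    return hits


if __name__ == "__main__":
    # Expected CN is the cluster object's CN from the post (assumed as the trusted name).
    for hit in find_dn_mismatches(SAMPLE_LOG, "fwcl"):
        print(f"peer {hit['peer_ip']} ({hit['service']}, error {hit['error_id']}): "
              f"got CN={hit['got_cn']}, expected CN={hit['expected_cn']}  [{hit['peer_dn']}]")
```

Run it against a real sic_info.elg by reading the file into `find_dn_mismatches` and passing the CN shown on the management object; any line it reports is a peer presenting a certificate issued to a different object than the one the gateway was told to trust, which is exactly the symptom in the post.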
9 Replies
G_W_Albrecht
Legend

Yes, see https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Centrally_Managed/EN/Content/Topics/Se...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Moudar
Advisor

What should I look at? The SMB is already centrally managed?

0 Kudos
Lesley
Leader

I think this is a known limitation:

SmartView Monitor
SMBGWY-2525

The SmartConsole "Device & License Information" window shows incorrect information for the Centrally Managed Quantum Spark Gateway in these scenarios:

  • The Centrally Managed Quantum Spark Gateway is configured with a Dynamically Assigned IP Address (DAIP)
  • There is a NAT device between the Check Point Management Server and the Centrally Managed Quantum Spark Gateway

To get to this window:

  1. In SmartConsole, from the left navigation panel, click the "Gateways & Servers" view.
  2. Select the Quantum Spark Gateway object.
  3. In the bottom pane, click the "Summary" tab.
  4. At the bottom, click the link "Device & License Information".
-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
Legend

Have you tried rebooting that SMB gateway?

Andy

0 Kudos
Moudar
Advisor

Yes, same!

0 Kudos
the_rock
Legend

But you say the tunnel shows as up? Both phase 1 and 2? Is the traffic through it working?

Andy

0 Kudos
Moudar
Advisor

No, the tunnel doesn't appear as up, as shown in the images above, but it is functioning correctly.

0 Kudos
the_rock
Legend

So where is it failing? Phase 2?

0 Kudos
Moudar
Advisor

cpca_client lscert -dn "CN=fwcl"

cpca_client lscert -dn "CN=fw01"

Upon reviewing the 6500 certificates, I discovered the following:

  • CN=fw01: This certificate is valid until 2028.
  • CN=fwcl: This certificate is currently listed in the gateway VPN repository.

The issue is that the VPN peers are receiving the DN CN=fw01 certificate instead of the DN CN=fwcl certificate.

Question: Why is the VPN peer receiving the CN=fw01 certificate instead of the CN=fwcl?

0 Kudos