Re: Peer sent wrong DN

Moudar · ‎2024-09-10

Hi

I got a route based VPN between 1575 SMB and a 6500 gateways.

On Smartconsole it looks like this:

Where the SMB that got the problem is test7

On Smartevent monitor test7 is waiting:

The problem began immediately after upgrading the SMS to take 76.

What’s odd is that the tunnel is still functioning correctly. On the other side, there’s a Cisco AP that connects to its WLC on my side without any issues!

I checked sic_info.elg on SMB I could see this log:

CLIENT; process: fw; my port: 42545; peer port: 18191; my ip addr: 192.168.7.10; peer ip addr: x.x.x.x; sic service type: EntitlementManager; fwasync state: SIC_CLIENT_GET_SICNAME; error id: 111; SIC Error for EntitlementManager: Peer sent wrong DN: CN=fw01,O=xxxx.xxxx.xxxx.xxxxxx

On 6500 cluster object the CN=fwcl

I wonder why the SMB is getting CN=fw01, where fw01 is a gateway on fwcl cluster!

How to import the correct certificate to the SMB, is it "Reinitialize Trusted communication"?

G_W_Albrecht · ‎2024-09-10

Yes, see https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Centrally_Managed/EN/Content/Topics/Se...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Moudar · ‎2024-09-10

What should i look at? The SMB is already centrally managed?

Lesley · ‎2024-09-10

I think this is a known limitation:

SmartView Monitor

SMBGWY-2525

The SmartConsole "Device & License Information" window shows incorrect information for the Centrally Managed Quantum Spark Gateway in these scenarios:

The Centrally Managed Quantum Spark Gateway is configured with a Dynamically Assigned IP Address (DAIP)
There is a NAT device between the Check Point Management Server and the Centrally Managed Quantum Spark Gateway

To get to this window:

In SmartConsole, from the left navigation panel, click the "Gateways & Servers" view.
Select the Quantum Spark Gateway object.
In the bottom pane, click the "Summary" tab.
At the bottom, click the link "Device & License Information".

-------
Please press "Accept as Solution" if my post solved it 🙂

the_rock · ‎2024-09-10

Have you tried rebooting that SMB gateway?

Andy

Best,
Andy

Moudar · ‎2024-09-10

yes, same !

the_rock · ‎2024-09-10

But you say the tunnel shows as up? Both phase 1 and 2? Is the traffic through it working?

Andy

Best,
Andy

Moudar · ‎2024-09-10

No, the tunnel doesn't appear as up, as shown in the images above, but it is functioning correctly.

the_rock · ‎2024-09-11

So where is it failing? Phase 2?

Best,
Andy

Moudar · ‎2024-09-11

cpca_client lscert -dn "CN=fwcl"

cpca_client lscert -dn "CN=fw01"

Upon reviewing the 6500 certificates, I discovered the following:

CN=fw01: This certificate is valid until 2028.
CN=fwcl: This certificate is currently listed in the gateway VPN repository.

The issue is that the VPN peers are receiving the DN CN=fw01 certificate instead of the DN CN=fwcl certificate.

Question: Why is the VPN peer receiving the CN=fw01 certificate instead of the CN=fwcl?

Are you a member of CheckMates?

Peer sent wrong DN