This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jwmac
Participant
‎2019-10-22 09:20 AM

RSA SecurID and upgrading to R80.30 from R77.30

I am planning to upgrade a our 2 gateways running ClusterXL from R77.30 from R80.30.  We currently use RSA SecurID for our VPN authentication method for our remote users who connect via the Windows Checkpoint Mobile application.

Will anything have to be done to ensure VPN continues to work for our remote users after upgrading?  Do I need to re-upload the sdconf.rec file after the upgrade?  Will anything else need to be done?

thanks

0 Kudos
6 Replies
Ryan_St__Germai
Advisor
‎2019-10-22 09:33 AM

As long as IP addresses are not changing then it should be simple. We just copied over the sdconf.rec, sdopts.rec and securid files that were located in /var/ace and only ran into one snag. On R77.30 the sdopts.rec file had CLIENT_IP=192.168.1.1 where as in R80.30 the format required a space after the "=" sign so we changed it to CLIENT_IP= 192.168.1.1
0 Kudos
mdjmcnally
Advisor
‎2019-10-22 09:33 AM

How are you upgrading?

 

If CPUSE inplace then the sdconf.rec should be in place already on the boxes.

If doing a clean rebuild to R80.x then the files would be lost and would need to re-establish the connection between the boxes and the RSA.

0 Kudos
Ryan_St__Germai
Advisor
‎2019-10-22 09:37 AM
In response to mdjmcnally

Sorry, missed your upgrade path in the post. We did a fresh install on new hardware. If you are doing a CPUSE upgrade then you shouldn't have any trouble. I would leave the sdopts.rec file alone and if you do experience a problem authenticating then try adding a space after the "=" sign. I believe that change does require a cpstop/cpstart.
0 Kudos
jwmac
Participant
‎2019-10-22 09:40 AM
In response to Ryan_St__Germai

Excellent, I will be sure to check the sdopts.rec for the space after "=" if I run into any issues.

On a side note, how was the upgrade overall for you guys?  Pretty straight forward? Any other issues?

 

thanks

0 Kudos
Ryan_St__Germai
Advisor
‎2019-10-22 09:48 AM
In response to jwmac

Upgrade wise it ended up being very straight forward all things considered. Our Management box was already on R80.30 so that helped some. We did run into two problems. The first issue was related to logs not being sent to the mgmt box from the gateways. We fixed this by going into the cluster object properties and under "Logs" we removed the management box as the logging server then re-added it and pushed policy.

Second issue is ongoing and may just be limited to our environment. We are currently experiencing a memory leak on our clustered gateways. After about a week the active gateway runs out of memory and fails over so we have an ongoing support case for that.
0 Kudos
jwmac
Participant
‎2019-10-22 09:38 AM
In response to mdjmcnally

I am planning to use the CPUSE and doing an upgrade and not a fresh install.  If the sdconf.rec is carried over then it sounds like all I should need to do is update the sdopts.rec file to include the space after the "="?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events