Hi,
We have a VSX Cluster that was built nearly 5 years ago and the SIC certificates are expiring in 2026. In googling how to renew these certificates, it's becoming clear that it should have done this automatically. I found SK164255, which speaks about SIC not renewing automatically, and I found the logs on the firewall:
[CPD 108554 4133026112]@Our-FIREWALL-01[9 Jun 20:48:04] Renew_SIC_Cert_cb: CPD failed to renew sic certificate. status = 3, rc - -1.
In the SK it lists three ports that are used in the process
- ICA_PULL (port 18210)
- ICA_PUSH (port 18211)
- ICA_SERVICES (port 18191)
And when I looked in the logs for port 18191, I can see that the firewalls are trying to communicate on that port with a host called (worryingly) 'sms-dummy' with a different IP from the SMS we use. As this was a completely new build in 2021 by a 3rd party, potentially they created the environment with a temporary SMS and later on switched over to the current SMS, but the firewalls are left trying to renew SIC to the original IP?
What are the options open to us?
Could I NAT that traffic to the actual SMS?
Or am I going to have to go through the resetting of SIC across the environment?
https://support.checkpoint.com/results/sk/sk164255
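A small helper, added here as an example and not part of the post or of any Check Point tooling, for checking the two things described above on a gateway: parse cpd log lines for the Renew_SIC_Cert_cb failure quoted in the post, and flag any traffic on the three ICA ports from the SK whose destination is not the SMS the gateways should be talking to. The log line format is the one quoted in the post; the connection records, host names and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, mirroring the cpd log line quoted in the post.
CPD_LOG_LINES = [
    "[CPD 108554 4133026112]@Our-FIREWALL-01[9 Jun 20:48:04] Renew_SIC_Cert_cb: "
    "CPD failed to renew sic certificate. status = 3, rc - -1.",
    "[CPD 108554 4133026112]@Our-FIREWALL-01[9 Jun 20:48:05] unrelated message",
]

# Captures host, timestamp, status and rc from the renewal-failure line.
RENEW_FAIL_RE = re.compile(
    r"@(?P<host>\S+?)\[(?P<ts>[^\]]+)\] Renew_SIC_Cert_cb: CPD failed to renew "
    r"sic certificate\. status = (?P<status>-?\d+), rc - (?P<rc>-?\d+)\."
)

@dataclass
class RenewFailure:
    host: str
    timestamp: str
    status: int
    rc: int

def find_renew_failures(lines):
    """Return one RenewFailure per line that reports a failed SIC renewal."""
    found = []
    for line in lines:
        m = RENEW_FAIL_RE.search(line)
        if m:
            found.append(RenewFailure(m["host"], m["ts"], int(m["status"]), int(m["rc"])))
    return found

# The three ports listed in sk164255 for the renewal process.
ICA_PORTS = {18191: "ICA_SERVICES", 18210: "ICA_PULL", 18211: "ICA_PUSH"}

def unexpected_ica_peers(connections, expected_sms_ip):
    """connections: iterable of (dst_host, dst_ip, dst_port). Returns ICA-port
    connections whose destination is not the expected SMS, tagged with the service."""
    return [(host, ip, ICA_PORTS[port]) for host, ip, port in connections
            if port in ICA_PORTS and ip != expected_sms_ip]

# Constructed connection records (hypothetical addresses); on a real gateway these
# would come from the traffic logs filtered on the three ICA ports.
SAMPLE_CONNECTIONS = [
    ("sms-dummy", "192.0.2.10", 18191),
    ("mgmt-sms", "192.0.2.20", 18191),
    ("mgmt-sms", "192.0.2.20", 443),
]

if __name__ == "__main__":
    for f in find_renew_failures(CPD_LOG_LINES):
        print(f"{f.host} {f.timestamp}: renewal failed (status={f.status}, rc={f.rc})")
    for host, ip, svc in unexpected_ica_peers(SAMPLE_CONNECTIONS, "192.0.2.20"):
        print(f"{svc} traffic to {host} ({ip}) is not going to the expected SMS")
```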