This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
P_Williams
Contributor
4 weeks ago

SIC not automatically renewing certificate in VSX

Hi,

We have a VSX Cluster that was built nearly 5 years ago and the SIC certificates are expiring in 2026 and in googling how to renew these certificates its becoming clear that it should have done these automatically. I found SK164255 which speaks about SIC not renewing automatically and I found the logs on the firewall

[CPD 108554 4133026112]@Our-FIREWALL-01[9 Jun 20:48:04] Renew_SIC_Cert_cb: CPD failed to renew sic certificate. status = 3, rc - -1.

In the SK it lists three ports that are used in the process

  • ICA_PULL (port 18210)
  • ICA_PUSH (port 18211)
  • ICA_SERVICES (port 18191)

And when I looked in the logs for port 18191 I can see that the firewalls are trying to communicate on that port with a host called (worryingly) 'sms-dummy' with a different IP to the SMS we use. As this was a completely new build in 2021 by a 3rd party potentially they have created the environment with a temporary SMS and then later on switched over to current SMS, but the firewalls are left trying to renew SIC to the original IP?

What are the options that open to us?

Could I NAT that traffic to the actual SMS?

Or am I going to have go through the resetting of SIC across the environment?

https://support.checkpoint.com/results/sk/sk164255

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
4 weeks ago

There's an SK for this situation, it appears: https://support.checkpoint.com/results/sk/sk103356 

P_Williams
Contributor
4 weeks ago
In response to PhoneBoy

Thanks PhoneBoy, that looks promising, I will try out the commands to adjust the IP on the standby and see how I get on.

[Expert@FW-01:0]# vsenv 2
Context is set to Virtual Device (ID 2).
[Expert@FW-01:2]# grep -i icaip $CPDIR/registry/HKLM_registry.data
:ICAip (10.253.253.254) INCORRECT
[Expert@FW-01:2]# vsenv 3
Context is set to Virtual Device (ID 3).
[Expert@FW-01:3]# grep -i icaip $CPDIR/registry/HKLM_registry.data
:ICAip (10.253.253.254) INCORRECT
[Expert@FW-01:3]# vsenv 4
Context is set to Virtual Device (ID 4).
[Expert@FW-01:4]# grep -i icaip $CPDIR/registry/HKLM_registry.data
:ICAip (10.253.253.254) INCORRECT
[Expert@FW-01:4]# vsenv 6
Context is set to Virtual Device (ID 6).
[Expert@FW-01:6]# grep -i icaip $CPDIR/registry/HKLM_registry.data
:ICAip (172.x.x.30) CORRECT

0 Kudos
the_rock
MVP Gold
MVP Gold
4 weeks ago

Not sure if you ever enabled below on mgmt server, but might be worth doing it.

Andy

https://support.checkpoint.com/results/sk/sk30501

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events