P_Williams
Contributor

SIC not automatically renewing certificate in VSX

Hi,

We have a VSX Cluster that was built nearly 5 years ago and the SIC certificates are expiring in 2026. In googling how to renew these certificates it's becoming clear that it should have done this automatically. I found SK164255, which speaks about SIC not renewing automatically, and I found the logs on the firewall:

[CPD 108554 4133026112]@Our-FIREWALL-01[9 Jun 20:48:04] Renew_SIC_Cert_cb: CPD failed to renew sic certificate. status = 3, rc - -1.

In the SK it lists three ports that are used in the process

  • ICA_PULL (port 18210)
  • ICA_PUSH (port 18211)
  • ICA_SERVICES (port 18191)

And when I looked in the logs for port 18191 I can see that the firewalls are trying to communicate on that port with a host called (worryingly) 'sms-dummy' with a different IP to the SMS we use. As this was a completely new build in 2021 by a 3rd party, potentially they created the environment with a temporary SMS and later switched over to the current SMS, but the firewalls are left trying to renew SIC to the original IP?

What are the options open to us?

Could I NAT that traffic to the actual SMS?

Or am I going to have to go through the resetting of SIC across the environment?

https://support.checkpoint.com/results/sk/sk164255

0 Kudos
3 Replies
PhoneBoy
Admin

There's an SK for this situation, it appears: https://support.checkpoint.com/results/sk/sk103356 

P_Williams
Contributor

Thanks PhoneBoy, that looks promising, I will try out the commands to adjust the IP on the standby and see how I get on.

[Expert@FW-01:0]# vsenv 2
Context is set to Virtual Device (ID 2).
[Expert@FW-01:2]# grep -i icaip $CPDIR/registry/HKLM_registry.data
:ICAip (10.253.253.254) INCORRECT
[Expert@FW-01:2]# vsenv 3
Context is set to Virtual Device (ID 3).
[Expert@FW-01:3]# grep -i icaip $CPDIR/registry/HKLM_registry.data
:ICAip (10.253.253.254) INCORRECT
[Expert@FW-01:3]# vsenv 4
Context is set to Virtual Device (ID 4).
[Expert@FW-01:4]# grep -i icaip $CPDIR/registry/HKLM_registry.data
:ICAip (10.253.253.254) INCORRECT
[Expert@FW-01:4]# vsenv 6
Context is set to Virtual Device (ID 6).
[Expert@FW-01:6]# grep -i icaip $CPDIR/registry/HKLM_registry.data
:ICAip (172.x.x.30) CORRECT

0 Kudos
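The two checks in this thread (the CPD "failed to renew sic certificate" log line in the original post, and the per-VS ICAip registry comparison in the follow-up above) can be scripted so a mismatch is reported rather than read by eye. The script below is an added example, not from the thread or from Check Point; the SMS IP is a placeholder assumption and the registry and log samples are constructed to mirror the lines shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point): flag a CPD SIC renewal
# failure in a log line and compare the ICAip recorded in each Virtual System's
# registry against the management server IP actually in use.
# EXPECTED_SMS_IP is a placeholder assumption; set it to your own SMS address.
EXPECTED_SMS_IP="${EXPECTED_SMS_IP:-172.16.0.30}"

# Return 0 if the log line reports a failed SIC renewal by CPD, 1 otherwise.
sic_renew_failed() {
    printf '%s\n' "$1" | grep -q 'Renew_SIC_Cert_cb: CPD failed to renew sic certificate'
}

# Print the ICAip value from registry text, e.g. the output of
# "grep -i icaip $CPDIR/registry/HKLM_registry.data" run inside a VS context.
ica_ip_from_registry() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*:ICAip (\([^)]*\)).*/\1/p' | head -n 1
}

# Print "<vs-id> <icaip> OK|MISMATCH" (or "<vs-id> - MISSING") for one VS.
# Return 0 only when the recorded ICAip equals EXPECTED_SMS_IP.
check_vs() {
    vs_id=$1
    registry_text=$2
    ica_ip=$(ica_ip_from_registry "$registry_text")
    if [ -z "$ica_ip" ]; then
        printf '%s - MISSING\n' "$vs_id"
        return 1
    fi
    if [ "$ica_ip" = "$EXPECTED_SMS_IP" ]; then
        printf '%s %s OK\n' "$vs_id" "$ica_ip"
        return 0
    fi
    printf '%s %s MISMATCH\n' "$vs_id" "$ica_ip"
    return 1
}

# Constructed sample data standing in for per-VS registry greps and a CPD log line.
REG_VS2=':ICAip (10.253.253.254)'
REG_VS6=':ICAip (172.16.0.30)'
REG_VS9=':SomeOtherKey (value)'
SAMPLE_LOG='[CPD 108554 4133026112]@FW-01[9 Jun 20:48:04] Renew_SIC_Cert_cb: CPD failed to renew sic certificate. status = 3, rc - -1.'

# Run every sample check; the return code is the number of problems found.
run_samples() {
    problems=0
    check_vs 2 "$REG_VS2" || problems=$((problems + 1))
    check_vs 6 "$REG_VS6" || problems=$((problems + 1))
    check_vs 9 "$REG_VS9" || problems=$((problems + 1))
    if sic_renew_failed "$SAMPLE_LOG"; then
        echo "log: SIC renewal failure reported by CPD"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# On a real VSX member the registry text comes from each context, as in the
# thread:  vsenv <id> && grep -i icaip "$CPDIR/registry/HKLM_registry.data"
# Here only the constructed samples are checked.
rc=0
run_samples || rc=$?
echo "problems found: $rc"
```

On a gateway, feed `check_vs` the real grep output from each `vsenv` context; any line reported as MISMATCH points at a VS whose ICAip still names the old (here 'sms-dummy') management address, which is the condition sk103356 addresses.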
the_rock
MVP Gold

Not sure if you ever enabled below on mgmt server, but might be worth doing it.

Andy

https://support.checkpoint.com/results/sk/sk30501

0 Kudos
