This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Olusegun_Adekun
Contributor
‎2024-02-08 11:48 AM
Jump to solution

SIC problem after upgrade to R81.20

Hi All,

Am having issue with a 3000 series Firewall Upgraded from R81.10 to R81.20. The SIC between the Management Server and the Gateway is not establishing.

With cpconfig, option 5, am able to reset the SIC on the Gateway, however on the Smart Console, it failed with error: Failed to connect to Gateway.

All routing on the Gateway checked all interfaces on with IP addresses.

From the upgraded Gateway, am able to ping the Active Cluster member.

From the upgraded Gateway, am able to ping the Management Server.

But am not able to ping the upgraded Gateway from the Active cluster member and also from the Management Server.

There is something blocking access to the Upgraded Firewall.

Anybody have any idea please as I have run out idea. Even ask TAC, they also ran out of idea.

 TAC advises to restore back to R81.10 which am not really happy to do. I have upgraded other firewalls to R81.20 without any issue but this particular one is becoming a nightmare.

Please help.

Thank you all always.

Regards,

Olu

 

 

0 Kudos
1 Solution

Accepted Solutions
Olusegun_Adekun
Contributor
‎2024-02-27 05:11 AM
In response to the_rock
Jump to solution

Hi Andy, 

You are very right; it was routing issue but very difficult to spot because customer was using ISP redundancy. Traffic from management to Firewall was coming in through one ISP interface and going back through the second ISP which is then been dropped. So, I configured a static route telling the FW to use same ISP interface gateway for return traffic to Management.

SIC was established.

Thanks to everyone that has contributed. Much Appreciated.

View solution in original post

11 Replies
the_rock
Legend
Legend
‎2024-02-08 12:43 PM
Jump to solution

Try this...when you reset SIC on the gw, run fw stat and see what it shows? If it shows initial policy, which most likely it will, run fw unloadlocal and then try establish SIC on the mgmt server.

Andy

0 Kudos
Olusegun_Adekun
Contributor
‎2024-02-08 01:44 PM
In response to the_rock
Jump to solution

Hi The rock,

I have tried it already , even tried with TAC.

Didnt work unfortunately 

Regards

olu

0 Kudos
the_rock
Legend
Legend
‎2024-02-08 02:14 PM
In response to Olusegun_Adekun
Jump to solution

K, so lets take a step back here...IF you say routing is correct and same as other fw (I will take your word for it, as I got no proof to the contrary), and you do fw unloadlocal and sic still fails, there has to be something blocking the connection. Can you make sure if you run netstat -np that sic port is showing there as listening?

Andy

0 Kudos
emmap
Employee
Employee
‎2024-02-08 10:29 PM
In response to the_rock
Jump to solution

I would also suggest that you run a tcpdump on the gateway to see if the SIC connection from the management server is even arriving. It will help narrow down where to troubleshoot.

Generally speaking I would always recommend troubleshooting the network layer before resetting SIC if you have a SIC error like that. There's no point resetting SIC if the layer 1/2/3/4 stuff isn't working.

0 Kudos
the_rock
Legend
Legend
‎2024-02-09 04:14 AM
In response to emmap
Jump to solution

100%, I agree. Its always better to do so.

Andy

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-02-08 01:52 PM
Jump to solution

Is the main IP of the gw in the same net of mgmt server? If not, is the main ip configured on the first interface hitted by packets from mgmt server?

0 Kudos
Olusegun_Adekun
Contributor
‎2024-02-11 05:29 AM
In response to CheckPointerXL
Jump to solution

Thanks all for your advice. I will check the connectivity again.

Much Appreciated.

0 Kudos
the_rock
Legend
Legend
‎2024-02-11 05:57 AM
In response to Olusegun_Adekun
Jump to solution

100% thats your issue, SIC has to work as long as connectvity with mgmt server is there.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-02-11 07:17 AM
In response to Olusegun_Adekun
Jump to solution

I was thinking about this and remembered ages ago, when I was on the phone with a customer troubleshooting this exact issue on R65 running splat (good times lol) and every time client would try reset sic, it would fail, even unloading the policy and after about 30 mins, we confirmed that there was indeed proper route missing.

Can you double check 100% that route is indeed there? From the fw, say if mtmt ip was 10.10.10.10, simply run ip r g 10.10.10.10 from expert mode and check that it is right.

Best,

Andy

0 Kudos
Olusegun_Adekun
Contributor
‎2024-02-27 05:11 AM
In response to the_rock
Jump to solution

Hi Andy, 

You are very right; it was routing issue but very difficult to spot because customer was using ISP redundancy. Traffic from management to Firewall was coming in through one ISP interface and going back through the second ISP which is then been dropped. So, I configured a static route telling the FW to use same ISP interface gateway for return traffic to Management.

SIC was established.

Thanks to everyone that has contributed. Much Appreciated.

the_rock
Legend
Legend
‎2024-02-27 06:14 AM
In response to Olusegun_Adekun
Jump to solution

Glad we can help mate, its always a team effort.

Happy its solved now.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events