Ob1lan
Collaborator

Failed to establish S2S VPN : CRL not found & invalid certificate

Hi,

We are trying to establish a S2S VPN connection between our main datacenter and a new Check Point firewall in another continent.

Initial setup of the new appliance went fine, it's registered with SmartConsole alright, and we can install policies and all.

But so far we failed to establish a S2S VPN connection between the datacenter and the new appliance.

Here are the errors shown in the logs, which look related to how the new device handles/validates the certificates for the gateway-to-gateway authentication:

[Image: 01_COULD_NOT_RETRIEVE_CRL.PNG]

[Image: 02_INVALID_CERT.PNG]

Notice we have like 30+ S2S VPN communities configured, and none are showing the same issue. We tried various combinations in the encryption settings within the community, but none helped in fixing that.

How can we troubleshoot that? The ICA is the management server (CMA), and it's located in the datacenter as well.

Thanks for your help!

Regards


4 Replies
G_W_Albrecht
Legend

Try sk42224: VPN tunnel establishment fails with ICA certificate first.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Ob1lan
Collaborator

Hi @G_W_Albrecht ,

Thanks, but apparently that SK does not apply to us; here is what's configured in the internal_ca:

[Image: 03_ICA_ADVANCED_PROPS.PNG]

G_W_Albrecht
Legend

Then I would suggest an IKE & VPN debug on both sides; that should reveal the details of the error. TAC could also help a lot here...

Ob1lan
Collaborator

Hi @G_W_Albrecht, thanks for your input. We solved this issue. It was the settings of the gateway, under 'Fetch Policy', that were not right.

It was set with the internal IP of the CMA. Adding the externally reachable IP, and making sure it has precedence, solved the issue.
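The fix above is a reachability problem in disguise: the new gateway knew the management server (which hosts the ICA) only by an address that is routable inside the datacenter, so it could not download the ICA's CRL and therefore treated the peer's certificate as invalid. Check Point gateways retrieve the ICA CRL from the management server over TCP port 18264. The POSIX shell script below is an added example, not code from this thread or from Check Point; it builds a throwaway self-signed certificate (constructed input; the addresses 10.10.10.5 and 203.0.113.10 and the file names are made up) whose CRL distribution point names an internal-only host, then reports which CRL DP URIs point at RFC 1918 addresses that a peer on another continent cannot reach. It does not touch the Fetch Policy setting itself, which lives in SmartConsole.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): find CRL
# distribution point URIs in a certificate and flag the ones that name a
# private IPv4 address, i.e. a CRL a remote gateway could never fetch.
# Requires openssl 1.1.1 or later (for "req -addext").

# is_private_ipv4 ADDR -> success if ADDR is in 10/8, 172.16/12 or 192.168/16
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# uri_host URI -> the host part of scheme://host[:port]/path
uri_host() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://([^/:]+).*#\1#'
}

# crl_uris CERT.pem -> one CRL distribution point URI per line
# (parses only the "X509v3 CRL Distribution Points" section of -text output,
# so URIs in other extensions such as AIA are ignored)
crl_uris() {
    openssl x509 -in "$1" -noout -text | awk '
        /CRL Distribution Points/ { inside = 1; next }
        inside && (/X509v3/ || /Signature Algorithm/) { inside = 0 }
        inside && /^[ \t]*URI:/ {
            sub(/^[ \t]*URI:/, "")
            gsub(/, *URI:/, "\n")
            print
        }'
}

# classify_crl_uris CERT.pem
# Prints "PRIVATE <uri>" or "PUBLIC <uri>" for every CRL DP URI in the
# certificate; returns 1 if any URI points at a private address.
classify_crl_uris() {
    rc=0
    for uri in $(crl_uris "$1"); do
        if is_private_ipv4 "$(uri_host "$uri")"; then
            printf 'PRIVATE %s\n' "$uri"
            rc=1
        else
            printf 'PUBLIC %s\n' "$uri"
        fi
    done
    return $rc
}

# crl_fetchable URI -> success if the CRL can be downloaded from this host
# and parsed as DER (live network check, run it from the remote gateway's
# side; not exercised by the demo below)
crl_fetchable() {
    tmp=$(mktemp)
    if curl -fsS --connect-timeout 5 -o "$tmp" "$1" \
       && openssl crl -inform DER -in "$tmp" -noout -nextupdate >/dev/null; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# make_test_cert OUT.pem DP
# Constructed self-signed certificate carrying the CRL DP value DP, e.g.
# "URI:http://10.10.10.5:18264/ICA_CRL1.crl" (the ICA serves its CRL on
# TCP 18264; the address is hypothetical).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${1%.pem}.key" -out "$1" -subj "/CN=remote-gw" \
        -addext "crlDistributionPoints=$2" >/dev/null 2>&1
}

# demo: one internal-only DP (the failure mode in the thread) beside a
# public one; exit status 1 signals that the internal DP was found
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/gw.pem" \
        "URI:http://10.10.10.5:18264/ICA_CRL1.crl,URI:http://203.0.113.10:18264/ICA_CRL1.crl"
    classify_crl_uris "$dir/gw.pem"
    rc=$?
    rm -rf "$dir"
    return $rc
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh crlcheck.sh demo` for the constructed certificate, or call `classify_crl_uris` on a certificate exported from the gateway and `crl_fetchable` on each URI from the remote site; an address that is only routable in the datacenter shows up as PRIVATE here and as a failed fetch there, which is exactly what the "could not retrieve CRL" log line was reporting.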
