Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Rafee
Participant

ICA Certificate Renewed After Expiry - Caused SIC Breakdown with all the firewalls

GAIA Version R80.40 Take 158

We renewed ICA Certificate using the script provided by Checkpoint TAC on one of the CMA's after it had got expired, which caused SIC Breakdown with all the firewalls managed by the particular CMA.

As per checkpoint SIC issue should get fixed if we reset the SIC, which we tried and it is not fixing the issue.

whenever we try to reset the SIC it is throwing error "Internal SSL authentication error [Certificate expired]"

Note:- We tried resetting SIC on one of the standby firewalls and it has lost its rule base now, It has been a month and Checkpoint has not been able to provide any solution.

Has anyone faced this issue before or any solution would be really appreciated. Thank you

!

!

I also want to know if there is a way to create a new CMA and copy all the configuration of existing CMA

!

5 Replies
PhoneBoy
Admin
Admin

The SIC errors would probably need TAC’s help to troubleshoot.
Meanwhile the normal (migrate_server) process would also duplicate the corrupt ICA.
Something like the following would not: https://community.checkpoint.com/t5/API-CLI-Discussion/Python-tool-for-exporting-importing-a-policy-...

0 Kudos
cem82
Contributor

We did have similar, have you confirmed the ICA cert has indeed been renewed from the script?

cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: 2>/dev/null | cpopenssl x509 -noout -enddate

 

After running that we found that the CN=cp_mgmt SIC for internal_ca hadn't been renewed and had to resign the internal_ca and then replace that cert with mcc replace and revoke old one and then reset SIC to GW

cpca_client lscert -kind SIC -stat Valid

Rafee
Participant

Yes we got the latest script from TAC and were able to see the date got extended as below

##cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: 2>/dev/null | cpopenssl x509 -noout -enddat
##notAfter=Jan 19 03:14:07 2038 GM

!

Command [cpca_client lscert -kind SIC | grep -A 2 "CN=cp_mgmt,"] does not show any certificate on the CMA we are having issue with , however i see "CN=cp_mgmt" certificate is present on all the other working CMA's.

!

Even the command 'cpca_client lscert'  show the certificates are not present for all the gateways , however i see duplicate certificate entries for single gateway with the status as 'Status = Revoked' and one more cert for its HA pair gateway with the status as 'Status = Pending Kind = SIC Serial = XXXXX, OTP validity = none'

!

0 Kudos
Rafee
Participant

Is there any SK that covers "replace cert with mcc replace"

starmen2000
Collaborator
Collaborator

Have you solved the problem? If yes , how? We encountered similar problem and involved TAC but still no solution. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events