Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ob1lan
Contributor

Management HA & CRL : concerns

Hi,

In regard with our project to get rid of our main datacenter and migrate everything to AWS, I've had to find a solution to migrate the Check Point Management Server (cma).

In the effort of having the migration as smooth as possible, I decided to try with the Management HA. So I launched an EC2 instance from the Check Point R81.10 management AMI (BYOL), sized it as needed and configured the Management HA. 

So far everything works great, the 'old' management is in constant sync with the new one in AWS, which I made active, and I receive most GW's logs (some need a little kick to start sending logs to the new cma). I'm also able to publish & install policies from that new management server. 

From there, I wanted to simulate the decomission of the 'old' management server, and simply issued the cpstop command in there. Then, I decided to reboot some gateways after business hours and see how they would react... Well, the issue is the IPSEC S2S tunnel between those gateways and the central one got stuck in phase 1, and logs showed 'Invalid certificate' errors... 

So I suspect the CRLs are unreachable, and/or the gateways still tries to verify it from the 'old' management server, which was inactive. Once I've issued the cpstart command in the 'old' management, everything started to work fine again, the tunnels established alright.

Checking the CRL DP in the certificate, I noticed it's using an URL with a unresolvable name : http://mgmt.company.tld:18264 (redacted).

  • How come this works if I can't resolve that name internally ?
  • How can I smoothly decomission the 'old' management without impacting our numerous (40+) IPSEC S2S tunnels from our remote gateways ?

Thanks in advance for your help, much appreciated !

0 Kudos
1 Reply
PhoneBoy
Admin
Admin

I'm assuming this is because the gateways "know" the ICA is the management server.
When you migrated the management into AWS, what is the main IP on your management server?
Is it an elastic IP or one of the private VPC IPs?

0 Kudos