BG
Participant

Multi-Portal certificates do not renew

Hi all,

The Mobile Access and IPSec VPN blades are enabled on the firewall (R81.20 JT89). A couple of days ago the certificate was expiring, so we used the "SmartConsole -> IPSec VPN -> Repository of Certificates Available to Gateway" section to renew it. From there it seems that the certificate is renewed, but if we access the Mobile Access portal page or the UserCheck page, these portals are still using the old certificate. Also, Identity Collector agents cannot connect to the gateway because of the expired certificate. We also tried the script provided in https://support.checkpoint.com/results/sk/sk182070, but the old certificate is still in use.

Is this a TAC case or am I missing something?

0 Kudos
14 Replies
G_W_Albrecht
Legend

After the script from sk182070 was used to renew, what does ./gateway_cert_util.sh -show all show? Did you perform a policy install after renewal?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
BG
Participant

Hi,

The command output is below. After renewing the certificate with the script, we installed the policy. [attachment: Screenshot 2025-01-07 142407.png]

0 Kudos
G_W_Albrecht
Legend

Better contact TAC (after rebooting all to be sure)...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
BG
Participant

A reboot solved the problem. Thanks.

0 Kudos
PhoneBoy
Admin

Believe this is a known issue currently that will be fixed in a future JHF.
I believe it is vpnd that needs to be restarted here (though a cprestart or reboot will also solve it).

Lesley
Mentor

There are 2 certificates, one that is used for MAB and other one for IPSec VPN. Did you renew both?

Gateway -> Mobile access -> portal settings

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Lesley
Mentor

Extra tip

https://support.checkpoint.com/results/sk/sk177903

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
BG
Participant

Since we are not using a 3rd-party certificate for MAB, I couldn't renew this certificate individually. As PhoneBoy mentioned, this was a known bug; using the script provided in the article sk182070 should change the MAB certificate as well. It changed, but it becomes active after a reboot.

0 Kudos
Thomas_Eichelbu
Advisor

Hello Folks,

I see this issue also at one of my customers ...
Even when we renew the built-in IPsec certificate over SmartConsole, it doesn't help.
Also, every third-party certificate we have installed was affected, and we have a ton of certificates installed.

Client VPN showed expired certs.
IDC stopped working: "PDPChannel | 1736874287 | Error with pdp 10.254.3.177 : General transport error 399"
Access to all of the portals shows expired certificates, although they still (should) be valid based on SmartConsole.

But S2S VPN to these affected sites still works, so maybe it affects only the HTTP portals and not VPN ...

That's really a mess; Check Point makes it really hard to manage all certificates, especially when dealing with third-party certificates, and then you have another problem when valid certificates do not get pushed to the HTTPD processes!

But at least a reboot of the FW member helps!

A TAC case was opened ... let's wait ...

0 Kudos
Thomas_Eichelbu
Advisor

New INFO

I had a very fruitful remote session with TAC.
When restarting VPND, it renews the certificates!

So, running:

[Expert@XXXXX:0:ACTIVE]# ps aux | grep vpnd
admin 5694 0.0 0.0 2648 576 pts/2 S+ 14:46 0:00 grep --color=auto vpnd
admin 13374 0.1 0.9 332124 77820 ? SLl 2024 170:20 vpnd 0

[Expert@XXXXX:0:ACTIVE]# kill -KILL $(pidof vpnd)
[Expert@XXXXX:0:ACTIVE]# ps aux | grep vpnd
admin 5730 73.0 0.4 229620 32912 ? R 14:47 0:00 vpnd 0
admin 5740 0.0 0.0 2648 568 pts/2 S+ 14:47 0:00 grep --color=auto vpnd

This operation will restart VPND and will change the certificate to the new one immediately!

The question is still: why didn't the S2S VPN stop on the affected GW when the certificate expired?
I expected to see the VPN stop immediately, but it runs and runs ...
Does VPND use the new certificate just for "himself" but not release the change to the other daemons?

An RnD task to bring a better solution is expected!

0 Kudos
Lesley
Mentor

This is because the VPN cert is only used for internal gateways managed by the same mgmt (CP to CP in the same mgmt).

I assume you are talking about VPNs with remote parties? They use PSK.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Thomas_Eichelbu
Advisor

Hello,

With "third party" I mean third-party certificates, not third-party VPN tunnels.
And up to this date there is no good automatic solution to gather an overview of all important third-party certificates.
But that's the topic for a different story 🙂

0 Kudos
Lesley
Mentor

Hi,

Yes, I understand. I was referring to the cert under IPSec in the gateway object, and why VPN tunnels still work if it is expired.

I think IDC uses the portal cert, but I am not 100% sure about this; I have to check that in the lab.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Duane_Toler
Advisor

Yep, IDC uses the platform portal certificate. This is the daemon that's not reloading its certificate. The IPsec VPN is reloading the certificate correctly, which is why site-to-site VPNs work as expected. The issue is for HTTPS-based endpoints, of which IDC is one.

0 Kudos
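The thread's practical question is which HTTPS listeners (Mobile Access portal, UserCheck, the platform portal the Identity Collector talks to) still hand out the old certificate after a renewal or a vpnd restart. The helper below is an added example, not from the thread and not a Check Point tool: it pulls the leaf certificate a TLS listener actually presents, compares its SHA-256 fingerprint with the renewed certificate you exported from SmartConsole, and flags a mismatch or an expired certificate. It assumes openssl is on the PATH; the hostnames, ports and file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the thread or of Check Point's tooling).
# Purpose: after a certificate renewal, confirm which HTTPS listeners present the new cert.
# Assumes: openssl in PATH. Hostnames, ports and file names below are placeholders.

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeed (0) if the certificate in $1 expires within $2 seconds; 0 seconds = already expired.
cert_expires_within() {
    # "openssl x509 -checkend N" exits 0 while the cert stays valid for N more seconds, 1 otherwise.
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Succeed if two PEM files carry the same leaf certificate.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Fetch the leaf certificate a TLS listener presents and save it as PEM in $3.
# Fails (non-zero) when nothing was retrieved, e.g. the listener is down or not TLS.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3" 2>/dev/null
}

# check_listener HOST PORT EXPECTED_PEM
# Returns 0 only if the listener serves the expected certificate and it is not expired.
check_listener() {
    host=$1; port=$2; expected=$3
    tmp=$(mktemp)
    if ! fetch_served_cert "$host" "$port" "$tmp"; then
        echo "$host:$port  no certificate retrieved (listener down or not TLS)"
        rm -f "$tmp"
        return 2
    fi
    status=0
    if same_cert "$tmp" "$expected"; then
        echo "$host:$port  serves the expected certificate"
    else
        echo "$host:$port  STILL SERVES A DIFFERENT CERTIFICATE: $(cert_fingerprint "$tmp")"
        status=1
    fi
    if cert_expires_within "$tmp" 0; then
        echo "$host:$port  served certificate is EXPIRED"
        status=1
    fi
    rm -f "$tmp"
    return $status
}

# Usage (placeholders): run from a host that can reach the gateway's portals,
# with the renewed portal certificate exported to renewed_portal.pem.
#   check_listener gw.example.com 443 renewed_portal.pem
```

A non-zero result after the renewal, with the old fingerprint in the output, is the condition the thread describes: the repository shows the new certificate while the daemon behind that port is still holding the old one. Re-run the check after the vpnd restart or reboot to confirm every listener has picked up the new certificate.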