Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Denis
Explorer
Jump to solution

R77.30 InternalCA expired on CMA

Hello, guys.
We are facing the following problem. Smartdashboard is showing an old InetrnalCA certificate and we are unable to update the defaultCert for IPSec. The InternalCA certificate originally expired and was not automatically reissued. We did the procedure ( sk158096) reissue this certificate, but our Smartdashboard in field 'servers and OPSEC->TrustedCA's->internal_ca' is showing an old InetrnalCA certificate. I found a description that says this is a cosmetic issue and can be resolved by replacing the certificate from the CLI. Using the vpn mcc add2main command, we get the window shown in the screenshot. But when we want to see the primary certificate with the vpn mcc show internal_ca 0 command, it still shows the old expired certificate.

The output you can also see on the screenshot is disconcerting
hash_do_resize: Resizing hash from 16384 to 32768 (n_elements=32768)

And just in case, I'll point out here again.
This is MDS and the problem is only with one context.
This is version 77.30.

 

Best Regards, Denis

 

Best Regards, Denis
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

There's an internal SK (can be requested from TAC): sk12266.
It involves deleting a bunch of files and making changes to objects_5_0.C (removing all the certificates and references to them).

View solution in original post

0 Kudos
11 Replies
PhoneBoy
Admin
Admin

As I'm sure you're aware, R77.30 is long since out of support.
I suspect a "brutal SIC reset" process might be necessary here.
I'd post the process here if it weren't marked as an internal SK, but TAC can probably provide it: https://help.checkpoint.com.

0 Kudos
JozkoMrkvicka
Authority
Authority

Would it be even possible to upgrade R77.30 to R80.40 (middle step) if there is issue with InternalCA ? Is PUV checking also state of ICA and will report error/warning in such a case?

Kind regards,
Jozko Mrkvicka
0 Kudos
Denis
Explorer

Hi Jozko!

We're certainly considering it, but it's still very difficult. We migrated all domains to the environment with the new version, there is only one left, and it is on old hardware. So this is not a desirable option. I can't answer the second question, I don't know what PUV means?

Best Regards, Denis

Best Regards, Denis
0 Kudos
JozkoMrkvicka
Authority
Authority

PUV means "Pre-Upgrade Verifier" and it should be run in case you want to upgrade management to higher GAIA version. It will check the database and generate report if the upgrade to desired version will be smooth, or there are any warning/error which should be taken into account before upgrade.

Kind regards,
Jozko Mrkvicka
0 Kudos
Denis
Explorer

Hi Jozko!

Thanks for the clarification, well then I've already answered, it's not possible to update.

Best Regards, Denis

Best Regards, Denis
0 Kudos
Denis
Explorer

Thank you PhoneBoy for providing the information. Could you please post the number of this article? I will try to request it from TAC.

Best Regards, Denis

Best Regards, Denis
0 Kudos
PhoneBoy
Admin
Admin

There's an internal SK (can be requested from TAC): sk12266.
It involves deleting a bunch of files and making changes to objects_5_0.C (removing all the certificates and references to them).

0 Kudos
Denis
Explorer

Hello PhoneBoy!

Oh, thank you so much!

Best Regards, Denis

Best Regards, Denis
0 Kudos
the_rock
Legend
Legend

Im not at home as I write this response, but I can send you the process, as I have it.

Andy

0 Kudos
Denis
Explorer

Thank you Andy!

This process was provided to me by TAC.

Best Regards, Denis
0 Kudos
Denis
Explorer

Hi all!

My problem was solved, thanks to the sk PhoneBoy pointed out. I would like to thank you again! Thank you all for your participation and help!

Best regards, Denis

Best Regards, Denis
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events