This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Denis
Explorer
‎2023-10-03 08:49 AM
Jump to solution

R77.30 InternalCA expired on CMA

Hello, guys.
We are facing the following problem. Smartdashboard is showing an old InetrnalCA certificate and we are unable to update the defaultCert for IPSec. The InternalCA certificate originally expired and was not automatically reissued. We did the procedure ( sk158096) reissue this certificate, but our Smartdashboard in field 'servers and OPSEC->TrustedCA's->internal_ca' is showing an old InetrnalCA certificate. I found a description that says this is a cosmetic issue and can be resolved by replacing the certificate from the CLI. Using the vpn mcc add2main command, we get the window shown in the screenshot. But when we want to see the primary certificate with the vpn mcc show internal_ca 0 command, it still shows the old expired certificate.

The output you can also see on the screenshot is disconcerting
hash_do_resize: Resizing hash from 16384 to 32768 (n_elements=32768)

And just in case, I'll point out here again.
This is MDS and the problem is only with one context.
This is version 77.30.

 

Best Regards, Denis

 

Best Regards, Denis
Preview file
248 KB
Preview file
204 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-10-04 08:28 AM
In response to Denis
Jump to solution

There's an internal SK (can be requested from TAC): sk12266.
It involves deleting a bunch of files and making changes to objects_5_0.C (removing all the certificates and references to them).

View solution in original post

0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2023-10-03 03:18 PM
Jump to solution

As I'm sure you're aware, R77.30 is long since out of support.
I suspect a "brutal SIC reset" process might be necessary here.
I'd post the process here if it weren't marked as an internal SK, but TAC can probably provide it: https://help.checkpoint.com.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2023-10-03 10:36 PM
In response to PhoneBoy
Jump to solution

Would it be even possible to upgrade R77.30 to R80.40 (middle step) if there is issue with InternalCA ? Is PUV checking also state of ICA and will report error/warning in such a case?

Kind regards,
Jozko Mrkvicka
0 Kudos
Denis
Explorer
‎2023-10-04 12:27 AM
In response to JozkoMrkvicka
Jump to solution

Hi Jozko!

We're certainly considering it, but it's still very difficult. We migrated all domains to the environment with the new version, there is only one left, and it is on old hardware. So this is not a desirable option. I can't answer the second question, I don't know what PUV means?

Best Regards, Denis

Best Regards, Denis
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2023-10-04 07:01 AM
In response to Denis
Jump to solution

PUV means "Pre-Upgrade Verifier" and it should be run in case you want to upgrade management to higher GAIA version. It will check the database and generate report if the upgrade to desired version will be smooth, or there are any warning/error which should be taken into account before upgrade.

Kind regards,
Jozko Mrkvicka
0 Kudos
Denis
Explorer
‎2023-10-04 01:12 PM
In response to JozkoMrkvicka
Jump to solution

Hi Jozko!

Thanks for the clarification, well then I've already answered, it's not possible to update.

Best Regards, Denis

Best Regards, Denis
0 Kudos
Denis
Explorer
‎2023-10-04 12:24 AM
In response to PhoneBoy
Jump to solution

Thank you PhoneBoy for providing the information. Could you please post the number of this article? I will try to request it from TAC.

Best Regards, Denis

Best Regards, Denis
0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-04 08:28 AM
In response to Denis
Jump to solution

There's an internal SK (can be requested from TAC): sk12266.
It involves deleting a bunch of files and making changes to objects_5_0.C (removing all the certificates and references to them).

0 Kudos
Denis
Explorer
‎2023-10-04 01:13 PM
In response to PhoneBoy
Jump to solution

Hello PhoneBoy!

Oh, thank you so much!

Best Regards, Denis

Best Regards, Denis
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-10-08 03:00 PM
In response to Denis
Jump to solution

Im not at home as I write this response, but I can send you the process, as I have it.

Andy

0 Kudos
Denis
Explorer
‎2023-10-09 12:04 AM
In response to the_rock
Jump to solution

Thank you Andy!

This process was provided to me by TAC.

Best Regards, Denis
0 Kudos
Denis
Explorer
‎2023-10-09 12:02 AM
In response to Denis
Jump to solution

Hi all!

My problem was solved, thanks to the sk PhoneBoy pointed out. I would like to thank you again! Thank you all for your participation and help!

Best regards, Denis

Best Regards, Denis
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events