Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
ibrown
Participant
Jump to solution

R81.20 smartconsole cannot login after upgrade

Hello All,

 

i've been doing a test upgrade of a mgmt server install, and r77.30 to R80.40 worked perfectly, could still authenticate, and push policies, I then moved to R81.20 take 631, and whilst I can login to the web gui of the mgmt server, I cannot login via the smart console, it just returns authentication failed after asking me to trust the new build. This is a windows client with the r81.20 console.

The log in <users>\appdata\checkpoint\r81.20\smartconsole shows an SSL certificate error, but the one on the web gui is still valid in terms of time.

 

Any thoughts ?

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend

Thats easy to fix...just create new account via cpconfig menu, just add new administrator, does not need reboot at all, not even cpstop; cpstart

Andy

View solution in original post

0 Kudos
23 Replies
Tal_Paz-Fridman
Employee
Employee

Is it from the same desktop machine you used before to login?

Can you try from a different machine with a Portable SmartConsole?

0 Kudos
ibrown
Participant

Hello Sir,

yes it is the same server as before, i've just installed a later smart console release. I'll put another client into my upgrade environment and try

 

0 Kudos
ibrown
Participant

Hello,

i've just cloned another windows client and with the portable smartconsole it's exactly the same

 

cp_smartconsole_invalid_cert.png

Just verified the clocks on the clients match the mgmt server. Anyone have any ideas before i go to the TAC ?

Many thanks

0 Kudos
Tal_Paz-Fridman
Employee
Employee

This is an older SK but perhaps one of the ciphers was changed or disabled:

"Could not establish secure channel for SSL/TLS with authority << MGMT-IP >>:19009" error message when users try to connect to MDS or Security Management with SmartConsole

https://support.checkpoint.com/results/sk/sk121353 

0 Kudos
(1)
ibrown
Participant

Hello Sir,

I checked and all the policies are set to 'not configured' and even setting the system tls settings to allow TLS1.1/1.0 and no difference. Looking with Wireshark, TLS is working as I get prompted to accept the new server key, and then it fails, so i see a TLS encrypted session all the way.  So I assume it is in the cert itself.

Ian

0 Kudos
the_rock
Legend
Legend

Do you have a screenshot of the ssl cert error when trying to log in?

Andy

0 Kudos
ibrown
Participant

Hello Andy,

All the client returns is 'Authentication failed', the screenshot above is the only error I've found, which is from the log of the smartconsole client.cp_smartconsole_auth_failure.png

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Have you made any progress on this issue since and what Jumbo (JHF) is applied to the Management?

CCSM R77/R80/ELITE
0 Kudos
ibrown
Participant

Hello Chris,

nothing has been applied since the upgrade. I can see there is a slightly newer smart console released on 30th of July, so I will also use that. And Take 24 for R81.20 has come out since i downloaded the release, though it doesn't necessarily cover this issue, I will also deploy that and report back.

Thanks

Ian

0 Kudos
ibrown
Participant

Hello All,

 

neither the HFA or the later client have resolved the issue, so I will move to the TAC.

Thanks for the help

Ian

0 Kudos
ibrown
Participant

Oddly, I got one of my colleagues to try and his account works. Mine does not. I set up a new account with the same name as mine suffixed with a 2. Does not work, got my colleague to set the password on the new account to something similar to his, still does not authenticate. The account I created via CPConfig at the cli does work though.  Most peculiar.

Maybe it's something to do with the format of the login name ?

 

0 Kudos
ibrown
Participant

just fyi, Never got to the bottom of this, mine was the only account affected. So I just created a new account. Odd, but unexplained.

0 Kudos
the_rock
Legend
Legend

That is indeed super odd. Just curious, does that old account still exist? If so, is problem still present?

Andy

0 Kudos
ibrown
Participant

Hi Andy,

Indeed it did, but even resetting the password would not work. So i just deleted it in the end and created a new one with a slightly different name, as I wasn't sure where the problem lay.

Ian

0 Kudos
the_rock
Legend
Legend

I hear ya brother, if we all had dedicated person to troubleshoot those things, then maybe it would be better...lol. At the end, just easier and more practical to solve it with a simple step.

Andy

0 Kudos
Ellyo
Explorer

Hi,

I'm having the exact same problem logging in to the Manager, "Authentication to server failed" in SmartConsole. Same version, 81.20, recently upgraded. Installed via Blink, JHF T26 (2023-08-09). Hardware is Smart1-225.

I am able to use the local account to log in via Web or SSH, but not through SC. Tested also with a newly created local account, still unsuccessful. Rebooting did not help.

Any ideas?

0 Kudos
the_rock
Legend
Legend

Thats easy to fix...just create new account via cpconfig menu, just add new administrator, does not need reboot at all, not even cpstop; cpstart

Andy

0 Kudos
Ellyo
Explorer

This worked, thanks!

After I updated the password of an existing local account - that one started working too.

However any of the RADIUS ones are still failing even after re-creating a user. Anything else I could try for those?

0 Kudos
the_rock
Legend
Legend

What do you mean for RADIUS user? Do they get any prompt/error?

Andy

0 Kudos
Ellyo
Explorer

By RADIUS users I mean the ones using external server for authenticating, they are configured in SC alongside the local ones. The error is the same "Authentication to server failed". The auth servers' configuration was not changed after upgrade

0 Kudos
the_rock
Legend
Legend

For that Im not 100% sure just off the top as they say...you would need to maybe do some further debugs to figure out why or get TAC to help via remote session. Obviously, make sure radius server is communicating properly first. 

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Please note R81.20 isn't listed as supported for Smart-1 225 which also reaches it's End of Support this month.

Refer: https://www.checkpoint.com/support-services/support-life-cycle-policy/#smart-1

CCSM R77/R80/ELITE
0 Kudos
Ellyo
Explorer

Correct, we noticed it in the support matrix after we bumped from 81.10 to 81.20 which was suggested as "recommended". We are currently giving it a try in Staging area with potential rollback to 81.10

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events