Hello Sir,

yes it is the same server as before, i've just installed a later smart console release. I'll put another client into my upgrade environment and try

Hello,

i've just cloned another windows client and with the portable smartconsole it's exactly the same

Just verified the clocks on the clients match the mgmt server. Anyone have any ideas before i go to the TAC ?

Many thanks

This is an older SK but perhaps one of the ciphers was changed or disabled:

"Could not establish secure channel for SSL/TLS with authority << MGMT-IP >>:19009" error message when users try to connect to MDS or Security Management with SmartConsole

https://support.checkpoint.com/results/sk/sk121353 

Hello Sir,

I checked and all the policies are set to 'not configured' and even setting the system tls settings to allow TLS1.1/1.0 and no difference. Looking with Wireshark, TLS is working as I get prompted to accept the new server key, and then it fails, so i see a TLS encrypted session all the way.  So I assume it is in the cert itself.

Ian

Do you have a screenshot of the ssl cert error when trying to log in?

Andy

Hello Andy,

All the client returns is 'Authentication failed', the screenshot above is the only error I've found, which is from the log of the smartconsole client.

Hello Chris,

nothing has been applied since the upgrade. I can see there is a slightly newer smart console released on 30th of July, so I will also use that. And Take 24 for R81.20 has come out since i downloaded the release, though it doesn't necessarily cover this issue, I will also deploy that and report back.

Thanks

Ian

Hello All,

neither the HFA or the later client have resolved the issue, so I will move to the TAC.

Thanks for the help

Ian

Oddly, I got one of my colleagues to try and his account works. Mine does not. I set up a new account with the same name as mine suffixed with a 2. Does not work, got my colleague to set the password on the new account to something similar to his, still does not authenticate. The account I created via CPConfig at the cli does work though.  Most peculiar.

Maybe it's something to do with the format of the login name ?

just fyi, Never got to the bottom of this, mine was the only account affected. So I just created a new account. Odd, but unexplained.

That is indeed super odd. Just curious, does that old account still exist? If so, is problem still present?

Andy

Hi Andy,

Indeed it did, but even resetting the password would not work. So i just deleted it in the end and created a new one with a slightly different name, as I wasn't sure where the problem lay.

Ian

I hear ya brother, if we all had dedicated person to troubleshoot those things, then maybe it would be better...lol. At the end, just easier and more practical to solve it with a simple step.

Andy

This worked, thanks!

After I updated the password of an existing local account - that one started working too.

However any of the RADIUS ones are still failing even after re-creating a user. Anything else I could try for those?

What do you mean for RADIUS user? Do they get any prompt/error?

Andy

By RADIUS users I mean the ones using external server for authenticating, they are configured in SC alongside the local ones. The error is the same "Authentication to server failed". The auth servers' configuration was not changed after upgrade

For that Im not 100% sure just off the top as they say...you would need to maybe do some further debugs to figure out why or get TAC to help via remote session. Obviously, make sure radius server is communicating properly first. 

Andy

Please note R81.20 isn't listed as supported for Smart-1 225 which also reaches it's End of Support this month.

Refer: https://www.checkpoint.com/support-services/support-life-cycle-policy/#smart-1

Correct, we noticed it in the support matrix after we bumped from 81.10 to 81.20 which was suggested as "recommended". We are currently giving it a try in Staging area with potential rollback to 81.10