Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Markus_Heckl
Explorer

Renewal of ICA on management server (internal_ca)

Dear all,

we have a critical case with the renewal of the ICA on a R81 (JHF Take 44) management server. It expires on this Sunday morning (5th December).

We have contacted Check Point as suggested in sk158096 and they provided a script (ICA_renewal_V6.sh) to renew the ICA. The renewal itself was successful but the management server now reports the following error:

"Security Management Server CA is not running"

When using cpca_client command the following is shown:

# cpca_client lscert
Operation failed. rc=-1.

The cpca daemon is running but it seems that the server cannot access its own internal CA.

Anyone ever has renewed a ICA or has a similar issue with that procedure?

Maybe it will be possible to completely delete and recreate the ICA. But I am not able to find a guideline for it.

This is a critical case because the environment will stop working (S2S VPN, RAS) when the expire date is reached.

In the meanwhile we also upgraded to R81.10 (JHF Take 9) but still the same issue. At the moment there is also a critical task at R&D.

Many thanks for any hint.

Markus Heckl

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

ICA corruption is one of those things you definitely need TAC assistance with.
I believe the command to reset the ICA entirely (note breaks all SIC trusts) is: fwm sic_reset

0 Kudos
the_rock
Champion
Champion

0 Kudos