cosmos
Advisor

Windows 10 21H1 won't connect to R80.40 SMS

I've just built a fresh R80.40 management server with HFA take 94, to replicate a customer issue.

To run the fat client I'm running Windows 10 21H1. I have the latest SmartConsole build installed, and get the following error on connection to the manager:

An error occurred while making the HTTP request to https://<server>:19009/cpmws/LoginSvcRemote?wsdl . This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.

Following sk169253 scenario 1 I can confirm the client machine indeed supports the ciphers:

PS C:\Users\admin> get-TlsCipherSuite | findstr "ECDHE_RSA_WITH_AES_128_GCM_SHA256"
Name         : TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Following scenario 2, I found multiple certs on the manager and followed the instructions to revoke/recreate. Issue still occurs.

Scenario 3 doesn't apply - the client sends a TLS 1.2 hello and gets a TCP RST from the SMS.

I've rebuilt the SMS several times now, thinking of rolling HFA take 118 but I don't see this specific issue as fixed.

Has anyone else seen this?

6 Replies
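The original post narrows the problem down by checking two things separately: whether the client supports the cipher suite from sk169253, and whether a TLS 1.2 ClientHello to tcp/19009 gets a TCP reset rather than a handshake failure. The script below is an added example (not part of the thread and not Check Point's own tooling) that performs both checks from the Windows 10 client and reports at which layer the connection dies, so a TCP-level reset from an inline device can be told apart from a TLS negotiation problem on the SMS. The server name and cipher suite name are placeholders to be replaced with your own values.

```powershell
# Added diagnostic example; sms.example.invalid is a placeholder for your management server.
param(
    [string]$Server = "sms.example.invalid",
    [int]$Port = 19009,
    [string]$CipherName = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"  # suite named in sk169253
)

function Test-LocalCipherSuite {
    param([string]$Name)
    # Get-TlsCipherSuite lists the suites Schannel will offer in the ClientHello.
    $match = Get-TlsCipherSuite | Where-Object { $_.Name -eq $Name }
    return [bool]$match
}

function Test-SmsTls {
    param([string]$Server, [int]$Port)
    $result = [ordered]@{
        Server = $Server; Port = $Port
        TcpConnected = $false; TlsOk = $false
        Protocol = $null; Cipher = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($Server, $Port)
        $result.TcpConnected = $true
    } catch {
        # Refused/reset before any TLS bytes: look at the network path or the listener, not at ciphers.
        $result.Error = "TCP: " + $_.Exception.GetBaseException().Message
        $client.Dispose()
        return [pscustomobject]$result
    }
    try {
        # Accept any server certificate: we only want to know whether the handshake completes.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Server, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $result.TlsOk = $true
        $result.Protocol = $ssl.SslProtocol
        $result.Cipher = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
    } catch {
        # TCP connected but the handshake failed: a reset right after the ClientHello is typical
        # of an inline device enforcing application policy on the port, as in the thread.
        $result.Error = "TLS: " + $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
    return [pscustomobject]$result
}

"Client offers $CipherName : $(Test-LocalCipherSuite -Name $CipherName)"
Test-SmsTls -Server $Server -Port $Port | Format-List
```

If TcpConnected is false the failure is at the transport layer; if it is true and TlsOk is false with a connection-reset error, something between the client and the SMS is terminating the session during the handshake, which is worth checking on intermediary firewalls before revoking certificates or changing cipher settings on the manager.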
PhoneBoy
Admin

If you haven’t opened a TAC case it might be a good idea to do so.
Wonder if debugging cpm might explain what’s going on: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

genisis__
Leader

It's probably worth going to JHFA118; TAC will very likely ask if you're running the latest GA release. Additionally, are you running the latest SmartConsole build?

Run SCConfigManager.exe > enable option 3 > replicate issue > disable option 3, take the logs and send to TAC as well.  This may also help them.

By any chance, have you locked down the ciphers/TLS versions to use on the SMS?

cosmos
Advisor

I couldn't replicate the issue in a clean lab with 21H1 and R80.40 directly connected. After some digging we found another vendor's firewall in the service chain blocking the connection even though the rule was any/any, apparently due to an application enforcement (https not allowed on tcp/19009).

How embarrassing!

Thanks for your help guys.

genisis__
Leader

Main thing is that the issue is resolved!

yogeshtaneja
Explorer

How did this get resolved? I am also facing the same.

Chris_Atkinson
Employee

As above, traffic was allowed on an intermediary firewall.

CCSM R77/R80/ELITE