tng_aik_hong
Participant

unable to sign in checkpoint smart dash board

Hi all,

I have created a VM checkpoint in the VMware for testing, but I could not sign in to checkpoint smart dash board.

I have registered the licenses in the checkpoint already.

I have done the following troubleshooting steps:

  • change the date and time in checkpoint GUI and laptop
  • stop and start the firewall service in CLI

I wanted to test this specific version of checkpoint in the VM test environment.

Below are my specifications,

I don't want to upgrade the version, please help.

16 Replies
Maarten_Sjouw
Champion

Have you run sysconfig/mdsconfig to add an admin and a gui-client? If so then read on.

I ran into similar issues with the R75.40 (non VS). Best thing to do is to re-image the VM and BEFORE you run the FTW (GAIA) or while running sysconfig set the date back to 01-01-2016.

After that finish your installation and you will find that when you update all mdsconfig settings that need to be set you will be fine.

Regards, Maarten
0 Kudos
Vincent_Bacher
Advisor

I had a similar issue a few months ago with R77.30 and found sk122612.

Cause

The issue is relevant to the below scenarios:

  1. Upon clean install of Security Management / Standalone / Multi-Domain Server R77.30 or below after January 24th 2018.
  2. Upon adding CMA on Multi-Domain Server below 77.30 Jumbo Hotfix take 143 (including previous versions).

You can check if this is your issue by (re-)creating internal ca. If this fails (Could not create Certificate Authority. General problem in Certificate Authority. Failed to initiate Certificate Authority NOTE: The creation of the certificate failed) this sk may match your Scenario.

In R77.30 the solution was to install recent jumbo. In your R75.40: For R77.20 and below contact Check Point Support to get a solution for this issue. 

But a workaround could be to set the System date prior to January 24th.

Another issue I had in the past when using a VM was when not enough RAM was assigned.

Cheers
Vincent

P.S.: Maarten was quicker than me :)
And: Why does the first screenshot display "security gateway"? Is this a standalone Gateway including Management? If yes, did you try "fw unloadlocal"?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
ED
Advisor

Hi,

Please run through these troubleshooting steps first. It's a well known error.

"Connection cannot be initiated. Make sure server is up and running" error in SmartDashboard

0 Kudos
PhoneBoy
Admin

Just so you know, this version of code is no longer supported.

You will most likely have to do the initial installation with the system backdated to prior to 24th January 2018, as Vincent Bacher suggests.

Once the ICA is initialized, you can set the date forward appropriately.

0 Kudos
tng_aik_hong
Participant

hi,

I have changed the date backward to 2017 for checkpoint and my laptop, and the CA was registered successfully and the fingerprint in the CLI says it is communicating. My problem is both of these were registered while I had changed the date backward. But when I play around with cpstop and cpstart:

cpstop gives me the error unable to initiate

and cpstart gives me the error your trial period is expired

0 Kudos
Vincent_Bacher
Advisor

Hello,

Well, in this case you have to either stay on the old date or first attach a license, I assume.

Vincent

0 Kudos
PhoneBoy
Admin

That's because the 15-day plug-n-play eval license is based on the date the initial CA was created.

When you set the date forward, you are past those 15 days :)

You can request a 30-day evaluation in UserCenter free of charge from the menu Try Our Products > Try Our Products > Product Evaluation.

0 Kudos
G_W_Albrecht
Legend

I do see no use in testing this outdated & unsupported version at all, I must admit :(

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Vincent_Bacher
Advisor

Sure. Maybe there are other reasons than testing

0 Kudos
Hue_hue
Explorer

I do this to test a specific upgrade scenario...because you kind of have to if you want an error free day

0 Kudos
tng_aik_hong
Participant

Hi all,

I have done the license again and this time it is able to capture in the GUI, but I'm still unable to sign in to the smart dash board. I got the error "authentication to server 10.85.186.153 failed"

0 Kudos
Vincent_Bacher
Advisor

Hello,

don't have a solution in mind but you may debug fwm as per sk86186

See instructions below.

Then have a look at fwm.elg 😉

Cheers

Procedure:

  1. On SecurePlatform OS R75.10 and lower: Disable log rotation per Solution sk52120:

    [Expert@Hostname]# /bin/log_start list | grep fwm
    [Expert@Hostname]# /bin/log_start unlimit 35
    [Expert@Hostname]# /bin/log_start list | grep fwm

  2. Add a mark to the log file:

    [Expert@Hostname]# echo "=debug_start=" >> $FWDIR/log/fwm.elg

  3. Start the FWM debug:

    [Expert@Hostname]# fw debug fwm on TDERROR_DBG_OPT=time,host,prog,topic,pid,tid
    [Expert@Hostname]# fw debug fwm on TDERROR_ALL_ALL=5
    [Expert@Hostname]# fw debug fwm on OPSEC_DEBUG_LEVEL=3

    Notes:

    • For MGMT HA debugging, on both Management machines also run:
      [Expert@HostName]# fw debug fwm on TDERROR_ALL_MGMTHA=5

    • In case of policy installation, the TDERROR_ALL_ALL=5 can be replaced with two more focused debugs -
      TDERROR_ALL_INSTMGR=5 and TDERROR_ALL_INSTMGRFN=5:
      instead of
      [Expert@Hostname]# fw debug fwm on TDERROR_ALL_ALL=5
      run
      [Expert@Hostname]# fw debug fwm on TDERROR_ALL_INSTMGR=5
      [Expert@Hostname]# fw debug fwm on TDERROR_ALL_INSTMGRFN=5

  4. Replicate the problem.

  5. Stop the FWM debug:

    [Expert@Hostname]# fw debug fwm off TDERROR_ALL_ALL=0
    [Expert@Hostname]# fw debug fwm off OPSEC_DEBUG_LEVEL=0

    Note:

    • If MGMT HA debugging was started, then on both Management machines also run:
      [Expert@HostName]# fw debug fwm off TDERROR_ALL_MGMTHA=0

  6. Add a mark to the log file:

    [Expert@Hostname]# echo "=debug_stop=" >> $FWDIR/log/fwm.elg

  7. On SecurePlatform OS R75.10 and lower: Re-enable log rotation per Solution sk52120:

    [Expert@Hostname]# /bin/log_start list | grep fwm
    [Expert@Hostname]# /bin/log_start limit   35   1048576   4
    [Expert@Hostname]# /bin/log_start list | grep fwm

  8. Send the following files to Check Point Support for analysis:

    1. CPinfo file from the Security Management Server collected with the latest version of CPinfo utility from sk92739

      Note: On Provider-1 Server / Multi-Domain Server, collect the CPinfo file from both
      • the context of MDS
      • the context of relevant CMA / Domain

    2. Log files:

      • $FWDIR/log/fwm.elg*
      • $CPDIR/log/cpwd.elg*
      • /var/log/message*

0 Kudos
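
After running the procedure above, the part of fwm.elg worth reading first is what was written between the marks from steps 2 and 6. The following is an added example, not from the SK or from any poster in this thread, that extracts that window; the function names are hypothetical and the sample log lines are constructed, not real fwm output.

```shell
#!/bin/bash
# Added example. Function names are hypothetical; the sample log is constructed.

# extract_debug_window FILE
# Prints the lines between the LAST "=debug_start=" mark (step 2) and the
# "=debug_stop=" mark that follows it (step 6).
# Exit status: 0 = complete window, 1 = no start mark found,
#              2 = start mark without a stop mark (debug still running?).
extract_debug_window() {
    awk '
        $0 == "=debug_start=" { n = 0; inwin = 1; started = 1; stopped = 0; next }
        $0 == "=debug_stop="  {
            if (inwin) { inwin = 0; stopped = 1 }
            next
        }
        inwin { buf[++n] = $0 }
        END {
            if (!started) exit 1
            for (i = 1; i <= n; i++) print buf[i]
            if (!stopped) exit 2
        }
    ' "$1"
}

# count_in_window FILE PATTERN -> number of window lines matching PATTERN
count_in_window() {
    extract_debug_window "$1" | grep -ci -- "$2" || true
}

# Constructed sample (not real fwm output): an older debug run, then the latest.
write_sample() {
    cat > "$1" <<'EOF'
constructed: line before any debug
=debug_start=
constructed: line from an earlier debug run
=debug_stop=
constructed: normal logging between runs
=debug_start=
constructed: GUI client connection attempt
constructed: authentication failed for administrator
=debug_stop=
constructed: line after debug
EOF
}

sample=$(mktemp)
write_sample "$sample"
extract_debug_window "$sample"
echo "window lines mentioning 'fail': $(count_in_window "$sample" fail)"
rm -f "$sample"
```

On the management server the file argument would be `$FWDIR/log/fwm.elg`; an exit status of 2 means the stop mark from step 6 was never written.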
tng_aik_hong
Participant

Hi,

I have tried the above debug session, but it mentions the license version might not be compatible.

0 Kudos
PhoneBoy
Admin

The current eval licenses contain feature strings that are not valid in R75.40VS.

Those errors can be safely ignored.

Let's start with more basic things:

  • Is the fwm process even running? Something like a ps -auxw | grep fwm should validate this.
  • Have you specified the correct IP address (or any) in cpconfig as a GUI client?
  • Have you defined an administrator (with the correct password) via cpconfig?

Even if you think you've done all these, it's worth checking/defining again.

0 Kudos
tng_aik_hong
Participant

Hi,

  • Is the fwm process even running? Something like a ps -auxw | grep fwm should validate this.
  • I got the following error message
  • Have you specified the correct IP address (or any) in cpconfig as a GUI client?
  • Have you defined an administrator (with the correct password) via cpconfig?
0 Kudos
Vincent_Bacher
Advisor

You misunderstood a bit.

ps command without the fwm in front of it

And GUI clients in cpconfig. Or the addresses may be listed by

    cat $FWDIR/conf/gui-clients

as well.

0 Kudos