socteam_gsi
Participant

Not able to renew the defaultcert on firewall

Jump to solution

Hello,

We are not able to renew/view the defaultcert on the firewall.

When we go to view the default cert we get the attached error:

Gateway object >> IPsec VPN >> click on the defaultcert >> view

error message: Failed to read the certificate from database

When we go to renew the default cert we get the attached error:

Gateway object >> IPsec VPN >> click on the defaultcert >> renew >> generated keys and get internal certificate >> OK

error message: generated keys not found in the database.

We came to know of this issue when a tunnel was not forming between two Check Point gateways connected to the same management server. In the logs, we were able to see that, due to a certificate error, the phase1 key was not installed.

Please note that SIC is established with the mgmt server and NTP is working properly.

Can someone assist me on this!!!

Attachments: ipsec phase1 error message.JPG, defaultcert view error message.JPG, defaultcert renewal error message.JPG


5 Replies
genisis__
Advisor

Check sk108966, sounds like a corruption in the ICA.

PhoneBoy
Admin

That sounds like ICA corruption and I’d get the TAC to assist here.

socteam_gsi
Participant

Could you please assist us on how to proceed with this issue.

Since there are 18 firewalls connected to the same management server but we are facing the issue on only a single firewall, we suspect this issue is more related to the firewall end or is a certificate-related issue.
PhoneBoy
Admin
Accepted Solution

This is entirely in the domain of the ICA.
It's possible TAC may have a more surgical answer than "reset the ICA."
The only thing that occurs to me to try (which may not work and involve downtime) is:

Assuming that works, you can then delete the old object (hopefully).

But, like I said, I recommend engaging with the TAC.

the_rock
Advisor

Definitely looks like ICA corruption... I can't say for sure if the sk genisis provided is any better than doing fwm sic_reset, but it looks to me like it's what you sadly have to follow. I can't see any better options here mate, sorry...