Not able to renew the defaultcert on firewall
Hello,
We are not able to renew/view the defaultcert on the firewall.
When we go to view the default cert we get the attached error:
Gateway object >> IPsec VPN >> click on the defaultcert >> view
error message: Failed to read the certificate from database
When we go to renew the default cert we get the attached error:
Gateway object >> IPsec VPN >> click on the defaultcert >> renew >> generated keys and get internal certificate >> OK
error message: generated keys not found in the database.
We came to know about this issue when a tunnel was not forming between two Check Point gateways connected to the same management server. In the logs, we were able to see that due to a certificate error the phase 1 key was not installed.
Please note that SIC is established with the mgmt server and NTP is working properly.
Can someone assist me on this!!!
Accepted Solutions
This is entirely in the domain of the ICA.
It's possible TAC may have a more surgical answer than "reset the ICA."
The only thing that occurs to me to try (which may not work and involve downtime) is:
- Change the gateway name and object main IP to something else.
- Create a new gateway object for the gateway in question, migrating all the relevant settings.
- Use "where used" to find occurrences of old gateway object and replace with new.
- Reset SIC on the impacted gateway: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
- Push policy
Assuming that works, you can then delete the old object (hopefully).
But, like I said, I recommend engaging with the TAC.
Check sk108966, sounds like a corruption in the ICA.
That sounds like ICA corruption and I’d get the TAC to assist here.
Could you please assist us on how to proceed with this issue.
Since there are 18 firewalls connected to the same management server but we are facing the issue on only a single firewall, we suspect this issue is more related to the firewall end or is a certificate-related issue.
Definitely looks like ICA corruption... I can't say for sure if the sk Genesis provided is any better than doing fwm sic_reset, but it looks to me like it's what you sadly have to follow. I can't see any better options here mate, sorry...
