This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
socteam_gsi
Participant
‎2021-04-10 05:34 AM
Jump to solution

Not able to renew the defaultcert on firewall

Hello ,

 

We are not able to renew/ view the defaultcert on the firewall .

 

When we are going to view the default cert we are getting attached error :

Gateway object >> IPsec VPN >> click on the defaultcert >> view

error message : Failed to read the certificate from database 

 

When we are going to renew the default cert we are getting attached error :

Gateway object >> IPsec VPN >> click on the defaultcert >> renew >> generated keys and get internal certificate >> OK

error message : generated keys not found in the database .

 

We come to know this issue when tunnel was not forming between two checkpoint gateways connected on the same management server . In the logs , We were able to see that due to certificate error  phase1 key not installed .

Please note that SIC is established with mgmt server and ntp working porperly .

 

Can someone assist me on this !!!

 

ipsec phase1 error message.JPGdefaultcert view error message.JPGdefaultcert renewal error message.JPG

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-04-11 08:46 PM
In response to socteam_gsi
Jump to solution

This is entirely in the domain of the ICA.
It's possible TAC may have a more surgical answer than "reset the ICA."
The only thing that occurs to me to try (which may not work and involve downtime) is:

Assuming that works, you can then delete the old object (hopefully). 

But, like I said, I recommend engaging with the TAC.

View solution in original post

5 Replies
genisis__
Leader Leader
Leader
‎2021-04-10 06:06 AM
Jump to solution

Check sk108966, sounds like a corruption in the ICA.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-10 09:48 AM
Jump to solution

That sounds like ICA corruption and I’d get the TAC to assist here.

0 Kudos
socteam_gsi
Participant
‎2021-04-11 06:26 AM
In response to PhoneBoy
Jump to solution

could you please assist us on how to proceed this issue .

Since , there are 18 firewalls which are connected to same management server but we are facing only issue to single firewall hence we are suspecting this issue is more related to firewall end or certificate related issue .

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-11 08:46 PM
In response to socteam_gsi
Jump to solution

This is entirely in the domain of the ICA.
It's possible TAC may have a more surgical answer than "reset the ICA."
The only thing that occurs to me to try (which may not work and involve downtime) is:

Assuming that works, you can then delete the old object (hopefully). 

But, like I said, I recommend engaging with the TAC.

the_rock
Legend
Legend
‎2021-04-10 09:00 PM
Jump to solution

Definitely looks like ICA corruption...I cant say for sure if sk genesis provided is any better than doing fwm sic_reset, but looks to me its what you sadly have to follow. I cant see any better options here mate, sorry...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events