This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex-
MVP Silver
MVP Silver
‎2023-08-22 02:23 AM
Jump to solution

Advice on new management IP for Spark 1500

1530, centrally managed, R81.10.05.

 

The Spark is behind a local router with a fixed public IP and is centrally managed by a SMS in another country behind a Quantum cluster. The Spark has a private IP as External interface and all NAT have been configured.

A VPN to that cluster has worked for a long time until the central site moved to a new public IP range.

The connection to the SMS has been reinitialised on the Spark to get the new management IP and even SIC has been reset, policy installation work and the timestamps match. However the Spark doesn't seem to send logs anymore and I still see ICA_Services to the old public IP.

A VPN that was done to the central site doesn't work anymore. The central site shows the VPN as up but the Spark has only Phase 1 with No Outbound SA for Phase 2. 

I've started a TAC SR but wondered if there was an any experience that could be shared here short of factory default the box. 🙂

 

Long story short, for the Quantum: Key install successful, methods Group 19, certificates, PFS and the like. Now on the Spark: IKE Error but the traffic arrives on the system.

0 Kudos
1 Solution

Accepted Solutions
4 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-08-22 02:46 AM
Jump to solution

https://support.checkpoint.com/results/sk/sk176564

https://support.checkpoint.com/results/sk/sk180935

https://support.checkpoint.com/results/sk/sk181315

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Alex-
MVP Silver
MVP Silver
‎2023-08-22 03:41 AM
In response to G_W_Albrecht
Jump to solution

Thanks Guenther, editing $FWDIR/conf/masters did the trick. This file doesn't get updated when the renegotiation to the new public NAT of the SMS shows as successful. Now logs and the VPN started working again.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-08-22 03:58 AM
In response to Alex-
Jump to solution

Glad to hear ! Did you test policy install, that could overwrite masters file with wrong information...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Alex-
MVP Silver
MVP Silver
‎2023-08-22 04:16 AM
In response to G_W_Albrecht
Jump to solution

Apart from the public IP change, this 1500 has a very static policy and they're now all in the office managing the shipping of goods all over the German sphere of influence and I won't be the one disrupting that. 😄

But thanks for the tip, I will arrange a maintenance window with the customer later on.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events