This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
Advisor
‎2024-02-28 10:20 AM
Jump to solution

Identity collector "Wrong shared secret"

Hi,

I have tried many times to add my gateway to IDC but still have same problem "Wrong shared secret"

I have tried difficult passwords and easy passwords with same result: "Wrong shared secret"

collector-wrong.JPG

I run a lab environment gateway 81.10:

show version all
Product version Check Point Gaia R81.10
OS build 335
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit

 

IDC was downloaded from this link:

https://support.checkpoint.com/results/sk/sk134312

Identity Collector - for Windows OS

collector1.JPG

collector2.JPG

collector3.JPG

install policy and then test in IDC and then same "Wrong shared secret"

 

any  ideas on what is wrong?

Labels
0 Kudos
2 Solutions

Accepted Solutions
Lesley
Authority Authority
Authority
‎2024-02-28 12:42 PM
In response to Moudar
Jump to solution

Follow this sk

https://support.checkpoint.com/results/sk/sk113021

Maybe something simple like closed port between IDC and gateway

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

Moudar
Advisor
‎2024-02-28 01:07 PM
In response to the_rock
Jump to solution

I have now found the problem from the text of sk113021

the machine where IDC is installed "SmartConsole on my case"  was not in there "Authorized Clients"

collector6.JPG

View solution in original post

22 Replies
the_rock
Legend
Legend
‎2024-02-28 11:55 AM
Jump to solution

Never seen that before...I dont think version of IC would matter here. Make sure that everything is checked under authentication settings.

Best,

Andy

0 Kudos
Moudar
Advisor
‎2024-02-28 12:02 PM
In response to the_rock
Jump to solution

collector4.JPG

0 Kudos
the_rock
Legend
Legend
‎2024-02-28 12:03 PM
In response to Moudar
Jump to solution

Let me check my lab that works.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-02-28 12:07 PM
In response to Moudar
Jump to solution

What version is this? Is the IP you have there correct?

Andy

0 Kudos
Moudar
Advisor
‎2024-02-28 12:08 PM
In response to the_rock
Jump to solution

200.100.0.1 is the virtual IP of the cluster.

version 81.10

0 Kudos
the_rock
Legend
Legend
‎2024-02-28 12:13 PM
In response to Moudar
Jump to solution

Are you able to ping the firewalls from IC machine?

Andy

0 Kudos
Moudar
Advisor
‎2024-02-28 12:16 PM
In response to the_rock
Jump to solution

10.0.0.2 is the active node

10.0.0.3 is standby

PS C:\Users\shanta> ping 10.0.0.2

Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=1ms TTL=64
Reply from 10.0.0.2: bytes=32 time=1ms TTL=64
Reply from 10.0.0.2: bytes=32 time=16ms TTL=64
Reply from 10.0.0.2: bytes=32 time=1ms TTL=64

Ping statistics for 10.0.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 16ms, Average = 4ms
PS C:\Users\shanta> ping 10.0.0.3

Pinging 10.0.0.3 with 32 bytes of data:
Reply from 10.0.0.3: bytes=32 time=2ms TTL=64
Reply from 10.0.0.3: bytes=32 time=1ms TTL=64
Reply from 10.0.0.3: bytes=32 time=1ms TTL=64
Reply from 10.0.0.3: bytes=32 time<1ms TTL=64

Ping statistics for 10.0.0.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 1ms
0 Kudos
the_rock
Legend
Legend
‎2024-02-28 12:19 PM
In response to Moudar
Jump to solution

Is VIP 10.0.0.4? Try that IP instead and see if it works. I mean, try that for gateway object in IC.

Andy

0 Kudos
Moudar
Advisor
‎2024-02-28 12:24 PM
In response to the_rock
Jump to solution

10.0.0.1 tested that, same problem!

collector5.JPG

0 Kudos
the_rock
Legend
Legend
‎2024-02-28 12:26 PM
In response to Moudar
Jump to solution

Try this...remove the query pool and see if you get same issue. If so, then I would uncheck IA blade, install policy, recheck and teest.

Andy

0 Kudos
Moudar
Advisor
‎2024-02-28 12:33 PM
In response to the_rock
Jump to solution

I did both and still "Wrong shared secret"

I am very confused, I am trying this on my lab only to see if i get same problem as my production, which is that all logs are "failed log in"

but my lab environment refuses!! "Wrong shared secret" 

0 Kudos
the_rock
Legend
Legend
‎2024-02-28 12:36 PM
In response to Moudar
Jump to solution

And you are 100% positive you are typing the same secret?

Best,

Andy

0 Kudos
Moudar
Advisor
‎2024-02-28 12:37 PM
In response to the_rock
Jump to solution

very easy password: vpn123

https://www.youtube.com/watch?v=-CLuxHTewqg

check that video on 2:55, you can see that he had the same problem but found a solution that is not shown on the video

0 Kudos
Lesley
Authority Authority
Authority
‎2024-02-28 12:42 PM
In response to Moudar
Jump to solution

Follow this sk

https://support.checkpoint.com/results/sk/sk113021

Maybe something simple like closed port between IDC and gateway

-------
If you like this post please give a thumbs up(kudo)! 🙂
Moudar
Advisor
‎2024-02-28 12:48 PM
In response to Lesley
Jump to solution

I got Windows firewall disabled for this test sake.

Would you explain: "

  1. "Wrong Shared Secret" occurs when connecting a Security Gateway to Identity Collector if the Authrized Clients object defined within the Gateway Properties on SmartConsole has the wrong IP.

"

What is the "Authrized Clients object"?

0 Kudos
the_rock
Legend
Legend
‎2024-02-28 12:44 PM
In response to Moudar
Jump to solution

So in that case, it was just new shared secret...not sure what else to say, sorry mate : - (. Lets see if Peter Elmer responds to your youtube video comment.

Best,

Andy

0 Kudos
Moudar
Advisor
‎2024-02-28 01:07 PM
In response to the_rock
Jump to solution

I have now found the problem from the text of sk113021

the machine where IDC is installed "SmartConsole on my case"  was not in there "Authorized Clients"

collector6.JPG

the_rock
Legend
Legend
‎2024-02-28 04:12 PM
In response to Moudar
Jump to solution

Ah, gotcha...good job. I just assumed machine you had there was the one where IC was installed.

Glad you got it now.

Best,

Andy

0 Kudos
Lesley
Authority Authority
Authority
‎2024-02-28 01:04 PM
In response to Moudar
Jump to solution

This one is: 

  1. "Wrong Shared Secret" occurs when connecting a Security Gateway to Identity Collector if the Authrized Clients object defined within the Gateway Properties on SmartConsole has the wrong IP. 

Do you see any traffic reaching on the fw? Should be HTTPS

-------
If you like this post please give a thumbs up(kudo)! 🙂
Moudar
Advisor
‎2024-02-28 11:38 PM
In response to Lesley
Jump to solution

The 'Wrong shared secret' error message is misleading in this case. It should be replaced with a message that clearly guides users on how to fix the issue.

(1)
the_rock
Legend
Legend
‎2024-02-29 05:14 AM
In response to Moudar
Jump to solution

I agree 100%, should be more user friendly, or intutitive, if you will.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events