cosmos
Advisor

No VS trust after vsx_util reconfigure

Hi all

I've been plagued by an R80.40 MDS vsx_util reconfigure issue in a lab I'm using to replicate a VSX cluster upgrade from R77.30 to new hardware on R80.40 using MCV, hoping the community has some insight.

The issue is reconfiguring the R77.30 gateway, which happens to be running on ESXi as I don't have the hardware to replicate it. The reconfigure process from the R80.40 CMA succeeds; however, all virtual devices have no trust and are unable to be reset. The CMA has no SIC certificate for the new gateway virtual device and the result after resetting VS SIC (fw vsx sicreset + hit OK on virtual device in console) is "the certificate is invalid". I don't recall if it resulted in the SIC certificate being recreated on the CMA but this shouldn't be the case for each VS (about 30 in total).

I have some R80.40 physical appliances that the process works with, although I have never had success with virtual appliances reconfiguring from an R80.40 CMA, suggesting I may have an issue with the R77.30 VM. I read some notes regarding ESXi compatibility and have wound the version back to ESXi 5.5 (server is 7.0 U2) on a new gateway VM and am in the process of reconfiguring; it takes a very long time despite the resources we throw at the MDS!

What I don't understand is that I was able to reconfigure the R77.30 gateways from a restore of the R77.30 MDS and had 2 MDS, 4 VSX gateways (2 clusters) with about 70 VS between them, all running on a single GNS3 server. We have since upgraded the production MDS and one cluster to R80.40 and took another backup to restore the lab to the current state, which has led to the SIC issues on running vsx_util reconfigure against both R77.30 and R80.40 gateways. I moved the whole shooting match to an environment with a high capacity ESXi server and managed to source some 6k series appliances. The reconfigure process worked on the physical gateways, again pointing to an issue on the VMs, which appears to have arisen only after the MDS was upgraded to R80.40.

I understand that VSX on VM is not supported, but it should (and does in most cases) work. Any thoughts?

Cheers

Matt

0 Kudos
2 Replies
cosmos
Advisor

Process failed on the new R77.30 gateway in ESXi 5.5 compatibility mode.

I noticed the CMA has generated NO certificates for any virtual device on the reconfigured (renewable) device; I'm starting to think the issue is with the CMA or internal CA.

Going to renew the internal CA and give it another go...

0 Kudos
cosmos
Advisor

Turned out this was caused by sk178087 on another, completely unrelated gateway...

Specific services still attempting to NAT over route-based VPN tunnel (checkpoint.com)

0 Kudos
