PAVEL_PETROV1
Participant

Problem with cluster access 75.40 VS

Problem with cluster access 75.40 VS. Tell me what to do to fix? Never faced such

9 Replies
AlekseiShelepov
Advisor

I suspect that it cannot renew the certificate:

Can't connect to managerment server via smart dashboard

Try to check dates for the current ones with cpca_client lscert.

0 Kudos
Maarten_Sjouw
Champion

This is a known problem with the Epoch date: the certificate created during install is not valid, as it lies past the epoch date. On the command line, set the date to a date before Feb 1 2018 and you will be able to log on.

Regards, Maarten
0 Kudos
PAVEL_PETROV1
Participant

Thanks for the advice, colleagues. Yes, that's what I do to access the management server - I roll back the time on the computer. But that's not right. How to solve the problem?

0 Kudos
AlekseiShelepov
Advisor

The issue is not on your computer, but on the management server, with its certificate. Maarten suggested changing the date on the management server.

Also, I suspect that changing the date on the management server and leaving it like that might result in some other unpleasant issues later.

The parameter "Management Tool User Certificate Validity Period" in the ICA Tool represents the amount of time that a user certificate is valid when initiated using the Management Tool.

If the value of this parameter is set to "7300" days (20 years), the CA will not be able to add the "not valid after" field of the ToBeSigned certificate created from a template.

Starting in January 2018, the "not valid after" field will exceed the maximum Unix epoch time (January 19, 2038). Due to this, Check Point is setting the certificate expiration date to be equal to the maximum Unix epoch time.

You can try contacting Check Point Support. This software version is not supported, but maybe they can provide you with a hotfix or tell you which actions you can take to temporarily fix it.

0 Kudos
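The arithmetic behind the January 2018 cutoff described in the post above, as an added example that is not part of the original thread and is not Check Point code. The function names and issue dates are constructed for illustration, and the wrap-around branch assumes a plain signed 32-bit seconds field.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
INT32_MAX = 2**31 - 1                       # largest signed 32-bit Unix time
EPOCH_LIMIT = EPOCH + timedelta(seconds=INT32_MAX)   # 2038-01-19 03:14:07 UTC
VALIDITY_DAYS = 7300                        # value quoted in the post above


def last_safe_issue_time(validity_days=VALIDITY_DAYS):
    """Latest issue time whose expiry still fits in a signed 32-bit counter."""
    return EPOCH_LIMIT - timedelta(days=validity_days)


def as_int32(seconds):
    """Reinterpret a second count the way a signed 32-bit field would hold it."""
    return (seconds + 2**31) % 2**32 - 2**31


def not_after(issued, validity_days=VALIDITY_DAYS, clamp=False):
    """Return (expiry, overflowed) for a certificate issued at `issued`.

    clamp=False models a naive 32-bit store (assumption, for illustration);
    clamp=True models pinning the expiry to the maximum Unix epoch time.
    """
    target = int((issued - EPOCH).total_seconds()) + validity_days * 86400
    overflowed = target > INT32_MAX
    stored = INT32_MAX if (overflowed and clamp) else as_int32(target)
    return EPOCH + timedelta(seconds=stored), overflowed


if __name__ == "__main__":
    # Constructed issue dates on either side of the cutoff.
    print("cutoff:", last_safe_issue_time())
    for day in (datetime(2017, 12, 1, tzinfo=UTC), datetime(2018, 6, 1, tzinfo=UTC)):
        naive, over = not_after(day)
        pinned, _ = not_after(day, clamp=True)
        print(day.date(), "overflow:", over, "| naive:", naive, "| clamped:", pinned)
```
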
PAVEL_PETROV1
Participant

Yeah, already. They never offered me a solution. Therefore, I decided to ask my colleagues for advice.

0 Kudos
PAVEL_PETROV1
Participant

Good day everyone. Problem solved. Everything in order. Did the following:

1. Removed the backup from the current configuration and deployed the layout to the virtual machine.
2. Rolled back the time on the server and tried to make a new internal certificate.
3. The new certificate was successfully released, but when it was transferred to the cluster, the initial error appeared again.
4. Reinstalled the software completely and thought that a new internal certificate would be generated.
5. Again the original mistake.

Conclusion: this is a software glitch in 75.40, which the manufacturer does not want to eliminate. The manufacturer's support was disappointing; it did not offer a solution to the problem.

If you encounter this problem, do not even try to spend time on the rehabilitation of the software, but rather update. I am disappointed that I spent a lot of time and did not get information about this from technical support. Updated to 77.10.

0 Kudos
AlekseiShelepov
Advisor

Pavel, please try to understand the issue and reasons for it in a bit more depth.

1) This issue is not only with older Check Point software, but also with Unix (on which Check Point software is based) itself. New certificates that are generated on Check Point should be valid for 20 years, which exceeds 19 January 2038. The same would happen on all versions up to R77.30 without hotfixes; a new installation would not help.

Unix time - Wikipedia 

Connectivity between SmartDashboard and Security Management Server R77.30 and below fails on fresh i... 

2) You are using old software, which is not supported for a long time now (from July 2016). Maybe you have some separate agreement between your company and the vendor, which states that they will fully support it?

Support Life Cycle Policy 

3) Now you updated to R77.10, which is also not supported from August 2017. Do you have requirements with GOST or certifications to use these versions? Would be better to upgrade to R77.30 with Jumbo Hotfix.

PAVEL_PETROV1
Participant

Hello Aleksei.

Alexey, believe me, I have not slept for almost a week, because I could not manage politicians on my firewall.

I also do not understand why the certificate gave me an error, because it was valid until 2033, it was evident from the properties of the certificate. 

I switched to version 77.10, because I need a GOST license to organize VPN tunnels.

Thank you very much for your advice and support.

Do you think 77.30 would be better? Just for this version of the license for encryption GOST is not provided

AlekseiShelepov
Advisor

Well, R77.30 with Jumbo Hotfix version is very good and stable in my opinion. X.30 is basically a bunch of hotfixes installed on top of X.10, and Jumbo Hotfixes close many more issues and vulnerabilities. Of course, better to update to R80.20 already.

The main difficulty here is the GOST package, it adds much more headache usually. I don't know for which version it is supported nowadays, I didn't work with it for a long time. I believe that R77.30 doesn't have GOST, as you said. But R77.10 is not supported already, so I am not sure how Check Point handles this situation. Maybe the next GOST would be for R80.10, at least the certification was planned for it some time ago.

You can confirm it in this cozy Telegram chat - Telegram: @chkpchat  (Russian language).

0 Kudos
