constant69
Contributor

What could be the impacts if, in the Gateway platform field, we select the wrong hardware type?

Hello Team,

What could be the impacts if, in the Gateway platform field, we select the wrong hardware type?

I’m asking this because I suspect that this might have been the cause of a VPN issue we faced last week.

Here are the details of the issue:

- The customer has a fleet of 3600 appliances (in standalone mode) spread across 20 sites, all managed by a SmartCenter running R82.
- A VPN community has been set up with all the sites.
- 10 days ago, at one of the sites, for testing purposes, the customer replaced a 3600 with a 3900: they used the same hostname, reset the SIC, and kept the VPN certificate. However, the client forgot to change the "hardware type" (information I received afterwards). After this operation, everything worked fine.
- 10 days later, at the site with the 3900, there was an Internet access issue. Once Internet access was restored, none of the VPNs were working at that site: Phase 1 established, but Phase 2 did not.
- A ticket was opened with CheckPoint support, debug logs were analyzed, but no conclusive data helped detect the root cause of the incident: we even had inconsistencies in the logs (for example, errors regarding the VPN community and the shared secret, even though it wasn’t being used).
- After half a day of investigation, we swapped back the 3600 appliance, but the problem remained the same.
- Since we had no leads on how to resolve the issue, support recommended several actions, including renewing the VPN certificate on the Gateway, even if the certificate wasn’t expired. This action ultimately resolved the issue.

Renewing the VPN certificate on the SmartCenter showed that the certificate was the root cause of the problem, regardless of the appliance used (3600 or 3900).

Therefore, after the issue was resolved, I am now trying to find any elements that could have caused the corruption of the certificate on the SmartCenter.

When CheckPoint support analyzed the debug logs, there were no specific logs indicating a certificate or CRL issue.

Thanks for your help

Regards
Accepted Solutions

Chris_Atkinson
MVP Platinum CHKP

Mostly it is the "version" field that we might be wary of (might prevent policy install if mismatched), but I'm not sure this is relevant to your problem either, as you've indicated CRL/cert issues.

CCSM R77/R80/ELITE

the_rock
MVP Platinum

I agree with Chris 100%. I would be shocked if selecting the wrong hardware in that field would ever cause any issues, not at least that I had seen. Any relevant logs/captures you can send related to this issue?

Btw, what was that VPN certificate date showing, do you recall?

Best,
Andy

Lesley
MVP Gold

To find the root cause, check the errors in these SKs to see if they match what you experienced.

https://support.checkpoint.com/results/sk/sk108966

https://support.checkpoint.com/results/sk/sk115360

If these logs are not there anymore it is difficult to find the cause. 

Hardware type is not the issue I think. Back in the day, it could impact policy push if you do not select the correct device type. For example if you had a VPN-edge (ancient hardware now) and select something else you cannot push policy. If you select the correct device type the correct files are loaded on the mgmt system for the policy push. 

-------
Please press "Accept as Solution" if my post solved it 🙂

5 Replies
the_rock
MVP Platinum

Hey, btw, just curious: did you ever have a TAC case open for this, or is it just something you guys did, for the certificate renewal?

Best,
Andy
fredlubrano
Participant

Hello everyone,

Thank you for your feedback. Together with the client and Check Point support, we have stopped the investigations: we (Check Point Support and us) know that the VPN certificate was corrupted, but we were unable to identify the reasons why it became corrupted.
Lesley, thank you for the SKs (108966 & 115360).
The Rock, as I mentioned in the post description, we opened a ticket with Check Point support, and the solution to reset the VPN came from Check Point support.
Have a great day, everyone.
