Dirk_Casomo
Contributor

Cannot Connect with SmartConsole to R77.30 or Earlier Management

Why does my newly installed checkpointR77.iso in VMware have an error when connecting using R77 SmartConsole in Windows Server 2012? The server can ping and access the web UI of both the Gaia gateway FW and the Gaia management FW.

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Just to summarize (and mark the answer correct), this is a known issue described in the following SK:

Connectivity between SmartDashboard / SmartDomain Manager and Security Management / Multi-Domain Man... 

The TL;DR:

  • On a fresh install of any Check Point version prior to R77.30 with JHF 143, the Internal CA is set with an expiration date 20 years in the future.
  • If done after January 24th 2018, this will result in a date beyond the Unix epoch, which causes this issue.

Workarounds:

  • Use a version unaffected by this issue (R77.30 with JHF 143 and above or R80.10).
  • Get the relevant hotfix for an earlier release from the TAC
  • Prior to starting the installation, backdate the system to a date prior to January 24th 2018.
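
The date arithmetic behind the cutoff in the summary above, as an added example that is not part of the original post or Check Point's code: it checks whether a CA expiration computed from an install date still fits in a signed 32-bit Unix timestamp (maximum 2038-01-19 03:14:07 UTC) and shows what such a field would hold after wrapping. Assumptions: the 20-year validity is taken as 7300 days (20 × 365), which reproduces the January 24th 2018 cutoff, and all function names and sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1                       # largest signed 32-bit time_t
LIMIT = datetime.fromtimestamp(INT32_MAX, tz=timezone.utc)  # 2038-01-19 03:14:07 UTC
VALIDITY = timedelta(days=7300)             # assumption: "20 years" as 20 * 365 days
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def ca_not_after(install_time):
    """Expiration a CA created at install_time would receive (assumed validity)."""
    return install_time + VALIDITY


def fits_time_t32(moment):
    """True if moment is representable as a signed 32-bit Unix timestamp."""
    return int(moment.timestamp()) <= INT32_MAX


def wrapped_time_t32(moment):
    """Date a signed 32-bit field would hold after two's-complement wraparound."""
    secs = int(moment.timestamp())
    wrapped = (secs + 2**31) % 2**32 - 2**31
    return EPOCH + timedelta(seconds=wrapped)


def latest_safe_install():
    """Last install instant whose CA expiration still fits in 32 bits."""
    return LIMIT - VALIDITY


if __name__ == "__main__":
    # Constructed sample install dates, not taken from the thread.
    for day in ("2018-01-23", "2018-01-25", "2018-02-11"):
        t = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        end = ca_not_after(t)
        if fits_time_t32(end):
            status = "fits"
        else:
            status = f"overflow, wraps to {wrapped_time_t32(end):%Y-%m-%d}"
        print(f"install {day}: notAfter {end:%Y-%m-%d} ({status})")
    print("latest safe install (UTC):", latest_safe_install())
```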


25 Replies
PhoneBoy
Admin
Admin

Known issue for all fresh installs of R77.30 prior to Take 143 and lower after January 24th 2018.

Connectivity between SmartDashboard / SmartDomain Manager and Security Management / Multi-Domain Man... 

Dirk_Casomo
Contributor

I've tried the option:

1. Choose 'Certificate Authority' option

2. Press 'y' to initialize the CA

Then after that there is an instruction to run pidof cpca. I've tried it not in expert mode and it's an invalid command; then I tried in expert mode and nothing happens. It still cannot be initiated.


0 Kudos
PhoneBoy
Admin
Admin

The problem is that by default the CA sets the expiration date to 20 years in the future.

That date is beyond what can be stored by the Unix epoch, which is why you cannot reinitialize the CA.

Which means you either need to:

1. Get the appropriate hotfix from TAC

2. Use a version unaffected by this issue (R77.30 with JHF 143 and above or R80.10)

0 Kudos
Dirk_Casomo
Contributor

This is a fresh install from the R77.30 ISO in my VMware, with a trial license... Can I still download the JHF to solve the problem?

0 Kudos
PhoneBoy
Admin
Admin

You should be able to retrieve the latest Jumbo Hotfix from CPUSE prior to completing the First Time Wizard.

0 Kudos
Dirk_Casomo
Contributor

error connecting to checkpoint cloud

I have already configured the default gateway and DNS 4.2.2.2, and the firewall can ping the DNS. Is there anything I missed?

0 Kudos
PhoneBoy
Admin
Admin
0 Kudos
Dirk_Casomo
Contributor

This is the output. What does it mean?

0 Kudos
PhoneBoy
Admin
Admin

It would be helpful to see the output of all the commands, not just the last one (which looks successful).

The one previous to the one with Sigcheck looks like it might be interesting to check. 


Or we can skip the troubleshooting and you can just download the offline version of the latest jumbo hotfix. 

Jumbo Hotfix Accumulator for R77.30 (R77_30_jumbo_hf) 

0 Kudos
Dirk_Casomo
Contributor

Is there a way for me to download the hotfix so that I can resolve this error? This is a fresh install of Gaia R77.30... but SmartDashboard fails to connect.

0 Kudos
PhoneBoy
Admin
Admin

Anyone who has a support agreement in place should be able to download the file.

If you do and you're seeing this, please check with Account Services: Contact Support | Check Point Software 

It also appears that we've now included the relevant fix in the R77.30 images available on UserCenter.

  • Effective February 26th 2018, the fix for this issue is included in R77.30 Gaia and Windows images. 
    For more information see Check Point R77.30.

You may be able to obtain temporary authorization to download these files by working with your account team.

0 Kudos
Dirk_Casomo
Contributor

So that means if I don't have access to that link (my account is not capable), I don't have a chance to fix this issue?

0 Kudos
PhoneBoy
Admin
Admin

Unfortunately, most bugfixes and software releases are only available to those who are covered by an active Support agreement.

0 Kudos
Dirk_Casomo
Contributor

How do I register so that I can download the hotfix? My customer has a licensed device; how do I know if he is able to download it?


0 Kudos
PhoneBoy
Admin
Admin

If the customer has a support agreement, they can add you as a contact for their User Center account.

This would allow you to download the file.

Account Services should be able to verify entitlement: Contact Support | Check Point Software 

0 Kudos
Dirk_Casomo
Contributor

They are asking me how they can register, because he already made an account but still cannot download anything. His account is just the same as mine. How do you make an account? Is there a link where to key in the serial number or whatsoever?


0 Kudos
PhoneBoy
Admin
Admin

Account Services can assist you with these issues.

Contact Support | Check Point Software 

0 Kudos
PhoneBoy
Admin
Admin

If you still can't get the hotfix for this, another option is to set the system date to something before 24th January 2018 prior to running the First Time Wizard.

This should allow the creation of the Internal CA to succeed and resolve the issue you are experiencing.

Afterwards, you can reset the system time to the current time.


However, I strongly recommend resolving your entitlement issues so you can download the proper hotfix for this and others you may need.

0 Kudos
Dirk_Casomo
Contributor

Thank you, I will try that one.


0 Kudos
Dirk_Casomo
Contributor

After importing the file.TAR.gz, this is what I receive:

0 Kudos
PhoneBoy
Admin
Admin

Sounds like the file you are trying to load is somehow corrupt.

I recommend checking the file MD5/SHA1 hash to validate that the file you are trying to load is the correct file.

0 Kudos
Jules_Rameaux_F
Explorer

Finally I was able to resolve my connection issue after a month of investigation.

Follow:
- Fresh install
- sk81200: install the license via CLI because of no access to SmartUpdate
- sk92449: upgrade the Service Engine (CPUSE)
- sk106162: install the Jumbo
- sk122612: generate a CA via cpconfig. Make sure you reboot.
Job done.

Note: you need a Check Point account.

0 Kudos
PhoneBoy
Admin
Admin

SmartUpdate doesn't require a license to operate.

It does, however, require there be a valid Internal CA, which you didn't have due to the bug described in this thread.

0 Kudos
Mike567
Explorer
Thanks a lot!!!
0 Kudos
