Moudar
Advisor

Identity collector "Wrong shared secret"

Hi,

I have tried many times to add my gateway to IDC but still have the same problem: "Wrong shared secret".

I have tried difficult passwords and easy passwords, with the same result: "Wrong shared secret".

collector-wrong.JPG

I run a lab environment gateway, version 81.10:

show version all
Product version Check Point Gaia R81.10
OS build 335
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit


IDC was downloaded from this link:

https://support.checkpoint.com/results/sk/sk134312

Identity Collector - for Windows OS

collector1.JPG

collector2.JPG

collector3.JPG

Install policy, then test in IDC, and again the same "Wrong shared secret".


Any ideas on what is wrong?

0 Kudos

22 Replies
the_rock
Legend

Never seen that before... I don't think the version of IC would matter here. Make sure that everything is checked under authentication settings.

Best,

Andy

0 Kudos
Moudar
Advisor

collector4.JPG

0 Kudos
the_rock
Legend

Let me check my lab that works.

Andy

0 Kudos
the_rock
Legend

What version is this? Is the IP you have there correct?

Andy

0 Kudos
Moudar
Advisor

200.100.0.1 is the virtual IP of the cluster.

version 81.10

0 Kudos
the_rock
Legend

Are you able to ping the firewalls from IC machine?

Andy

0 Kudos
Moudar
Advisor

10.0.0.2 is the active node

10.0.0.3 is standby

PS C:\Users\shanta> ping 10.0.0.2

Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=1ms TTL=64
Reply from 10.0.0.2: bytes=32 time=1ms TTL=64
Reply from 10.0.0.2: bytes=32 time=16ms TTL=64
Reply from 10.0.0.2: bytes=32 time=1ms TTL=64

Ping statistics for 10.0.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 16ms, Average = 4ms
PS C:\Users\shanta> ping 10.0.0.3

Pinging 10.0.0.3 with 32 bytes of data:
Reply from 10.0.0.3: bytes=32 time=2ms TTL=64
Reply from 10.0.0.3: bytes=32 time=1ms TTL=64
Reply from 10.0.0.3: bytes=32 time=1ms TTL=64
Reply from 10.0.0.3: bytes=32 time<1ms TTL=64

Ping statistics for 10.0.0.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 1ms
0 Kudos
the_rock
Legend

Is VIP 10.0.0.4? Try that IP instead and see if it works. I mean, try that for gateway object in IC.

Andy

0 Kudos
Moudar
Advisor

10.0.0.1 tested that, same problem!

collector5.JPG

0 Kudos
the_rock
Legend

Try this... remove the query pool and see if you get the same issue. If so, then I would uncheck the IA blade, install policy, recheck and test.

Andy

0 Kudos
Moudar
Advisor

I did both and still "Wrong shared secret"

I am very confused. I am trying this on my lab only to see if I get the same problem as my production, which is that all logs are "failed log in",

but my lab environment refuses!! "Wrong shared secret"

0 Kudos
the_rock
Legend

And you are 100% positive you are typing the same secret?

Best,

Andy

0 Kudos
Moudar
Advisor

very easy password: vpn123

https://www.youtube.com/watch?v=-CLuxHTewqg

Check that video at 2:55; you can see that he had the same problem but found a solution that is not shown in the video.

0 Kudos
Lesley
Advisor

Follow this sk

https://support.checkpoint.com/results/sk/sk113021

Maybe something simple like closed port between IDC and gateway

-------
If you like this post please give a thumbs up(kudo)! 🙂
Moudar
Advisor

I got Windows firewall disabled for this test sake.

Would you explain this:

  1. "Wrong Shared Secret" occurs when connecting a Security Gateway to Identity Collector if the Authorized Clients object defined within the Gateway Properties on SmartConsole has the wrong IP.

What is the "Authorized Clients object"?

0 Kudos
the_rock
Legend

So in that case, it was just a new shared secret... not sure what else to say, sorry mate : - (. Let's see if Peter Elmer responds to your YouTube video comment.

Best,

Andy

0 Kudos
Moudar
Advisor

I have now found the problem from the text of sk113021.

The machine where IDC is installed ("SmartConsole" in my case) was not in the "Authorized Clients".

collector6.JPG
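A quick check from the Windows host running Identity Collector, added here as an example and not part of the thread: it tests the cluster VIP and both members on TCP 443 (HTTPS, as Lesley notes; the port number is an assumption) and reports the source IP this host uses to reach each gateway, which is the address that must appear under the gateway's "Authorized Clients". The IPs are the ones from this thread.

```powershell
# Added example, not from the thread. Run on the IDC host.
# Gateways from this thread: cluster VIP and the two members.
$Gateways = @('200.100.0.1', '10.0.0.2', '10.0.0.3')
# Assumption: IDC talks to the gateway over HTTPS on TCP 443.
$Port = 443

foreach ($gw in $Gateways) {
    # Test-NetConnection does an ICMP ping plus a TCP connect to the port.
    $r = Test-NetConnection -ComputerName $gw -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Gateway       = $gw
        PingSucceeded = $r.PingSucceeded
        Tcp443Open    = $r.TcpTestSucceeded
        # The local address chosen for this route; on a multi-homed host this
        # is the IP that has to be in the gateway's "Authorized Clients".
        SourceAddress = $r.SourceAddress.IPAddress
    }
}
```

If Tcp443Open is false while ping works, a firewall between IDC and the gateway is the first thing to check; if it is true and the error persists, compare SourceAddress with the IP configured in Authorized Clients.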

the_rock
Legend

Ah, gotcha...good job. I just assumed machine you had there was the one where IC was installed.

Glad you got it now.

Best,

Andy

0 Kudos
Lesley
Advisor

This one is: 

  1. "Wrong Shared Secret" occurs when connecting a Security Gateway to Identity Collector if the Authorized Clients object defined within the Gateway Properties on SmartConsole has the wrong IP.

Do you see any traffic reaching the fw? It should be HTTPS.

-------
If you like this post please give a thumbs up(kudo)! 🙂
Moudar
Advisor

The 'Wrong shared secret' error message is misleading in this case. It should be replaced with a message that clearly guides users on how to fix the issue.

(1)
the_rock
Legend

I agree 100%, it should be more user friendly, or intuitive, if you will.

Best,

Andy

0 Kudos