After a working configuration, I now have the following issue:
I got the following 'weird/annoying' issue with our management server:
******** symptoms **********
Connecting from the laptop to the management server, I do not seem to get
authenticated to the server.
Response from SmartDashboard:
"Connection cannot be initiated. Make sure that the managementserver
10.16.13.4 is up and running."
******** Environment Description *********
setup: laptop/client ----> Managementserver ----> firewalls
laptop: Windows 2000 Professional running Smart Client: NG FP3 Build 53933
(10.16.99.16)
server: Solaris 8: FW version NG FP3 build 53225 (10.16.13.4)
laptop is added as a management client in cpconfig (list rebuilt)
cplic print is correct
new administrator was added via cpconfig
machine is listening on 18190 (telnet from the laptop gets a
connection)
server is pingable and reachable via ssh
laptop was also connected via hub (IP 10.16.13.5, also allowed) to rule out
filtering --> same error
When I start SmartDashboard I briefly see on the management server:
ams1mfw1.18190 10.16.99.16.3090 64512 0 24820 0 ESTABLISHED
This hints at an issue with the FW-1 software rather than OS/network-related
issues??
Anyone have a clue what might be causing this?
Recent changes:
* latest 4 Windows 2000 patches
* Check Point SecureClient (also removed and tried, no effect)
* back-office migration (changed the DNS servers to a different IP; this is
corrected on the mgmt server in resolv.conf)
* reinstalled the client software several times (with more or less
options)
grtz
Bouke
Bouke van der Voet
GlidePath B.V.
bouke.va...@GlidePath.net
TEL: +31 [0]20 6058102
GSM: +31 [0] 6 209 72740
"bouke" <bo...@bouke.org> wrote in message
news:3ed8...@news.checkpoint.com...
cpstop or cpstart does not resolve the issue. Client connections are still
not possible.
> alleviate the issue. At one point I had to reboot the solaris box to get
> the management server to respond.
Rebooting does not help either.
> So it's definitely an interesting situation.
Ack :-(
cpstop/cpstart did give an error report (posted below), which did not
reproduce later.
All this makes me believe the issue is still authorisation/FW-1-related. Is
Check Point also represented/reading in this ng?
grtz
Bouke
# cpstop
Cannot kill cpmad pid 247: No such process
VPN-1/FW-1 stopped
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
# cpstart
cpstart: Start product - SVN Foundation
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
cpstart: Start product - FireWall-1
FireWall-1: Starting fwd
FireWall-1: Starting fwm (SmartCenter Server)
FireWall-1: This is a Management Station. No security policy will be loaded
FireWall-1 started
#
Reconnecting still gives the same error.
Most SIC problems occur between the management module and the enforcement
module. If you reset the SIC, you'll have to regenerate new certs for the
enforcement points the management station controls as well as for
SmartDashboard. In case the SIC reset operation doesn't fix the problems
with SmartDashboard, you'll have to invalidate the existing certs and
reissue new certs. This may sound severe, but the procedure is quick to
perform.
"bouke" <bo...@bouke.org> wrote in message
news:3ed8...@news.checkpoint.com...
"bouke" <bo...@bouke.org> wrote in message
news:3eda...@news.checkpoint.com...
It seems the SIC reset did the trick! Thank you all.
As far as we could deduce, the mgmt station lost the Local CA configuration
somehow, but managed to keep working until the reboot of Friday afternoon.
It was most probably lost a week or more before.
The reboot forced the station to reread/reload the CA, which was
corrupted/gone, hence causing log entries about missing CAs (readable AFTER the
server is back online.....) and causing the inability to authenticate at all.
Resetting the SIC solved the communication with the client. The downfall is also
losing the communication with all connected firewalls ... which means a
lovely night of maintenance to reset all of them. Ah well ... I'd better
have learned a decent profession ....
Tnx again
Bouke
For those who archive the commands followed to resolve:
Proceed as follows:
1. Stop all Check Point processes on the Management Station (cpstop).
2. Remove the SIC entries from the Registry under SOFTWARE/CheckPoint/SIC.
3. Delete the InternalCA.* and ICA.* files from the $FWDIR/conf directory.
4. Open $FWDIR/conf/objects_5_0.C:
   * Remove the Primary Management Object's "sic_name" attribute.
   * Remove the InternalCA object.
5. Run cpconfig and initialize the CA.
6. Restart the Check Point processes (cpstart).
WARNING: THIS OPERATION WILL CAUSE YOUR FIREWALL-1 NG ENVIRONMENT TO FAIL.
CONSIDER THE IMPLICATIONS VERY CAREFULLY BEFORE USING IT.
"Robert MacKinnon" <r...@doglover.com> wrote in message
news:3eda...@news.checkpoint.com...
--
Omar Silva Sarabia
roms...@bsantander.com.mx
Seguridad Informática - Firewalls
51741921
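Added here as an example, not the poster's or Check Point's own commands: a POSIX sh helper that first checks for the Local CA files the thread identified as missing from the management station, and then performs step 3 of the procedure above with a tar backup of the conf directory taken before anything is deleted. The conf directory argument, the SIC_RESET_STEP3 environment switch and the backup file name are assumptions of this example; steps 2 and 4 (registry and objects_5_0.C edits) stay manual.

```shell
#!/bin/sh
# Added helper, not from the thread: a pre-check plus a backup-first version
# of step 3 of the SIC reset procedure above. The conf directory is passed
# as an argument (assumed parameter) so it can be tried on a copy first.

# Pre-check for the root cause found in the thread (Local CA gone from the
# mgmt station): return 0 if any InternalCA.* or ICA.* file exists in conf_dir.
ica_files_present() {
    conf_dir=$1
    for f in "$conf_dir"/InternalCA.* "$conf_dir"/ICA.*; do
        if [ -e "$f" ]; then
            return 0
        fi
    done
    return 1
}

# Step 3 with a safety net: archive the whole conf directory into its parent
# directory first, then delete the CA files. Prints the backup path on
# success; returns 1 (and deletes nothing) if the archive cannot be written.
remove_ica_files() {
    conf_dir=$1
    stamp=$(date +%Y%m%d%H%M%S)
    backup=$(dirname "$conf_dir")/conf-backup-$stamp.tar
    tar cf "$backup" -C "$conf_dir" . || return 1
    for f in "$conf_dir"/InternalCA.* "$conf_dir"/ICA.*; do
        if [ -e "$f" ]; then
            rm -f "$f"
        fi
    done
    echo "$backup"
}

# Usage (runs only when explicitly asked, after cpstop):
#   SIC_RESET_STEP3=1 FWDIR=/opt/CPfw1-50 sh sic_step3.sh   (paths assumed)
if [ "${SIC_RESET_STEP3:-0}" = 1 ]; then
    conf=${FWDIR:?FWDIR is not set}/conf
    if ica_files_present "$conf"; then
        echo "CA files present in $conf; backing up and removing them"
        remove_ica_files "$conf"
    else
        echo "no InternalCA.*/ICA.* files in $conf (matches the lost-CA symptom)"
    fi
fi
```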
"Connection cannot be initiated. Make sure that the Server 'localhost'
is up and running and that you are defined as a GUI client."
I am using PuTTY to generate an SSL connection and forwarding. This way
I don't have to set up a lot of GUI clients. Until recently this has
been working fine, but now only a handful of machines are able to
access the GUI management console.
One of the PCs which cannot connect is on the same subnet as the
management server, so it is not blocked by a firewall.
Any assistance would be awesome... thanx.
S.