Note: This solution does NOT address situations where the GUI Client is on the same machine as the Security Management Server.
Before you continue:
- Verify if the FWM process is running. To do this, run the command:
[Expert@HostName:0]# ps -aux | grep fwm
- If the FWM process is not running, then try force-starting the process with the following command:
[Expert@HostName:0]# cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"
- Proceed accordingly:
I. Make sure that IP addresses for hosts are unique
II. Configure the GUI Client's IP address using cpconfig on the Security Management Server
- Run the cpconfig command:
[Expert@HostName:0]# cpconfig
- Configure the GUI Client's IP address.
Example for IP address 192.168.2.100:
----------------------------------------
[Expert@HostName]# cpconfig
This program will let you re-configure
your VPN-1 & FireWall-1 configuration.
Configuration Options:
----------------------
(1) Licenses
(2) Administrators
(3) GUI clients
(4) SNMP Extension
(5) Groups
(6) PKCS#11 Token
(7) Random Pool
(8) Certificate Authority
(9) Certificate's Fingerprint
(10) Automatic start of Check Point Products
(11) Exit
Enter your choice (1-11) :3
Configuring GUI clients
==================
GUI clients are trusted hosts from which Administrators are allowed to log on to the SmartCenter server using Windows/X-Motif GUI.
Do you want to [C]reate a new list, [A]dd or [D]elete one?: a
Enter resolvable host name or an IP: 192.168.2.100
192.168.2.100 will be added as a GUI client. Are you sure? (y/n) [y] ? y
192.168.2.100 was added successfully!
Do you want to add another one? (y/n) [n] ? n
Configuration Options:
----------------------
(1) Licenses
(2) Administrators
(3) GUI clients
(4) SNMP Extension
(5) Groups
(6) PKCS#11 Token
(7) Random Pool
(8) Certificate Authority
(9) Certificate's Fingerprint
(10) Automatic start of Check Point Products
(11) Exit
Enter your choice (1-11) :11
Thank You...
[Expert@HostName]#
- Connect with SmartDashboard to Security Management Server.
III. Check Disk Space on the Security Management Server
If after a database revision you still cannot connect with SmartDashboard to the Security Management Server, check the disk space. A /var/log partition filled up to 99% can cause database corruption.
Perform the following:
- Connect to command line on Security Management Server.
- Log in to Expert mode.
- Stop Check Point services:
[Expert@HostName:0]# cpstop
- Check for abnormally large *.NDB files:
[Expert@HostName:0]# ls -lhS $FWDIR/conf/*.NDB
- Identify the relevant *.NDB database file (its size should be significantly larger than the other files).
- Back up the current corrupted *.NDB database file and remove it:
[Expert@HostName:0]# mkdir /var/tmp/backup
[Expert@HostName:0]# mv -v $FWDIR/conf/<Name_of_File>.NDB /var/tmp/backup/
- Clear the SmartConsole cache files per sk100507.
- Start Check Point services:
[Expert@HostName:0]# cpstart
- Wait for several minutes for the SmartConsole cache to rebuild.
- Connect with SmartDashboard to Security Management Server.
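The read-only checks below are an added example, not part of the original article: `use_pct` extracts the capacity figure from `df -P` output and `ndb_outliers` lists the *.NDB files that are far larger than their peers, before anything is moved. The function names and the default factor of 10 are assumptions; the article only says "significantly larger".

```shell
#!/bin/sh
# Added example (not from the article): read-only pre-checks for section III.
# Function names and the default factor are assumptions; nothing is moved or deleted.

# use_pct: reads `df -P` output on stdin, prints the used-space percentage.
use_pct() {
    awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# ndb_outliers DIR [FACTOR]: prints "<bytes> <file>" for each *.NDB file in DIR
# whose size is at least FACTOR times the median *.NDB size.
ndb_outliers() {
    dir=$1
    factor=${2:-10}    # assumed threshold; the article says "significantly larger"
    for f in "$dir"/*.NDB; do
        [ -f "$f" ] || continue    # unmatched glob or not a regular file
        printf '%s %s\n' "$(wc -c < "$f" | tr -d ' ')" "$f"
    done | sort -n | awk -v k="$factor" '
        { size[NR] = $1; sub(/^[0-9]+ /, ""); name[NR] = $0 }
        END {
            if (NR < 2) exit       # a single file has nothing to compare against
            median = size[int((NR + 1) / 2)]
            for (i = 1; i <= NR; i++)
                if (median > 0 && size[i] >= k * median)
                    print size[i], name[i]
        }'
}

# Run on the Security Management Server in Expert mode, where $FWDIR is set.
if [ -n "${FWDIR:-}" ]; then
    echo "/var/log used: $(df -P /var/log | use_pct)%"
    ndb_outliers "$FWDIR/conf"
fi
```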
IV. Check connectivity between the GUI client and the Security Management Server
If the procedures above do not resolve the problem, then verify that TCP port 18190 is not blocked between the GUI Client and the Security Management Server.
TCP port 18190 is a pre-defined service in SmartDashboard, called CPMI (Check Point Management Interface). If a Security Gateway is blocking the CPMI service between the GUI Client and Security Management Server, then an explicit rule similar to the following example may need to be added:
| SOURCE | DESTINATION | VPN | SERVICE | ACTION | TRACK | INSTALL ON | TIME |
| Host that represents GUI Client IP address | Security Management Server object | Any Traffic | CPMI | Accept | Log | Security Gateway / Cluster object | Any |
In addition, verify that in SmartDashboard - Policy menu - Global Properties - the box "Accept control connections" is checked.
If this machine is a StandAlone (Security Gateway and Security Management Server are on the same machine), then the FireWall on this StandAlone machine might be blocking the CPMI service. It may be necessary to uninstall the current security policy before a new policy can be installed:
- Disconnect the StandAlone machine from the network.
- Connect the GUI Client directly to the StandAlone machine.
- Connect to the command line on the StandAlone machine.
- Log in to Expert mode.
- Unload the current policy:
[Expert@HostName:0]# fw unloadlocal
- Connect with SmartDashboard to StandAlone machine.
- Go to Policy menu - Global Properties - check the box "Accept control connections".
Alternatively, define the required explicit rule for CPMI service.
- Install the policy on the StandAlone machine.
- Reconnect the StandAlone machine to the network.
Note: If after running a 'log switch' you are unable to log in, follow this procedure:
- Reboot your Security Management Server.
- When prompted to approve the new fingerprint - Approve.
SmartDashboard should be able to connect successfully.
V. If this is an MDS environment, check that the admins, gui-clients, and permissions profiles files are symbolically linked correctly in the relevant $FWDIR/conf/ directory on Domain / CMA
If the Management Server is a Domain / CMA, check that the cp-admins, cp-gui-clients, and admin_permissions_profiles.C files are symbolically linked to the $MDSDIR/conf/mdsdb/ directory.
Example:
[Expert@MDS:0]# mdsenv <Name of Domain / CMA>
[Expert@MDS:0]# mcd conf
[Expert@MDS:0]# ls -l | grep "\->"
lrwxrwxrwx 1 admin root 54 Jun 12 10:42 admin_permissions_profiles.C -> /opt/CPmds-R77/conf/mdsdb/admin_permissions_profiles.C
lrwxrwxrwx 1 admin root 37 Jun 12 10:42 cp-admins -> /opt/CPmds-R77/conf/mdsdb/cp-admins.C
lrwxrwxrwx 1 admin root 42 Jun 12 10:42 cp-gui-clients -> /opt/CPmds-R77/conf/mdsdb/cp-gui-clients.C
If the GUI Clients symbolic link is missing, then re-create it:
[Expert@MDS:0]# mdsenv <Name of Domain / CMA>
[Expert@MDS:0]# mcd conf
[Expert@MDS:0]# ln -s $MDSDIR/conf/mdsdb/cp-gui-clients.C cp-gui-clients
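The check described in this section can be scripted so that all three links are audited at once. The following is an added example, not part of the original article; the function name `check_mds_links` is an assumption, and the link and target names are taken from the listing above.

```shell
#!/bin/sh
# Added example (not from the article): audit the three MDS symbolic links.
# check_mds_links CONF_DIR MDSDB_DIR
#   Prints one status line per link; the return code is the number of problems.
check_mds_links() {
    conf_dir=$1
    mdsdb_dir=$2
    problems=0
    # "<link name in conf>:<file name in mdsdb>", as shown in the ls -l listing
    for pair in \
        "admin_permissions_profiles.C:admin_permissions_profiles.C" \
        "cp-admins:cp-admins.C" \
        "cp-gui-clients:cp-gui-clients.C"
    do
        link="$conf_dir/${pair%%:*}"
        want="$mdsdb_dir/${pair##*:}"
        if [ ! -L "$link" ]; then
            if [ -e "$link" ]; then
                echo "NOT-A-LINK $link (exists but is not a symbolic link)"
            else
                echo "MISSING    $link"
            fi
            problems=$((problems + 1))
        elif [ "$(readlink "$link")" != "$want" ]; then
            echo "WRONG      $link -> $(readlink "$link") (expected $want)"
            problems=$((problems + 1))
        elif [ ! -e "$link" ]; then
            echo "DANGLING   $link -> $want (target does not exist)"
            problems=$((problems + 1))
        else
            echo "OK         $link -> $want"
        fi
    done
    return "$problems"
}

# Run after mdsenv <Name of Domain / CMA>, when $FWDIR and $MDSDIR are set.
if [ -n "${FWDIR:-}" ] && [ -n "${MDSDIR:-}" ]; then
    check_mds_links "$FWDIR/conf" "$MDSDIR/conf/mdsdb" || echo "$? link problem(s) found"
fi
```

A link reported as WRONG or NOT-A-LINK is only flagged, not changed; the `ln -s` command above covers the missing-link case.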
This solution is about products that are no longer supported and it will not be updated
Applies To:
- This article is merged with sk106086 and sk123114