Connectivity between SmartDashboard / SmartDomain Manager and Security Management / Multi-Domain Management Server R77.30 and below fails on fresh installation
Symptoms
  • Connectivity between SmartDashboard / SmartDomain Manager and Security Management / Multi-Domain Management Server fails.
  • Error: "Connection cannot be initiated. Please make sure the server X.X.X.X is up and running and that you are defined as a GUI Client".
  • Unable to view the CA fingerprint when running cpconfig on a Security Management Server or mdsconfig on Multi-Domain Management Server - "The fingerprint can be displayed only after a certificate is created for this machine" message.

  • When trying to generate the CA via cpconfig on a Security Management Server or mdsconfig on Multi-Domain Management Server, the following error is seen (even if fwm sic_reset completed successfully):
    Could not create Certificate Authority. General problem in Certificate Authority. Failed to initiate Certificate Authority
    NOTE: The creation of the certificate failed
  • When running mdsstat, the CPCA status is down.

Cause

The issue applies to the following scenarios:

  1. Upon a clean install of Security Management / Standalone / Multi-Domain Server R77.30 or below after January 24th 2018.
  2. Upon adding a CMA on a Multi-Domain Server below R77.30 Jumbo Hotfix take 143 (including previous versions).

ICA certificate generation fails due to a code issue (now fixed), which causes connectivity to fail.


Solution

Important Notes:

  • R80 and above releases are not affected by the issue.
  • R77.30 Jumbo Hotfix take 143 and above environments are not affected by the issue.
  • Effective February 26th 2018, the fix for this issue is included in R77.30 Gaia and Windows images.
    For more information see Check Point R77.30.


For R77.20 and below, contact Check Point Support to get a solution for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification, please collect CPinfo files from the Security Management and Security Gateways involved in the case.

For R77.30-based environments, the solution depends on the product it is applied to:

  • Fresh Security Management Server / Standalone installation on Gaia
    1. Install R77.30 GA image. Refer to Check Point R77.30
       
  • Fresh Security Management Server / Standalone installation on Windows
    1. Install R77.30 GA image. Refer to Check Point R77.30
    If you do not wish to install the new R77.30 image, the following workaround is available:

    If the First Time Wizard was not yet used, set the date to Jan 24, 2018, and after the First Time Wizard completes, set the date correctly.
    If the First Time Wizard was already used, change the date and initialize the CA using cpconfig:
    1. Run cpconfig from CMD
    2. Select the 'Secure Internal Communication' tab
    3. Click on 'Reset'
    4. Insert a new activation key and click 'Apply'
    5. Click 'Yes' to reset Check Point services.
  • CMA creation on existing Multi-Domain Management Server
    1. Install R77.30 Jumbo Hotfix take 143 or above
    2. Recreate the CMA (no need to reset Internal CA on Multi-Domain Management Server)

  • Fresh Multi-Domain Management Server installation
    1. Install R77.30 GA image. Refer to Check Point R77.30

  • Re-signing internal CA
    1. Install R77.30 Jumbo Hotfix take 143 or above
    2. Re-sign the internal CA by running cpca_client re_sign_ca

  • Endpoint Security Server R77.30.03 installation
  • vSEC for Public Cloud / CloudGuard IAAS
    In deployments using the versions listed below or newer, the issue has been resolved and additional actions are not required:

    • CloudGuard for AWS: R77.30-041.168
    • CloudGuard for Azure: R77.30-053.230
    • CloudGuard for GCP: R77.30-053-236

 

Related solution: sk123499 - SMB appliances do not complete boot and enter Maintenance Mode
