Connectivity between SmartDashboard / SmartDomain Manager and Security Management / Multi-Domain Management Server R77.30 and below fails on fresh installation

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk122612
Technical Level
Product	Quantum Security Management, SmartDomain Manager, Multi-Domain Security Management
Version	R77 (EOL), R77.10 (EOL), R77.20 (EOL), R77.30 (EOL)
OS	Gaia, Windows
Date Created	26-Jan-2018
Last Modified	10-Feb-2019

Symptoms

Connectivity between SmartDashboard / SmartDomain Manager and Security Management / Multi-Domain Management Server fails.
Error: "Connection cannot be initiated. Please make sure the server X.X.X.X is up and running and that you are defined as a GUI Client".
Unable to view the CA fingerprint when running cpconfig on a Security Management Server or mdsconfig on Multi-Domain Management Server - "The fingerprint can be displayed only after a certificate is created for this machine" message.
When trying to generate the CA via cpconfig on a Security Management Server or mdsconfig on Multi-Domain Management Server the following error is seen (Even if if fwm sic_reset completed successfully):
```
Could not create Certificate Authority. General problem in Certificate Authority. Failed to initiate Certificate Authority
NOTE: The creation of the certificate failed
```
.
When running mdssstat the CPCA status is down.

Cause

The issue is relevant to the below scenarios:

Upon clean install of Security Management / Standalone / Multi-Domain Server R77.30 or below after January 24th 2018.
Upon adding CMA on Multi-Domain Server below 77.30 Jumbo Hotfix take 143 (Inlcuding previous versions) .

ICA certificate generation fails due to code issue (that is now fixed), causing connectivity to fail.

Solution

Important Notes:

R80 and above releases are not affected by the issue.

R77.30 Jumbo Hotfix take 143 and above environments are not affected by the issue.

Effective February 26th 2018, the fix for this issue is included in R77.30 Gaia and Windows images.
For more information see Check Point R77.30.

For R77.20 and below contact Check Point Support to get a solution for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification please collect CPinfo files from the Security Management and Security Gateways involved in the case.

For R77.30 based environments solutions would be provided according to the product it should be applied to:

Fresh Security Management Server / Standalone installation on Gaia
Show / Hide this section
1. Install R77.30 GA image. Refer to Check Point R77.30
Fresh Security Management Server / Standalone installation on Windows
Show / Hide this section
1. Install R77.30 GA image. Refer to Check Point R77.30.
If you do not wish to install the new R77.30 image, the following workaround is available:

If the First Time Wizard was not yet used, set the date to Jan 24, 2018 and after the First Time Wizard completes, set the date correctly.
If the First Time Wizard was already used, change the date and initialize the CA using cpconfig :
1. Run cpconfig from CMD
2. Select 'Secure Internal Communication' tab
3. Click on 'Reset'
4. Insert a new activation key and click 'Apply'
5. Click 'Yes' to reset Check Point services.
CMA creation on existing Multi-Domain Management Server
Show / Hide this section
1. Install R77.30 Jumbo Hotfix take 143 or above
2. Recreate the CMA (no need to reset Internal CA on Multi-Domain Management Server)
Fresh Multi-Domain Management Server installation
Show / Hide this section
1. Install R77.30 GA image. Refer to Check Point R77.30.
Re-signing internal CA
Show / Hide this section
1. Install R77.30 Jumbo Hotfix take 143 or above
2. Re-Sign internal CA by running cpca_client re_sign_ca
Endpoint Security Server R77.30.03 installation
Show / Hide this section
1. Install an R77.30 Security Management Server
2. Install the R77.30.03 hotfixes
vSEC for Public Cloud / CloudGuard IAAS
Show / Hide this section
- CloudGuard for AWS: R77.30-041.168
- CloudGuard for Azure: R77.30-053.230
- CloudGuard for GCP: R77.30-053-236

This solution is about products that are no longer supported and it will not be updated

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating