Global VPN community fails to establish VPN tunnels after an upgrade
Symptoms
  • After a Multi-Domain Management Server upgrade, the VPN tunnels to the peer gateway using the Global VPN community fail to establish.
  • The VPN tunnel negotiation fails with an invalid-certificate error, because certificate trust between the peers cannot be established.
  • PUV message: The 'Internal CA' certificates in the database must be fixed post upgrade.
Cause

There is more than one certificate for each Internal CA (ICA) in the management database.

Because of the duplicates, a CMA does not recognize the ICAs of the other CMAs, so certificate trust between the domains fails and the Global VPN community tunnels cannot be negotiated.


Solution

This problem was fixed. The fix is included in:

Check Point recommends always upgrading to the most recent version (upgrade Security Gateway / upgrade Cluster / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).


If you do not wish to upgrade, delete the duplicate certificates from the database:

  1. Take a snapshot (important!) before executing the script.
  2. Download RemoveDuplicateInternalCACertificates.tgz
  3. Move the tgz file to the home directory on the Multi-Domain Server.
  4. Extract the RemoveDuplicateInternalCACertificates.groovy script.
  5. Assign the required permissions:
    # chmod +x RemoveDuplicateInternalCACertificates.groovy
  6. Run the script:
    # $MDS_FWDIR/scripts/run_groovy_script.sh ~/RemoveDuplicateInternalCACertificates.groovy
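The condition the article describes (more than one certificate object per Internal CA) can be checked for in any export of the ICA objects before the cleanup script is run and verified again afterwards. The following is an added example, not Check Point's script and not the management database schema: the records, the field names (`ca_name`, `serial`, `not_after`) and the keep-rule (retain the certificate with the latest expiry) are all assumptions constructed for illustration. It shows how to detect duplicated ICAs and how to express a cleanup plan so that the result can be reviewed before anything is deleted.

```python
"""Added example (not from the article): detect Internal CA (ICA) objects
that carry more than one certificate, and plan which copies to remove.
All records and field names below are constructed assumptions."""

from collections import defaultdict
from datetime import datetime

# Constructed sample export: one entry per (Internal CA object, certificate).
# Domain_A and Domain_C are the duplicated cases the article warns about.
SAMPLE_ICA_CERTS = [
    {"ca_name": "internal_ca_Domain_A", "serial": "01", "not_after": "2030-01-01"},
    {"ca_name": "internal_ca_Domain_A", "serial": "02", "not_after": "2028-06-01"},
    {"ca_name": "internal_ca_Domain_B", "serial": "01", "not_after": "2031-03-15"},
    {"ca_name": "internal_ca_Domain_C", "serial": "01", "not_after": "2029-09-30"},
    {"ca_name": "internal_ca_Domain_C", "serial": "02", "not_after": "2029-09-30"},
    {"ca_name": "internal_ca_Domain_C", "serial": "03", "not_after": "2032-12-31"},
]


def group_by_ca(records):
    """Group certificate records by the Internal CA they belong to."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["ca_name"]].append(rec)
    return groups


def find_duplicate_icas(records):
    """Return {ca_name: [records]} for every ICA with more than one certificate.
    An empty result means the database is in the expected one-cert-per-CA state."""
    return {ca: certs for ca, certs in group_by_ca(records).items() if len(certs) > 1}


def plan_cleanup(records):
    """Decide, per duplicated CA, which certificate to keep and which to remove.
    Keep-rule (an assumption for this example, not the article's script):
    the certificate with the latest not_after wins; ties go to the higher serial."""
    plan = {}
    for ca, certs in find_duplicate_icas(records).items():
        ordered = sorted(
            certs,
            key=lambda c: (datetime.strptime(c["not_after"], "%Y-%m-%d"), c["serial"]),
            reverse=True,
        )
        plan[ca] = {
            "keep": ordered[0]["serial"],
            "remove": [c["serial"] for c in ordered[1:]],
        }
    return plan


def apply_cleanup(records):
    """Return the record list with the planned removals dropped (nothing is
    touched in place, so the caller can review the plan first)."""
    plan = plan_cleanup(records)
    return [
        rec for rec in records
        if rec["ca_name"] not in plan or rec["serial"] not in plan[rec["ca_name"]]["remove"]
    ]


def is_clean(records):
    """True when no Internal CA has more than one certificate."""
    return not find_duplicate_icas(records)


if __name__ == "__main__":
    for ca, certs in find_duplicate_icas(SAMPLE_ICA_CERTS).items():
        print(f"{ca}: {len(certs)} certificates")
    print("plan:", plan_cleanup(SAMPLE_ICA_CERTS))
    print("clean after cleanup:", is_clean(apply_cleanup(SAMPLE_ICA_CERTS)))
```

Running `find_duplicate_icas` over a real export before step 6 tells you whether the database is actually affected, and running it again afterwards confirms that the script left exactly one certificate per Internal CA; the keep-rule here is only a placeholder, since which certificate the gateways currently trust is decided by the vendor's script, not by this example.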
