Global VPN community fails to establish VPN tunnels after an upgrade
  • After a Multi-Domain Management Server upgrade, the VPN tunnels to the peer gateway using the Global VPN community fail to establish.
  • The negotiation of the VPN tunnel fails with an invalid certificate, due to a failure in certificate trust.
  • PUV message: The 'Internal CA' certificates in the database must be fixed post upgrade.

There is more than 1 certificate for every Internal CA.

This causes the CMA not to recognize the other CMA's ICAs.


This problem was fixed. The fix is included in:

Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway / upgrade Cluster / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).


If you do not wish to upgrade, delete the duplicate certificates in the DB.

  1. Take a snapshot (important!) before executing the script. 
  2. Download RemoveDuplicateInternalCACertificates.tgz
  3. Move the tgz file to the machine home directory. 
  4. Extract RemoveDuplicateInternalCACertificates.groovy script 
  5. Assign the required permissions:
    # chmod +x RemoveDuplicateInternalCACertificates.groovy 
  6. Run the script:
    # $MDS_FWDIR/scripts/ ~/RemoveDuplicateInternalCACertificates.groovy
