- This article is not valid for R80.x
- Do not run a SIC reset at the MDS root level. Make sure that you are in the correct CMA / Domain context (run mdsenv <CMA_name>) before you start this procedure.
To see which CMA / Domain context you are in, run echo $FWDIR and confirm that the correct /opt/CPmds-Rxx/customers/<CMA> directory is returned.
To reset SIC on a CMA / Customer Domain:
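The context check above can be scripted so that a SIC reset is never started from the wrong environment. The following is an added example, not part of the original article or any Check Point tooling: the function names are hypothetical, the sample paths are constructed, and it assumes $FWDIR is either the /opt/CPmds-Rxx/customers/<CMA> directory itself or a path beneath it.

```shell
#!/bin/sh
# Added example: refuse to continue unless $FWDIR points inside the
# expected CMA / Domain directory. Function names are hypothetical.

# cma_from_fwdir PATH
# Prints the CMA name when PATH is /opt/CPmds-<ver>/customers/<CMA>[/...].
# Returns 1 for anything else, including the MDS root context.
cma_from_fwdir() {
    path=$1
    case "$path" in
        /opt/CPmds-*) ;;
        *) return 1 ;;
    esac
    rest=${path#/opt/CPmds-}          # <ver>/customers/<CMA>/...
    ver=${rest%%/*}                   # first component: <ver>
    [ -n "$ver" ] || return 1
    [ "$ver" != "$rest" ] || return 1 # nothing after the version: MDS level
    rest=${rest#"$ver"/}              # customers/<CMA>/...
    case "$rest" in
        customers/?*) ;;
        *) return 1 ;;
    esac
    rest=${rest#customers/}
    name=${rest%%/*}                  # first component: <CMA>
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# require_cma_context EXPECTED_CMA [FWDIR_VALUE]
# Succeeds only when the current context is exactly EXPECTED_CMA.
require_cma_context() {
    expected=$1
    fwdir=${2:-${FWDIR:-}}
    current=$(cma_from_fwdir "$fwdir") || {
        echo "Not in a CMA context (FWDIR=$fwdir). Run: mdsenv $expected" >&2
        return 1
    }
    if [ "$current" != "$expected" ]; then
        echo "In context '$current', expected '$expected'. Aborting." >&2
        return 1
    fi
    return 0
}

# Intended use on the MDS, after mdsenv <CMA_name>:
#   require_cma_context <CMA_name> && fwm sic_reset
```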
- For backup purposes, run mds_backup before starting the procedure
- On the MDS console, run mdsenv <CMA_name> to enter the first CMA environment reporting a SIC problem.
- Run the fwm sic_reset command and answer 'yes' when prompted.
Important: After running this command on the CMA, you must re-establish SIC with all managed gateways.
For more information on the removal of certificates generated by the Certificate Authority, see sk14532.
- Clear the cache file. Make sure this is done at the CMA level:
# mdsstop_customer <CMA_short_name>
# mdsenv <CMA_short_name>
# mcd conf
# rm CPMILinksMgr.db*
- Run: mdsstart_customer <CMA_short_name>
- To re-establish the ICA server, run:
$MDSDIR/bin/mdsconfig -ca <CMA_short_name> <CMA_virtual_IP>
Note: The <CMA_short_name> and <CMA_virtual_IP> values can be found with mdsstat.
- Repeat the above steps on each CMA / Domain with a SIC problem.
- Run the mdsstop and mdsstart commands from the MDS environment to initialize the new ICA servers.
- In SmartDashboard, double-click the Security gateway object. The 'Gateway Cluster Properties' dialog box will appear.
- Click 'Cluster Members' in the left pane and double-click a 'Cluster Member' in the 'Gateway Cluster Members' list.
The 'Cluster Member Properties' dialog box shows.
- In the 'Secure Internal Communication' section make sure that 'CN=gateway_name' and 'O=CMA_name' are shown in the 'DN' field.
- Click 'Communication'. The 'Communication' dialog box shows.
- Click 'Reset'.
- Reset SIC on the gateway(s) in cpconfig.
- If there are VPNs on the gateway, reset the ICA Certificate as follows:
- In the 'Gateway Cluster Properties' mentioned above, select 'General Properties' in the left pane.
- Clear the 'VPN' checkbox in the 'Check Point Products' list.
- If the VPN is in a Community, it must first be removed from the community. Follow the prompts to remove the VPN service from the gateway.
- Reset the VPN service and install a new ICA Certificate by clicking the 'VPN' checkbox and following the prompts.
Reset the gateway to the VPN Community if the VPN is in Simplified Mode.
After SIC is reset, the Security policy should be installed on the gateway without problems.
After the ICA Certificate has been reset for the VPNs, VPN connections should resume.