Automatic SIC renewal mechanism does not function correctly in R70, R70.1 and R70.20
Symptoms
  • SIC renewal is not performed automatically in R70, R70.1 and R70.20.
  • SIC communication between Security Management server and Security Gateway fails.
  • Security policy installation fails.
  • Logs cannot be sent.
  • SmartDashboard fails to connect to the Security Management server.
Cause

The earliest date on which this issue can cause a problem is 15 months after the installation of R70/R70.1/R70.20, and no earlier than May 2010.

For an upgraded environment, this problem can happen only when both of the following conditions are met:

  • Five years have passed since the initial installation of NGX R60 / R61 / R62 / R65 on the Security Gateway.
  • The Security Gateway was upgraded by way of an in-place upgrade to R70 / R70.1 / R70.20.


For a new R70/R70.1/R70.20 installation, the problem can first occur 5 years after the installation, when the initial SIC certificate expires.


Note: Remote Access, Connectra and VPN-1 Power VSX users are NOT affected.

The SIC (Secure Internal Communication) protocol is used for secured communication between gateways and management servers. The Security Management server, which hosts the Internal Certificate Authority (ICA), automatically generates a SIC certificate for each gateway; each certificate is valid for 5 years. For additional information, refer to the 'Securing Channels of Communication (SIC)' chapter in the R70 Security Management Server Administration Guide.

15 months before the SIC certificate expiration date, the Security Gateway automatically begins the SIC renewal process, during which a new certificate, valid for a further 5 years, is issued.

Check Point has identified an issue causing the SIC certificate renewal mechanism to not function correctly.


Solution

To find out whether this issue is relevant to you, check the expiration date of your SIC certificates using one of the following procedures:

For Provider-1 MDS:

  1. Switch to the context of the MDS:

    [Expert@HostName]# mdsenv

  2. Copy the ICA web interface files (.htm and .gif) from the MDS template directory into the MDS configuration directory, so that the ICA management tool can be used from the MDS:

    [Expert@HostName]# cp $MDS_TEMPLATE/conf/crls/*.htm  $MDSDIR/conf/crls/
    [Expert@HostName]# cp $MDS_TEMPLATE/conf/crls/*.gif  $MDSDIR/conf/crls/

  3. Follow the procedure for Security Management Server described below.

For Provider-1 CMA:

  1. Switch to the context of the CMA:

    [Expert@HostName]# mdsenv CMA_NAME

  2. Follow the procedure for Security Management Server described below.

For Security Management server:

Perform one of the following:

  • From the CLI

    Run the following command to list the existing certificates (use '-kind SIC -stat Valid' to list only the valid SIC certificates):

    [Expert@HostName]# cpca_client [-d] lscert [-dn substr] [-stat Pending|Valid|Revoked|Expired|Renewed] [-kind SIC|IKE|User|LDAP] [-ser ser] [-dp dp]

    The expiration date of each certificate is printed in its 'Not_After' field. For more details, refer to sk62873 (How to determine SIC Certificate expiration date).

  • From the GUI

    1. Run the following command to enable HTTP access to the ICA web interface:

      [Expert@HostName]# cpca_client set_mgmt_tool on -no_ssl

      Note: '-no_ssl' enables clear-text HTTP. If you omit it, the ICA web interface is served over HTTPS instead (https://IP_Address_of_MGMT_Server:18265). Either way, disable the web interface again when you are done (step 6).

    2. Using a web browser, connect to the Security Management Server on port 18265:

      http://IP_Address_of_MGMT_Server:18265

    3. Select:
      • in "Type" field - "Secure Internal Communication"
      • in "Status" field - "Valid"


    4. Click the 'Search' button.

    5. The search results list every valid SIC certificate. The expiration date of each SIC certificate is listed in the "Valid Until" field.

    6. Disable web access to the ICA by running the following command on the Security Management Server:

      [Expert@HostName]# cpca_client set_mgmt_tool off

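The CLI procedure above leaves it to the administrator to read the 'Not_After' dates off the cpca_client output. As an added example (not part of the original SecureKnowledge article), the following POSIX shell function applies the "within a year of expiration" check to that output automatically. The sample output embedded in the script is constructed for this example; the field layout (Subject / Status, Kind, Serial / Not_Before, Not_After) follows what cpca_client lscert prints, and the function assumes GNU date ("date -d") for parsing the timestamps.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Flags SIC certificates in "cpca_client lscert" output whose Not_After date
# falls within DAYS days of a reference time (epoch seconds), i.e. the
# certificates the article says should be renewed now.
# Assumes GNU date ("date -d"), as found on SecurePlatform and Gaia.

# Usage: sic_expiring_within DAYS REF_EPOCH < lscert_output
# Prints "<serial> <subject> <Not_After>" for every certificate of Kind = SIC
# that expires on or before REF_EPOCH + DAYS days. Exit status 0 if at least
# one certificate was printed, 1 otherwise.
sic_expiring_within() {
    days=$1
    ref=$2
    limit=$((ref + days * 86400))
    found=1
    subject=
    serial=
    kind=
    while IFS= read -r line; do
        case "$line" in
            "Subject = "*)
                subject=${line#Subject = }
                ;;
            "Status = "*)
                # e.g. "Status = Valid   Kind = SIC   Serial = 10002   DP = 0"
                kind=$(printf '%s\n' "$line" | sed -n 's/.*Kind = \([A-Za-z]*\).*/\1/p')
                serial=$(printf '%s\n' "$line" | sed -n 's/.*Serial = \([0-9]*\).*/\1/p')
                ;;
            "Not_Before: "*)
                # e.g. "Not_Before: Wed Jun 15 18:59:44 2005    Not_After: Tue Jun 15 18:59:44 2010"
                not_after=${line#*Not_After: }
                # Drop the weekday so date(1) cannot "correct" the date forward.
                stamp=${not_after#* }
                [ "$kind" = "SIC" ] || continue
                exp=$(date -d "$stamp" +%s) || continue
                if [ "$exp" -le "$limit" ]; then
                    printf '%s\t%s\t%s\n' "$serial" "$subject" "$not_after"
                    found=0
                fi
                ;;
        esac
    done
    return $found
}

# CONSTRUCTED sample of "cpca_client lscert -stat Valid" output for this example.
# The IKE entry is included to show that the Kind filter ignores it.
SAMPLE_LSCERT='Operation succeeded. rc=0.
3 certificates have been found.

Subject = CN=cp_mgmt,O=mgmt.example.com.abc123
Status = Valid   Kind = SIC   Serial = 10001   DP = 0
Not_Before: Tue Feb 10 09:00:00 2009    Not_After: Mon Feb 10 09:00:00 2014

Subject = CN=gw-branch,O=mgmt.example.com.abc123
Status = Valid   Kind = SIC   Serial = 10002   DP = 0
Not_Before: Wed Jun 15 18:59:44 2005    Not_After: Tue Jun 15 18:59:44 2010

Subject = CN=gw-branch VPN Certificate,O=mgmt.example.com.abc123
Status = Valid   Kind = IKE   Serial = 10003   DP = 0
Not_Before: Wed Jun 15 18:59:44 2005    Not_After: Tue Jun 15 18:59:44 2010'

# Run against the sample as of 1 July 2009 (epoch 1246406400): only the
# gw-branch SIC certificate (expires June 2010) is within a year.
# On a live Security Management Server (or inside "mdsenv CMA_NAME") use:
#   cpca_client lscert -kind SIC -stat Valid | sic_expiring_within 365 "$(date +%s)"
printf '%s\n' "$SAMPLE_LSCERT" | sic_expiring_within 365 1246406400
```

On Provider-1, run the pipeline once per CMA after switching into its context with 'mdsenv CMA_NAME', since each CMA has its own ICA. The exit status makes the check usable from a cron job or a monitoring script: a non-zero status means no SIC certificate is due for renewal.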
 

To resolve the problem, Check Point recommends renewing all SIC certificates that are within a year of expiration.

To renew the SIC certificates, do one of the following:

  1. Contact Check Point Support to obtain a Hotfix with fixed CPD binaries, which renews the SIC certificate automatically when needed.

    This fix is included in:

    • Check Point R70.30
    • Check Point R71
    • Check Point R71.45

    Check Point recommends always upgrading to the most recent version.

    For R70 GA, R70.1, and R70.20, Check Point can supply a Hotfix. Contact Check Point Support to get a Hotfix for this issue. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.

  2. Manually renew the SIC certificate by resetting SIC for the gateway: in SmartDashboard, open the gateway object, go to 'Communication' and click 'Reset'; then, on the gateway, re-initialize SIC with the same activation key (via cpconfig, or 'cp_conf sic init <activation key>'), re-establish trust from the gateway object's 'Communication' window, and install the policy. The ICA issues a new certificate with a fresh 5-year validity period.

This solution concerns products that are no longer supported and will not be updated.
Applies To:
  • 00496700 , 00566900 , 00752678 , 00531275 , 00734474 , 00531183 , 00530812 , 00531120 , 00531121
