The problem I have with doing this is that fwm sic_reset won't run. In expert mode, I try to run it and get a message that "There are IKE certificates that were generated by the internal certificate authority. Please remove them using the smartdashboard so that the internal certificate authority can be destroyed." I've tried doing this through the dashboard, but I'm not able to. I have been consistently getting an error on connecting to the CA. If I could get the cert deleted through the dashboard I think I could resolve it, but I haven't yet been able to, no matter what I try.
Bob Grabbe
Michigan Proteome Consortium
[EMAIL PROTECTED]

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Roger Herr
Sent: Friday, August 01, 2008 10:21 AM
To: [email protected]
Subject: Re: [FW-1] Trying to recreate vpn certificate

After running fwm sic_reset did you run cpconfig and recreate the ICA?

Roger Herr
WhyNot? Consulting Services
24165 IH 10 West Suite 217-183
San Antonio, Texas 78257
210-860-3990

Some men see things as they are and say why? I dream things that never were and say "Why Not?" -Robert F. Kennedy
Or the original: You see things; and you say "Why?" But I dream things that never were; and I say "Why not?" George Bernard Shaw (1856-1950)

----- Original Message -----
From: "Bob Grabbe" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, July 29, 2008 8:53 AM
Subject: [FW-1] Trying to recreate vpn certificate

> I apologize for the long post, but this is my second day trying to resolve
> this; no one seems to have any answers that work, so I'm restating the
> problem in hopes of further suggestions.
>
> Environment is a Checkpoint R54 NG AI installation running on Red Hat. Ver
> on the firewall shows Check Point SecurePlatform NG with Application
> Intelligence build 142. Up until yesterday everything was working, then the
> vpn certificate expired. My understanding is that it should have
> automatically renewed itself, but this didn't happen.
> Currently I'm running the dashboard on a Windows XP platform, and I can only
> connect to the firewall if I set the date on my pc to be before the expiry
> date. The firewall is showing the current date, but I have to set my local
> pc to July 29 or earlier or I get the error that the cert has expired, date
> is wrong, etc. Seems strange to me that it would be on my local pc that I
> have to change the date, but that's what is working.
>
> What I've tried so far:
>
> 1. In the firewall properties, disabled the vpn-1, took the firewall out of
> any vpn communities, got everything to the point where I should be able to
> delete the cert and recreate it. I get an error "Unable to contact
> Certificate Authority on the management station" (I actually get this also
> when trying to edit the firewall's properties, but then the edit window
> opens). If I look at the internal_ca, I have no problem opening it to view
> its properties, though. Its expiry is set to 2023.
>
> 2. Ssh to the server, run cpstop, try to run cpca_client to revoke, then
> recreate the cert. This is in line with SK20905, but trying to revoke I get
> an error: "Error, rc=-1 err=-96 Connection error". This seems like it is
> indicating an error talking to the ca, but I'm not sure of this. Haven't
> tried deleting and recreating the ca, as I thought this could be a bit
> scary. Cpconfig does show that the ca is running, though.
> No combination of ways to run the revoke_cert works; I consistently get the
> same error.
>
> At this point I'm assuming or thinking that there's a problem with the ca;
> any suggestions to debug this would be appreciated.
>
> Bob Grabbe
> Michigan Proteome Consortium
> [EMAIL PROTECTED]
>
> Scanned by Check Point Total Security Gateway.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
