I'm wondering if anyone has seen this or if it might lead to anything. I set the cpd debug on, and am looking at the cpd.elg log file. In it I'm getting the following fragment: What concerns me is the line about Messaging Mechanism failure. Unfortunately I don't know what would be needed to fix the messaging, if that's what the problem is. Google really gives me nothing on this.

==> cpd.elg <==
[1 Aug 13:50:39] certificate not before : Thu Jul 31 12:04:39 2003
[1 Aug 13:50:39] certificate not after : Wed Jul 30 12:04:39 2008
[1 Aug 13:50:39] renew ratio : 0.750000
[1 Aug 13:50:39] renew time : Tue May 1 00:04:39 2007
[1 Aug 13:50:39] now : Fri Aug 1 13:50:39 2008
[1 Aug 13:50:39] Schedule_SIC_Renewal: SIC certificate renewal was scheculed for 0 seconds from now.
[1 Aug 13:50:39] Cpd started
[1 Aug 13:50:39] Get_SIC_KeyHolder: SIC certificate read successfully
[1 Aug 13:50:39] cpsic_get_cert_renewal_time: Renewal time:
[1 Aug 13:50:39] certificate not before : Thu Jul 31 12:04:39 2003
[1 Aug 13:50:39] certificate not after : Wed Jul 30 12:04:39 2008
[1 Aug 13:50:39] renew ratio : 0.750000
[1 Aug 13:50:39] renew time : Tue May 1 00:04:39 2007
[1 Aug 13:50:39] now : Fri Aug 1 13:50:39 2008
[1 Aug 13:50:39] cpd_sic_renew: Succeeded to run /opt/CPshrd-50-04/bin/sicRenew.
[1 Aug 13:50:40] Renew_SIC_Cert_cb: CPD failed to renew sic certificate. status = 3, rc - -1.
[1 Aug 13:50:40] Renew_SIC_Cert_cb: Will try again in 1 hour.
[1 Aug 13:50:40] Schedule_SIC_Renewal: SIC certificate renewal was scheculed for 3600 seconds from now.
[1 Aug 14:03:03] SIC initialization started
[1 Aug 14:03:03] Read the machine's sic name: cn=cp_mgmt,o=mpcgw1.proteomeconsortium.org.6nvqcn
[1 Aug 14:03:03] Initialized sic infrastructure
[1 Aug 14:03:03] SIC certificate read successfully
[1 Aug 14:03:03] Initialized SIC authentication methods
[1 AUG 14:03:03] CPSIC ERROR: MESSAGING MECHANISM FAILURE - COULD NOT INITIALIZE MESSAGING DAEMON.
[1 Aug 14:03:03] Failed to initialize SIC. Exiting ...
[1 Aug 14:03:37] Starting debug output
[1 Aug 14:08:46] fwasync_conn_params: <7f000001,18191> -> <7f000001,33305>
[1 Aug 14:08:46] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[1 Aug 14:08:46] sic_server_set_version: 57 protocol version is 51000000
[1 Aug 14:08:46] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[1 Aug 14:08:46] sic_server_get_sic_type: 57 security type is CpdAdmin.
[1 Aug 14:08:46] policy_query: src : cn=cp_mgmt,o=mpcgw1.proteomeconsortium.org.
[1 Aug 14:08:46] PM_session_init: given session I(cn=cp_mgmt,o=mpcgw1.proteomeco ;18191;CpdAdmin).
[1 Aug 14:08:46] PM_policy_query: input session I(cn=cp_mgmt,o=mpcgw1.proteomeco ;18191;CpdAdmin).
[1 Aug 14:08:46] PM_policy_query: rule found (ANY;ME;ANY;ANY;cp_local(1/1)).
[1 Aug 14:08:46] PM_policy_query: finished successfully. 1st method = cp_local
[1 Aug 14:08:46] fwasync_set_opaque: 57: purging opaque 816e440
[1 Aug 14:08:58] fwasync_conn_params: <7f000001,18191> -> <7f000001,33306>
[1 Aug 14:08:58] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[1 Aug 14:08:58] sic_server_set_version: 57 protocol version is 51000000
[1 Aug 14:08:58] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[1 Aug 14:08:58] sic_server_get_sic_type: 57 security type is CpdAdmin.
[1 Aug 14:08:58] policy_query: src : cn=cp_mgmt,o=mpcgw1.proteomeconsortium.org.
[1 Aug 14:08:58] PM_session_init: given session I(cn=cp_mgmt,o=mpcgw1.proteomeco ;18191;CpdAdmin).
[1 Aug 14:08:58] PM_policy_query: input session I(cn=cp_mgmt,o=mpcgw1.proteomeco ;18191;CpdAdmin).
[1 Aug 14:08:58] PM_policy_query: rule found (ANY;ME;ANY;ANY;cp_local(1/1)).
[1 Aug 14:08:58] PM_policy_query: finished successfully. 1st method = cp_local
[1 Aug 14:08:58] fwasync_set_opaque: 57: purging opaque 816e440

Bob Grabbe
Michigan Proteome Consortium
[EMAIL PROTECTED]

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Bob Grabbe
Sent: Friday, August 01, 2008 12:32 PM
To: [email protected]
Subject: Re: [FW-1] Trying to recreate vpn certificate

Right, I've already done that, maybe it wasn't clear before. What I did was to uncheck the vpn-1 product, saved and installed the policy on the firewall. Closed the dashboard, cpstop, cpstart, then reopen the dashboard and try to delete the vpn certificate. This is the point where I get the message about not being able to contact the ca.

See, I really think it's a problem with the ca somehow, and not with the cert itself. I just haven't been able to find any way to re-establish contact with the ca, either through the dashboard or through ssh onto the firewall. It makes it very frustrating, because the firewall thinks the ca is fine, but still can't communicate with it to manage any certificate. At least that's what it seems like.

Again, thanks for your help both yesterday and today.

Bob Grabbe
Michigan Proteome Consortium
[EMAIL PROTECTED]

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Roger Herr
Sent: Friday, August 01, 2008 11:45 AM
To: [email protected]
Subject: Re: [FW-1] Trying to recreate vpn certificate

You need to un-check the VPN and leave it un-checked.

Roger Herr
WhyNot? Consulting Services
24165 IH 10 West Suite 217-183
San Antonio, Texas 78257
210-860-3990

Some men see things as they are and say why? I dream things that never were and say "Why Not?"
-Robert F. Kennedy

Or the original

You see things; and you say "Why?" But I dream things that never were; and I say "Why not?"
George Bernard Shaw (1856-1950)

----- Original Message -----
From: "Bob Grabbe" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, August 01, 2008 10:05 AM
Subject: Re: [FW-1] Trying to recreate vpn certificate

> I'm not sure what you mean by this. The only certificate I'm seeing in the
> dashboard is on the properties of the gateway, under the vpn tab. This is
> the one I'm trying to delete and renew, but I'm not able to delete it, even
> after disabling everything related to the vpn.
> If this is not the same cert you are talking about, could you send me more
> info on what procedure you would be referring to and what cert?
> I'll basically try almost anything at this point, I'm very open to
> suggestions.
> Thanks
>
> Bob Grabbe
> Michigan Proteome Consortium
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Claudia Cordova
> Sent: Friday, August 01, 2008 10:42 AM
> To: [email protected]
> Subject: Re: [FW-1] Trying to recreate vpn certificate
>
> Did you try revoking the cert for GW or SC?
>
>
> Sent from my BlackBerry
>
> -----Original Message-----
> From: Bob Grabbe <[EMAIL PROTECTED]>
>
> Date: Tue, 29 Jul 2008 09:53:55
> To: <[email protected]>
> Subject: [FW-1] Trying to recreate vpn certificate
>
>
> I apologize for the long post, but this is my second day trying to resolve
> this, no one seems to have any answers that work, I'm restating the problem
> in hopes of further suggestions.
>
> Environment is a Checkpoint R54 NG AI installation running on Red Hat. Ver
> on the firewall shows Check Point SecurePlatform NG with Application
> Intelligence build 142. Up until yesterday everything was working, then the
> vpn certificate expired. My understanding is that it should have
> automatically renewed itself, but this didn't happen.
> Currently I'm running the dashboard on a Windows XP platform, and I can only
> connect to the firewall if I set the date on my pc to be before the expiry
> date. The firewall is showing the current date, but I have to set my local
> pc to July 29 or earlier or I get the error that the cert has expired, date
> is wrong, etc. Seems strange to me that it would be on my local pc that I
> have to change the date, but that's what is working.
>
> What I've tried so far:
>
> 1. In the firewall properties, disabled the vpn-1, took the firewall out of
> any vpn communities, got everything to the point where I should be able to
> delete the cert and recreate it. I get an error "Unable to contact
> Certificate Authority on the management station" (I actually get this also
> when trying to edit the firewall's properties, but then the edit window
> opens).
> If I look at the internal_ca, I have no problem opening it to view its
> properties, though. Its expiry is set to 2023.
>
> 2. Ssh to the server, run cpstop, try to run cpca_client to revoke, then
> recreate the cert. This is in line with SK20905, but trying to revoke I get
> an error: "Error, rc=-1 err=-96 Connection error". This seems like it is
> indicating an error talking to the ca, but I'm not sure of this. Haven't
> tried deleting and recreating the ca, as I thought this could be a bit
> scary. Cpconfig does show that the ca is running, though.
> No combination of ways to run the revoke_cert works, I consistently get the
> same error.
>
> At this point I'm assuming or thinking that there's a problem with the ca,
> any suggestions to debug this would be appreciated.
>
>
>
> Bob Grabbe
> Michigan Proteome Consortium
> [EMAIL PROTECTED]
>
>
> Scanned by Check Point Total Security Gateway.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
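As an added example (not part of the thread), a small Python script that re-checks the SIC renewal arithmetic in the cpd.elg fragment at the top of the thread. It assumes the renewal point is computed as not_before + ratio * (not_after - not_before); under that assumption it reproduces the logged "Tue May 1 00:04:39 2007" exactly and shows that, at the logged "now", the renewal window had been missed by over a year and the certificate was already expired, which is consistent with the scheduler firing renewal "0 seconds from now" and the renew callback failing.

```python
"""Re-check the SIC certificate renewal window from a cpd.elg fragment."""
import re
from datetime import datetime

# Constructed input: the renewal-time block copied from the cpd.elg fragment in the post.
CPD_ELG = """\
[1 Aug 13:50:39] certificate not before : Thu Jul 31 12:04:39 2003
[1 Aug 13:50:39] certificate not after : Wed Jul 30 12:04:39 2008
[1 Aug 13:50:39] renew ratio : 0.750000
[1 Aug 13:50:39] renew time : Tue May 1 00:04:39 2007
[1 Aug 13:50:39] now : Fri Aug 1 13:50:39 2008
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style timestamps as printed by cpd
FIELD_RE = re.compile(
    r"^\[[^\]]+\] (certificate not before|certificate not after|renew ratio|renew time|now) : (.+)$"
)


def parse_renewal_block(text):
    """Return the five fields; timestamps as datetime, the ratio as float."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        fields[key] = float(value) if key == "renew ratio" else datetime.strptime(value, TIME_FMT)
    return fields


def compute_renew_time(not_before, not_after, ratio):
    """Assumed formula: renew at `ratio` of the way through the validity period."""
    return not_before + (not_after - not_before) * ratio


def assess(fields):
    """Place `now` relative to the renewal point and the expiry, and cross-check the log."""
    now, not_after = fields["now"], fields["certificate not after"]
    renew_at = compute_renew_time(fields["certificate not before"], not_after, fields["renew ratio"])
    if now >= not_after:
        state = "expired"            # too late: renewal needs a still-valid certificate
    elif now >= renew_at:
        state = "renewal-overdue"    # inside the renewal window, cert still usable
    else:
        state = "valid"
    return {"renew_at": renew_at, "matches_log": renew_at == fields["renew time"],
            "state": state, "overdue_days": (now - renew_at).days}


if __name__ == "__main__":
    print(assess(parse_renewal_block(CPD_ELG)))
```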
