How to reset Check Point SIC (Secure Internal Communications) on an APM or for the entire VAP group.

Article ID: 168071

Products

XOS

Issue/Introduction

Procedure to reset the SIC (Secure Internal Communications) on a specific VAP member (APM) or on the entire VAP group.

A "Failed to connect to the module" message indicates SIC is not operating correctly.

When testing the SIC from the Check Point Management station using "Test SIC Status", the following error messages appear:

- SIC Status for clem_fw_1: Not Communicating
- Peer SIC Certificate is revoked

Cause

SIC trust between the Check Point management server and the gateway is broken, for example because the gateway's SIC certificate was revoked on the management server. SIC must be re-initialized with a new one-time activation key in one of two ways:

- for the entire VAP group running the Check Point application, or
- on a specific VAP member of the VAP group.

Resolution

This procedure describes how to reset the SIC on the entire VAP group, as well as how to reset it on an individual VAP. In both cases the gateway side only stores a new one-time activation key; trust is re-established when the same key is entered for the gateway object on the Check Point management server (in SmartDashboard, the Communication dialog of the gateway object: enter the activation key and click Initialize) and the policy is installed again. Until that is done, every policy fetch fails with a SIC error, as seen in the cpstart output further down. Treat the activation key as a secret: it is pushed to every VAP in the group and anyone who knows it before trust is initialized can impersonate the gateway to the management server.

Resetting SIC on a VAP group

Run "show ap-vap-mapping" to display the relationship between the application (VAP group) and the APMs, including the slot and VAP IP address of each member:

 

hpasabcal5300f101# show ap-vap-mapping
Module  Slot  Status  VAP IP Address  VAP Group  Index  Master (true/false)
AP2     3     Active  1.1.2.101       VSX        1      false
AP3     4     Active  1.1.2.102       VSX        2      true
AP4     5     Active  1.1.2.103       VSX        3      false
(3 rows)

Perform this procedure through the CBS CLI for the VAP group. All VAPs within the group will be reset, and the VAP group will be reloaded.

Here is an example of resetting the SIC for the VAP group named 'VSX' running the Check Point VSX NGX R65 application:

 

hpasabcal5300f101# application vsx vap-group VSX configure

Configuring VAP Group "VSX" with VAPs: 1 2 3

Welcome to the Check Point VPN-1 Power VSX NGX R65
Configuration Program for the X Series platforms.
=========================================================================
This program will let you re-configure VPN-1 Power VSX NGX R65.

Configuration Options:
----------------------
(1)  Licenses
(2)  Enable SNMP Extensions
(3)  PKCS#11 Token
(4)  Random Pool
(5)  Secure Internal Communication
(6)  Disable Check Point High Availability/State Synchronization
(7)  Disable Check Point SecureXL
(8)  Automatic start of Check Point Products
(9)  Backup VSX configuration
(10) Cleanup VSX configuration
(11) Restore VSX configuration
(12) Configure Dynamic Routing
(13) Disable Overlapping IP Support
(14) Exit

Enter your choice (1-14) : 5

Configuring Secure Internal Communication...
============================================
The Secure Internal Communication is used for
authentication between Check Point components
Would you like to re-initialize communication? (y/n) (n) y

Note: The Secure Internal Communication will be reset now.
No communication will be possible until you reset and
re-initialize the communication properly!
Are you sure? (y/n) (n) y

You will now be prompted to enter a one time 'Activation Key' that
will be used to establish trust with the Check Point Management Server

NOTE: This Activation Key will be used for all VAPs in the VAP Group

Enter SIC Activation Key>
Again SIC Activation Key>

New SIC information will take effect after you restart
VPN-1 Power VSX NGX R65
Installing SIC one time password ******** on 1.1.2.101
Installing SIC one time password ******** on 1.1.2.102
Installing SIC one time password ******** on 1.1.2.103

Welcome to the Check Point VPN-1 Power VSX NGX R65
Configuration Program for the X Series platforms.
=========================================================================
This program will let you re-configure VPN-1 Power VSX NGX R65.

Configuration Options:
----------------------
(1)  Licenses
(2)  Enable SNMP Extensions
(3)  PKCS#11 Token
(4)  Random Pool
(5)  Secure Internal Communication
(6)  Disable Check Point High Availability/State Synchronization
(7)  Disable Check Point SecureXL
(8)  Automatic start of Check Point Products
(9)  Backup VSX configuration
(10) Cleanup VSX configuration
(11) Restore VSX configuration
(12) Configure Dynamic Routing
(13) Disable Overlapping IP Support
(14) Exit

Enter your choice (1-14) : 14

You have changed VPN-1 & FireWall-1 Configuration.
You need to restart ALL Check Point modules (performing cpstop & cpstart) in order to activate the changes you have made.
Would you like to do this now? (y/n) (y)

 

 

####----------------------------------------------------------------------####

Resetting SIC on a single VAP in a group

1. Enter the Unix-level prompt.

CBS# unix su

Password:

[[email protected] admin]#

2. RSH to the slot (the VAP member whose SIC is to be reset).

[[email protected] admin]# rsh fw1_1

Last login: Wed Mar 12 14:47:02 from primarycpm

fw1_1 (ibanez): root$

3. Run cpconfig. The following menu is displayed; this program lets you re-configure your VPN-1 & FireWall-1 configuration.

 

[[email protected] admin]# cpconfig

Configuration Options:
----------------------
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable Check Point High Availability/State Synchronization
(7) Automatic start of Check Point Products
(8) Exit

Enter your choice (1-8) : 5

Configuring Secure Internal Communication...
============================================
The Secure Internal Communication is used for authentication between Check Point components.
Trust State: Initialized but Trust was not established
Would you like to change the Activation Key? (y/n) [n] ? y
Enter Activation Key: xxxxxx
Again Activation Key: xxxxxx
The Secure Internal Communication was successfully initialized

Configuration Options:
----------------------
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable Check Point High Availability/State Synchronization
(7) Disable Check Point SecureXL
(8) Automatic start of Check Point Products
(9) Exit

Enter your choice (1-9) : 9
Thank You...

You have changed VPN-1 & FireWall-1 Configuration.
You need to restart ALL Check Point modules (performing cpstop & cpstart) in order to activate the changes you have made.
Would you like to do this now? (y/n) [y] ? y
VPN-1/FW-1 stopped
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
cpstart: Start product - SVN Foundation
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
cpstart: Start product - FireWall-1
FireWall-1: Starting external VPN module – OK
FireWall-1: Starting fwd
SecureXL device is enabled
Cannot get Security Policy from local: No State Saved
Fetching Security Policy from localhost failed
Fetching Security Policy From: 192.168.30.234
Fetch failed: Connection failed - SIC failure
Policy Server Fetch Failed
Policy Server Fetch Failed - Failed to fetch from masters in masters file
Fetching Security Policy From: 192.168.30.234
Fetch failed: Connection failed - SIC failure
Policy Fetch Failed
Failed to fetch policy from masters in masters file
cpridstop: cprid stopped
cpridstart: Starting cprid

 

The "SIC failure" lines above are expected at this point: the VAP now holds the new activation key, but trust has not yet been re-initialized from the management server, so no policy can be fetched until that is done.

DO NOT REBOOT from the Unix prompt. Exit unix and return to the CBS CLI; the VAP is reloaded from there in the next steps.

4. Run "show ap-vap-mapping" to find the slot number of the APM that was just fixed.

5. Run "reload module <slot>" on the CBS CLI to reboot that slot.
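The two look-ups this procedure depends on, as an added example that is not part of the original article: finding the slot to pass to "reload module <slot>" from "show ap-vap-mapping" output (steps 4 and 5 above, and the members of a whole VAP group), and checking cpstart or policy-fetch output like the transcript in step 3 for "SIC failure" lines so a script can tell whether trust has actually been re-established. The function names are this example's own, the embedded sample text is constructed from the article's transcript, and the script is meant to run on a workstation against copied CLI output, not on the CBS CLI itself (which is not a POSIX shell).

```shell
#!/bin/sh
# Added example, not from the original article. Helper functions for the two
# look-ups in this procedure, run on a workstation against CLI output you
# paste in. Function names and sample text are this example's own; the IPs
# and hostnames are the article's.

# Constructed copy of the "show ap-vap-mapping" output shown in the article.
SAMPLE_MAPPING='Module  Slot  Status  VAP IP Address  VAP Group  Index  Master (true/false)
AP2     3     Active  1.1.2.101       VSX        1      false
AP3     4     Active  1.1.2.102       VSX        2      true
AP4     5     Active  1.1.2.103       VSX        3      false
(3 rows)'

# Print the slot of the VAP whose VAP IP address is $1, for "reload module <slot>".
# Mapping output is read on stdin. Data rows start with APn; the header and the
# "(N rows)" trailer do not, so they are skipped. Exit status 1 if not found.
vap_slot_for_ip() {
    awk -v ip="$1" '
        $1 ~ /^AP[0-9]+$/ && $4 == ip { print $2; found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print the slots of every VAP in VAP group $1 (the whole-group reset reloads
# all of them), one per line, in table order.
vap_slots_for_group() {
    awk -v grp="$1" '$1 ~ /^AP[0-9]+$/ && $5 == grp { print $2 }'
}

# Constructed excerpt of the cpstart output in the article, after the key reset.
SAMPLE_CPSTART='FireWall-1: Starting fwd
SecureXL device is enabled
Fetching Security Policy From: 192.168.30.234
Fetch failed: Connection failed - SIC failure
Policy Server Fetch Failed
Fetching Security Policy From: 192.168.30.234
Fetch failed: Connection failed - SIC failure
Policy Fetch Failed
cpridstart: Starting cprid'

# Scan cpstart / policy-fetch output on stdin. Print each management server
# (the address after "Fetching Security Policy From:") whose fetch then failed
# with "SIC failure", once each. Exit 1 if any SIC failure was seen, else 0,
# so it can gate a script: trust is not re-established until this returns 0.
sic_fetch_failures() {
    awk '
        /^Fetching Security Policy From: / { master = $NF; next }
        /SIC failure/ {
            n++
            if (master != "" && !(master in seen)) { seen[master] = 1; print master }
        }
        END { if (n > 0) exit 1; exit 0 }'
}

# Usage with the constructed samples:
#   printf "%s\n" "$SAMPLE_MAPPING" | vap_slot_for_ip 1.1.2.102   -> 4
#   printf "%s\n" "$SAMPLE_MAPPING" | vap_slots_for_group VSX      -> 3 4 5
#   printf "%s\n" "$SAMPLE_CPSTART" | sic_fetch_failures           -> 192.168.30.234 (exit 1)
# Then, on the CBS CLI: reload module 4
```

Paste the real "show ap-vap-mapping" output into vap_slot_for_ip with the VAP IP of the member you reset (the fw1_1 VAP in the transcript) to get the slot for "reload module". After trust has been initialized on the management server and the policy installed, feed the next cpstart output to sic_fetch_failures; an exit status of 0 means no fetch failed on SIC, which is the condition to verify before moving on.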

 

 

 

Workaround

N/A