A "Failed to connect to the module" message indicates SIC is not operating correctly.
When testing the SIC from the Check Point Management station using "Test SIC Status", the following error messages appear:
· SIC Status for clem_fw_1: Not Communicating
· Peer SIC Certificate is revoked
This procedure describes how to reset the SIC on the entire VAP group, as well as how to reset it on individual VAPs.
Run "show ap-vap-mapping" to display which APM (module and slot) hosts each VAP of the application's VAP group.
hpasabcal5300f101# show ap-vap-mapping
Module  Slot  Status  VAP IP Address  VAP Group  Index  Master (true/false)
AP2     3     Active  1.1.2.101       VSX        1      false
AP3     4     Active  1.1.2.102       VSX        2      true
AP4     5     Active  1.1.2.103       VSX        3      false
(3 rows)
Perform this procedure through the CBS CLI for the VAP group. All VAPs within the group will be reset, and the VAP group will be reloaded.
Here is an example of resetting the SIC for the VAP group named 'VSX' running the Check Point VSX NGX R65 application:
hpasabcal5300f101# application vsx vap-group VSX configure
Configuring VAP Group "VSX" with VAPs: 1 2 3
Welcome to the Check Point VPN-1 Power VSX NGX R65
Configuration Program for the X Series platforms.
=========================================================================
This program will let you re-configure VPN-1 Power VSX NGX R65.
Configuration Options:
----------------------
(1) Licenses
(2) Enable SNMP Extensions
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable Check Point High Availability/State Synchronization
(7) Disable Check Point SecureXL
(8) Automatic start of Check Point Products
(9) Backup VSX configuration
(10) Cleanup VSX configuration
(11) Restore VSX configuration
(12) Configure Dynamic Routing
(13) Disable Overlapping IP Support
(14) Exit
Enter your choice (1-14) : 5
Configuring Secure Internal Communication...
============================================
The Secure Internal Communication is used for
authentication between Check Point components
Would you like to re-initialize communication? (y/n) (n) y
Note: The Secure Internal Communication will be reset now.
No communication will be possible until you reset and
re-initialize the communication properly!
Are you sure? (y/n) (n) y
You will now be prompted to enter a one time 'Activation Key' that
will be used to establish trust with the Check Point Management Server
NOTE:This Activation Key will be used for all VAPs in the VAP Group
Enter SIC Activation Key>
Again SIC Activation Key>
New SIC information will take effect after you restart
VPN-1 Power VSX NGX R65
Installing SIC one time password ******** on 1.1.2.101
Installing SIC one time password ******** on 1.1.2.102
Installing SIC one time password ******** on 1.1.2.103
Welcome to the Check Point VPN-1 Power VSX NGX R65
Configuration Program for the X Series platforms.
=========================================================================
This program will let you re-configure VPN-1 Power VSX NGX R65.
Configuration Options:
----------------------
(1) Licenses
(2) Enable SNMP Extensions
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable Check Point High Availability/State Synchronization
(7) Disable Check Point SecureXL
(8) Automatic start of Check Point Products
(9) Backup VSX configuration
(10) Cleanup VSX configuration
(11) Restore VSX configuration
(12) Configure Dynamic Routing
(13) Disable Overlapping IP Support
(14) Exit
Enter your choice (1-14) : 14
You have changed VPN-1 & FireWall-1 Configuration.
You need to restart ALL Check Point modules (performing cpstop & cpstart) in order to activate the changes you have made.
Would you like to do this now? (y/n) (y)
####----------------------------------------------------------------------####
To reset the SIC on an individual VAP only, log in to the Unix level of the CBS and run cpconfig on the affected slot:
1. Enter the Unix level prompt.
CBS# unix su
Password:
[[email protected] admin]#
2. RSH to the slot.
[[email protected] admin]# rsh fw1_1
Last login: Wed Mar 12 14:47:02 from primarycpm
fw1_1 (ibanez): root$
3. Run cpconfig.
The following menu is displayed. This program will let you re-configure your VPN-1 & FireWall-1 configuration.
[[email protected] admin]# cpconfig
Configuration Options:
----------------------
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable Check Point High Availability/State Synchronization
(7) Automatic start of Check Point Products
(8) Exit
Enter your choice (1-8) : 5
Configuring Secure Internal Communication...
============================================
The Secure Internal Communication is used for authentication between Check Point components.
Trust State: Initialized but Trust was not established
Would you like to change the Activation Key? (y/n) [n] ? y
Enter Activation Key: xxxxxx
Again Activation Key: xxxxxx
The Secure Internal Communication was successfully initialized
Configuration Options:
----------------------
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable Check Point High Availability/State Synchronization
(7) Disable Check Point SecureXL
(8) Automatic start of Check Point Products
(9) Exit
Enter your choice (1-9) :9
Thank You...
You have changed VPN-1 & FireWall-1 Configuration.
You need to restart ALL Check Point modules (performing cpstop & cpstart) in order to activate the changes you have made.
Would you like to do this now? (y/n) [y] ? y
VPN-1/FW-1 stopped
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
cpstart: Start product - SVN Foundation
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
cpstart: Start product - FireWall-1
FireWall-1: Starting external VPN module – OK
FireWall-1: Starting fwd
SecureXL device is enabled
Cannot get Security Policy from local: No State Saved
Fetching Security Policy from localhost failed
Fetching Security Policy From: 192.168.30.234
Fetch failed: Connection failed - SIC failure
Policy Server Fetch Failed
Policy Server Fetch Failed - Failed to fetch from masters in masters file
Fetching Security Policy From: 192.168.30.234
Fetch failed: Connection failed - SIC failure
Policy Fetch Failed
Failed to fetch policy from masters in masters file
cpridstop: cprid stopped
cpridstart: Starting cprid
DO NOT REBOOT
Exit unix and return to the CLI.
4. Run "show ap-vap-mapping" to find the slot number of the blade that was just fixed.
5. Run "reload module <slot>" to reboot that slot.
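As an added example (not part of the original procedure and not an X-Series or Check Point tool), the following Python helper parses saved "show ap-vap-mapping" output to look up the slot for the "reload module <slot>" step, checks that the row count matches the "(N rows)" trailer so a truncated copy-paste is caught, and flags the "SIC failure" lines in saved cpstart output, which mean the module restarted but trust with the management server has not yet been re-established. The sample inputs are copied from this page.

```python
import re

# Constructed sample: "show ap-vap-mapping" output as shown on this page.
SAMPLE_MAPPING = """\
Module  Slot  Status  VAP IP Address  VAP Group  Index  Master (true/false)
AP2     3     Active  1.1.2.101       VSX        1      false
AP3     4     Active  1.1.2.102       VSX        2      true
AP4     5     Active  1.1.2.103       VSX        3      false
(3 rows)
"""

# Constructed sample: tail of the cpstart output after cpconfig on this page.
SAMPLE_CPSTART = """\
FireWall-1: Starting fwd
Fetching Security Policy From: 192.168.30.234
Fetch failed: Connection failed - SIC failure
Policy Server Fetch Failed
cpridstart: Starting cprid
"""

ROW_RE = re.compile(
    r"^(?P<module>AP\d+)\s+(?P<slot>\d+)\s+(?P<status>\S+)\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<group>\S+)\s+(?P<index>\d+)\s+"
    r"(?P<master>true|false)$"
)
TRAILER_RE = re.compile(r"^\((?P<n>\d+) rows?\)$")


def parse_mapping(text):
    """Return one dict per APM row; raise if the '(N rows)' trailer disagrees."""
    rows, declared = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := ROW_RE.match(line)):
            d = m.groupdict()
            d["slot"], d["index"] = int(d["slot"]), int(d["index"])
            d["master"] = d["master"] == "true"
            rows.append(d)
        elif (t := TRAILER_RE.match(line)):
            declared = int(t.group("n"))
    if declared is not None and declared != len(rows):
        raise ValueError(f"trailer says {declared} rows, parsed {len(rows)}")
    return rows


def slot_for_vap(rows, group, index):
    """Slot for 'reload module <slot>' of VAP <index> in <group>; None if absent."""
    return next((r["slot"] for r in rows
                 if r["group"] == group and r["index"] == index), None)


def sic_failures(cpstart_text):
    """cpstart lines showing a policy fetch blocked by SIC, i.e. trust not yet re-established."""
    return [ln for ln in cpstart_text.splitlines() if "SIC failure" in ln]
```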