Firewall-1

[FW-1] Certificate cannot be validated error

Subject: [FW-1] Certificate cannot be validated error
From: David A Muscat <muscatd AT AU1.IBM DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 25 Aug 2004 15:25:59 +1000
Hi everyone,

In our firewall logs we get the following error:

Number:              1103102
Date:                25Aug2004
Time:                14:33:59
Product:             VPN-1 & FireWall-1
Interface:           daemon
Origin:              xxxxxxxx
Type:                Log
Action:              Key Install
Encryption Scheme:   NA
Information:         Validation log: Certificate defaultCert cannot be validated.
                     Reason: No valid CRL.
                     DN: CN=xxxxxx VPN Certificate,O=xxxxxxx..xxxxx
                     Instruction: If this log persists, contact the CA administrator.

This error occurs just after a policy has been installed and although I
cannot confirm it, I think it may be the cause of site-to-site failures off
this firewall. Strangely enough though, all remote access users can VPN in
without any issue. We have another firewall at a different site, same
version and everything, and controlled by the same firewall manager. This
other firewall doesn't have any issue.

After the above error, we then get the following errors throughout the log
from the problem firewall:

Number:              1105916
Date:                25Aug2004
Time:                14:35:08
Product:             VPN-1 & FireWall-1
Interface:           qfe0
Origin:              xxxxxxxx
Type:                Log
Action:              Drop
Encryption Scheme:   NA
Information:         encryption failure: Packet is dropped as there is no valid SA

I've also checked the certificate for the firewall. It says it's valid till
sometime in 2007 so I don't think that's the problem.

The Check Point knowledge base makes reference to the first problem above,
but its solution talks about VPN-1 SmallOffice, not VPN-1 Pro (solution ID
sk13321). I've pasted the text from it below.

Symptoms

Error message in the Log Viewer
Error: "Validation log: Certificate defaultCert cannot be validated.
Reason: No valid CRL. DN: CN=cpmodule VPN Certificate,O=check-3wm85vbkn..tjfer5
Instruction: If this log persists, contact the CA administrator."

Solution

Through the VPN-1 SmallOffice Web Interface, select Device Setup > Time and
set the Time Zone to the correct GMT offset, then apply the changes.


Now the enforcement module having the issue is in a different timezone from
its firewall manager. The other enforcement module that DOES work with
extranet VPNs is in the same timezone as the firewall manager. Would a
difference in timezone settings really matter?

Regards,

David

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
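The knowledge base article above says only "set the Time Zone"; the following added example (constructed for this page, not Check Point code or the poster's) shows why a zone setting can matter to CRL validation even when the wall clock reads the correct local time. A CRL carries a UTC validity window (thisUpdate, nextUpdate). A gateway that derives UTC from its wall clock and its configured zone offset will be wrong by the error in that offset, and a fresh CRL can then appear either "not yet valid" or "expired", which is exactly the "No valid CRL" condition that prevents peer certificates from being checked and leaves the tunnel with no SA. The CRL times, the Sydney (+10) wall clock and the offsets are all assumed values chosen to illustrate the mechanism; real CRL lifetimes depend on the CA.

```python
"""Constructed example: how a wrong time-zone offset turns a fresh CRL into
"No valid CRL". Not Check Point code; all times and offsets are assumed."""
from datetime import datetime, timedelta, timezone

# Constructed CRL validity window, as issued by the CA (CRL times are UTC).
# A 4-hour window is assumed here purely to make the skew visible.
CRL_THIS_UPDATE = datetime(2004, 8, 25, 4, 30, tzinfo=timezone.utc)
CRL_NEXT_UPDATE = CRL_THIS_UPDATE + timedelta(hours=4)

# Assumed wall clock on the gateway: 14:33 local time in a UTC+10 location,
# i.e. the clock itself is right; only the configured zone may be wrong.
WALL_CLOCK = datetime(2004, 8, 25, 14, 33)
TRUE_OFFSET_HOURS = 10


def gateway_utc(wall_clock: datetime, configured_offset_hours: int) -> datetime:
    """What the gateway believes UTC is.

    UTC is derived by subtracting the *configured* zone offset from the wall
    clock, so a zone error of N hours shifts the gateway's UTC by N hours.
    """
    utc = wall_clock - timedelta(hours=configured_offset_hours)
    return utc.replace(tzinfo=timezone.utc)


def crl_validity(this_update: datetime, next_update: datetime,
                 now_utc: datetime) -> tuple[bool, str]:
    """Evaluate the CRL validity window at now_utc; return (ok, reason)."""
    if now_utc < this_update:
        return False, "CRL not yet valid (thisUpdate is in the future)"
    if now_utc > next_update:
        return False, "CRL expired (nextUpdate is in the past)"
    return True, "CRL valid"


def check_gateway(wall_clock: datetime, configured_offset_hours: int) -> tuple[bool, str]:
    """Validate the constructed CRL as a gateway with this zone setting would."""
    now = gateway_utc(wall_clock, configured_offset_hours)
    return crl_validity(CRL_THIS_UPDATE, CRL_NEXT_UPDATE, now)


def compare_zone_settings(wall_clock: datetime = WALL_CLOCK) -> dict[int, tuple[bool, str]]:
    """Same wall clock, three zone settings: correct (+10), GMT (0), and +12."""
    return {offset: check_gateway(wall_clock, offset) for offset in (TRUE_OFFSET_HOURS, 0, 12)}


if __name__ == "__main__":
    true_now = gateway_utc(WALL_CLOCK, TRUE_OFFSET_HOURS)
    print(f"CRL window (UTC): {CRL_THIS_UPDATE:%H:%M} - {CRL_NEXT_UPDATE:%H:%M}")
    print(f"real UTC now:     {true_now:%H:%M}")
    for offset, (ok, reason) in compare_zone_settings().items():
        believed = gateway_utc(WALL_CLOCK, offset)
        print(f"zone UTC{offset:+d}: gateway thinks UTC is {believed:%H:%M} -> {reason}")
```

With the correct +10 setting the gateway's UTC is 04:33, inside the window. With the zone left at GMT the gateway's UTC becomes 14:33 and the CRL looks expired; with a zone set too far east (+12) it becomes 02:33 and the CRL looks not yet valid. The practical check is to compare the gateway's idea of UTC (for example `date -u` on a Unix gateway) with the management server's and the CA's, rather than comparing wall-clock displays, because two boxes can show identical local times and still disagree by hours in UTC.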