Hi
After installing the policy, the firewall module checks the CRL distribution point.
Probably the CRL server doesn't work, or the policy installed on the firewall module doesn't
allow this check.
Available for further information.
Best regards,
Nicola NICOLETTI
Fondiaria-SAI divisione SAI
ICT & Services - Architetture & Operations
Architettura Telecomunicazioni
Sistemi Firewall / Vpn
Via Marenco 15 - 10126 Torino (TO)
tel: +39 011 6657919
e-mail: nicola.nicoletti AT starvox DOT it
From: David A Muscat <muscatd AT AU1 DOT IBM.COM>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: FW-1-MAILINGLIST AT AMADEUS.US DOT CHECKPOINT.COM
cc:
Subject: [FW-1] Certificate cannot be validated error
Date: 25/08/2004 07.25
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
Hi everyone,
In our firewall logs we get the following error:
Number: 1103102
Date: 25Aug2004
Time: 14:33:59
Product: VPN-1 & FireWall-1
Interface: daemon
Origin: xxxxxxxx
Type: Log
Action: Key Install
Encryption Scheme: NA
Information: Validation log: Certificate defaultCert cannot be validated.
Reason: No valid CRL.
DN: CN=xxxxxx VPN Certificate,O=xxxxxxx..xxxxx
Instruction: If this log persists, contact the CA administrator.
This error occurs just after a policy has been installed and although I
cannot confirm it, I think it may be the cause of site-to-site failures off
this firewall. Strangely enough though, all remote access users can VPN in
without any issue. We have another firewall at a different site, same
version and everything, and controlled by the same firewall manager. This
other firewall doesn't have any issue.
After the above error, we then get the following errors throughout the log
from the problem firewall:
Number: 1105916
Date: 25Aug2004
Time: 14:35:08
Product: VPN-1 & FireWall-1
Interface: qfe0
Origin: xxxxxxxx
Type: Log
Action: Drop
Encryption Scheme: NA
Information: encryption failure: Packet is dropped as there is no valid SA
I've also checked the certificate for the firewall. It says it's valid till
sometime in 2007 so I don't think that's the problem.
The Check Point knowledgebase makes reference to the first problem above,
but its solution talks about VPN-1 SmallOffice, not VPN-1 Pro (solution id
sk13321). I've pasted the text from it below.
Symptoms
Error message in the Log Viewer
Error: "Validation log: Certificate defaultCert cannot be validated. Reason: No valid CRL. DN: CN=cpmodule VPN Certificate,O=check-3wm85vbkn..tjfer5 Instruction: If this log persists, contact the CA administrator."
Solution
Through the VPN-1 SmallOffice Web Interface, select Device Setup > Time and
set the Time Zone to the correct GMT offset, then apply the changes.
Now the enforcement module having the issue is in a different timezone to
its firewall manager. The other enforcement module that DOES work with
extranet VPNs is in the same timezone as the firewall manager. Would a
difference in timezone settings really matter?
Regards,
David
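To show why the clock matters for the "No valid CRL" verdict in the log above, here is an added illustration (not code from the thread or from Check Point): a CRL carries thisUpdate/nextUpdate in UTC, so a module whose OS time-zone offset is wrong derives a UTC time outside the CRL's freshness window even though the certificate itself is valid until 2007. The CRL window, the certificate expiry and the two UTC offsets are constructed sample values.

```python
from datetime import datetime, timedelta, timezone


def parse_utctime(s):
    """Parse an ASN.1 UTCTime as used in X.509 CRLs, e.g. '040825120000Z'.
    Per RFC 5280, two-digit years 50-99 mean 19xx and 00-49 mean 20xx."""
    if len(s) != 13 or not s.endswith("Z"):
        raise ValueError("expected YYMMDDHHMMSSZ")
    yy = int(s[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


def module_clock_utc(wall_clock, configured_offset_hours):
    """UTC as the enforcement module derives it: the wall-clock time it reads is
    interpreted through whatever time-zone offset its OS has been configured with."""
    local_tz = timezone(timedelta(hours=configured_offset_hours))
    return wall_clock.replace(tzinfo=local_tz).astimezone(timezone.utc)


def validate(cert_not_after, crl_this_update, crl_next_update, now_utc):
    """Model of the two checks behind the log lines: certificate lifetime first,
    then CRL freshness. Returns 'OK' or a reason string in the log's wording."""
    if now_utc > cert_not_after:
        return "Certificate expired"
    if not (crl_this_update <= now_utc <= crl_next_update):
        return "No valid CRL"
    return "OK"


# Constructed sample values (not taken from the thread): a CRL published at
# 12:00Z on 25 Aug 2004 with a four-hour freshness window, a certificate valid
# until 2007, and the wall-clock time at which the log entry was written.
CRL_THIS_UPDATE = parse_utctime("040825120000Z")
CRL_NEXT_UPDATE = parse_utctime("040825160000Z")
CERT_NOT_AFTER = parse_utctime("070825120000Z")
WALL_CLOCK = datetime(2004, 8, 25, 14, 33, 59)


def outcome(configured_offset_hours):
    """Validation result for a module whose OS reports this UTC offset."""
    now = module_clock_utc(WALL_CLOCK, configured_offset_hours)
    return validate(CERT_NOT_AFTER, CRL_THIS_UPDATE, CRL_NEXT_UPDATE, now)


if __name__ == "__main__":
    # Same wall clock, two configured offsets: only the time-zone setting differs.
    for offset in (2, 10):
        print(f"configured UTC offset {offset:+d}h -> {outcome(offset)}")
```

With the +2 h offset the derived UTC (12:33:59Z) falls inside the CRL window, while the +10 h offset yields 04:33:59Z, before thisUpdate, and the validator reports exactly the "No valid CRL" reason seen in the log.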
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
Pursuant to Legislative Decree no. 196/2003, please note that the information contained in this message and in any attachments is confidential and for the exclusive use of the addressee. Anyone other than the addressee may not copy or distribute the message to third parties. Anyone who receives this message in error is asked to destroy it and to immediately inform postmaster AT fondiaria-sai DOT it