It seems it can be ignored after all! :) After digging around further I
found we were getting the same error on another of our gateways where
extranet tunnels seem to work fine. I've discovered that the remotely
managed firewall hasn't been configured correctly (even after they have
"checked" it) as I set up my own separate remote gateway and got an extranet
tunnel up in less than 5 mins, no problems. :)
Regards,
David
From: Ian Brown <IBrown AT OAG DOT COM>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: FW-1-MAILINGLIST AT AMADEUS.US DOT CHECKPOINT.COM
Subject: Re: [FW-1] Certificate cannot be validated error
Date: 25/08/2004 05:38 PM
Please respond to: Mailing list for discussion of Firewall-1
I've seen this and reported it to CP support, as I couldn't see what
caused it. The response was this:
The error message that you are seeing is a normal informational message
and can be disregarded if you do not see this message at times other
than the firewall being rebooted or policy being pushed. It is normal
since certain processes are being stopped and started and some of the
processes that are being checked have not started yet.
I took it with a pinch of salt. If anyone has a better explanation...?
ian
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of David A
Muscat
Sent: 25 August 2004 06:26
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Certificate cannot be validated error
Hi everyone,
In our firewall logs we get the following error:
Number: 1103102
Date: 25Aug2004
Time: 14:33:59
Product: VPN-1 & FireWall-1
Interface: daemon
Origin: xxxxxxxx
Type: Log
Action: Key Install
Encryption Scheme: NA
Information: Validation log: Certificate defaultCert cannot be validated.
Reason: No valid CRL.
DN: CN=xxxxxx VPN Certificate,O=xxxxxxx..xxxxx
Instruction: If this log persists, contact the CA administrator.
This error occurs just after a policy has been installed and although I
cannot confirm it, I think it may be the cause of site-to-site failures
off this firewall. Strangely enough though, all remote access users can
VPN in without any issue. We have another firewall at a different site,
same version and everything, and controlled by the same firewall
manager. This other firewall doesn't have any issue.
After the above error, we then get the following errors throughout the
log from the problem firewall:
Number: 1105916
Date: 25Aug2004
Time: 14:35:08
Product: VPN-1 & FireWall-1
Interface: qfe0
Origin: xxxxxxxx
Type: Log
Action: Drop
Encryption Scheme: NA
Information: encryption failure: Packet is dropped as there is no valid SA
I've also checked the certificate for the firewall. It says it's valid
till sometime in 2007 so I don't think that's the problem.
The checkpoint knowledgebase makes reference to the first problem above,
but its solution talks about VPN-1 SmallOffice not VPN-1 Pro (solution
id sk13321). I've pasted the text from it below.
Symptoms
Error message in the Log Viewer
Error: "Validation log: Certificate defaultCert cannot be validated. Reason: No valid CRL. DN: CN=cpmodule VPN Certificate,O=check-3wm85vbkn..tjfer5 Instruction: If this log persists, contact the CA administrator."
Solution
Through the VPN-1 SmallOffice Web Interface, select Device Setup > Time
and set the Time Zone to the correct GMT offset, then apply the changes.
Now the enforcement module having the issue is in a different timezone
to its firewall manager. The other enforcement module that DOES work
with extranet VPNs is in the same timezone as the firewall manager.
Would a difference in timezone settings really matter?
Regards,
David
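As an added illustration (not part of the thread and not Check Point tooling): the support reply quoted above says the "cannot be validated" message can be disregarded when it appears only around a reboot or policy push, so the practical check is whether it keeps appearing outside that window, and whether "no valid SA" drops follow it. The Python below parses records in the "Field: value" layout pasted in this thread and splits certificate-validation failures into transient (inside a grace window after a policy install) and persistent ones. The sample records, the policy-install timestamp and the 10-minute grace window are constructed assumptions; the persistent bucket is the one that warrants looking at CRL reachability, module clock/time zone and CA configuration.

```python
"""Triage Check Point 'Certificate cannot be validated' log records.

Added example, not from the mailing-list thread or Check Point.  The
record layout mirrors the 'Field: value' blocks pasted in the thread.
Sample records, policy-install time and grace window are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample export: two Key Install validation failures and one
# Drop, each record a block of "Field: value" lines separated by a blank
# line.  Information values are kept on one line; a paste that wraps them
# (as in the mail above) must be rejoined before parsing.
SAMPLE_LOG = """\
Number: 1103102
Date: 25Aug2004
Time: 14:33:59
Interface: daemon
Origin: fw-site-b
Action: Key Install
Information: Validation log: Certificate defaultCert cannot be validated. Reason: No valid CRL.

Number: 1105916
Date: 25Aug2004
Time: 14:35:08
Interface: qfe0
Origin: fw-site-b
Action: Drop
Information: encryption failure: Packet is dropped as there is no valid SA

Number: 1109001
Date: 25Aug2004
Time: 16:02:11
Interface: daemon
Origin: fw-site-b
Action: Key Install
Information: Validation log: Certificate defaultCert cannot be validated. Reason: No valid CRL.
"""

# Assumption: when policy was pushed to this module (taken from the
# management server's audit trail in practice) and how long after a push
# the validation message is treated as transient.
POLICY_INSTALLS = [datetime(2004, 8, 25, 14, 33, 0)]
GRACE = timedelta(minutes=10)

CERT_FAIL = re.compile(r"Certificate (\S+) cannot be validated")


def parse_records(text):
    """Split an export into records: dict of field -> value plus a 'ts' datetime."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")   # split on the first colon only
            rec[key.strip()] = value.strip()
        # Date/Time as exported, e.g. "25Aug2004" and "14:33:59"
        rec["ts"] = datetime.strptime(rec["Date"] + " " + rec["Time"], "%d%b%Y %H:%M:%S")
        records.append(rec)
    return records


def within_grace(ts, installs, grace=GRACE):
    """True if ts falls inside the grace window after any policy install."""
    return any(timedelta(0) <= ts - t <= grace for t in installs)


def triage(records, installs, grace=GRACE):
    """Return (transient, persistent) cert-validation failures and the count of 'no valid SA' drops."""
    transient, persistent, sa_drops = [], [], 0
    for rec in records:
        info = rec.get("Information", "")
        if CERT_FAIL.search(info):
            bucket = transient if within_grace(rec["ts"], installs, grace) else persistent
            bucket.append(rec)
        elif rec.get("Action") == "Drop" and "no valid SA" in info:
            sa_drops += 1
    return transient, persistent, sa_drops


def summarize(text=SAMPLE_LOG, installs=POLICY_INSTALLS):
    """Record numbers per bucket, so the persistent ones can be pulled from the full log."""
    transient, persistent, sa_drops = triage(parse_records(text), installs)
    return {
        "transient": [r["Number"] for r in transient],
        "persistent": [r["Number"] for r in persistent],
        "sa_drops": sa_drops,
    }


if __name__ == "__main__":
    print(summarize())
```

On the constructed sample, record 1103102 (59 seconds after the push) lands in the transient bucket, record 1109001 (an hour and a half later, with no push recorded) is persistent, and one SA drop is counted. Against a real export the policy-install times would come from the management server's audit log rather than a hard-coded list.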
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================