It sounds like you might have one of a couple of problems. Either there is another
P-1 or MLM with a different date/time, or you're having Certificate Authority
problems. First I would check that all of your Provider machines are
updating properly via NTP. After that I would wait for one of the boxes to
lose SIC and then look to see what the certificate for that machine looks
like with the cpca_dbutil command on the Provider box. See if the
certificate has been revoked for it. (Status of 2 means that it's been
revoked.)
Jason
On 3/24/06, Octavio do Vale Rocha <octavio AT nct.com DOT br> wrote:
>
> It is not possible to install any policies. When I check the SIC status from
> smartdashboard, it gives the error:
>
> "SIC status fo XXXXX: not communicating
> Authentication Error [error 147]
> Check that peer SIC is configured properly
> and that system date and time on the Smartcenter and peer are
> synchronized"
>
> The strangest thing is that in smartview monitor, I see the status of these
> firewalls as OK. I can even get data from them in smartupdate.
> But doing a on these FWs is not possible.
>
> I couldn't note any action that may be causing this; it seems to be random.
> The time it takes to lose SIC is also random.
>
> It only happens to r54 in SPLAT. R54 in nokia and r55 in any case is fine.
> It looks like a bug.
>
> CPD shows the messages below after sic estab.
>
> 12 Mar 23:35:39] Schedule_SIC_Renewal: SIC certificate should be renewed
> in 70700185 seconds from now.
> Will be checked again in 1209600 seconds from now.
> [12 Mar 23:35:39] Cpd started
> [14 Mar 0:55:08] cprti_dump_init: cannot open nl socket
>
> [14 Mar 0:55:08] cprti_dump: cant init
>
> [14 Mar 0:55:08] CP Status extractor: GetOidReply: Error - OID '
> 1.3.6.1.4.1.2620.1.6.6.1.2.1' reported as next-oid, but has no value
> [14 Mar 8:18:04] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [14 Mar 9:36:46] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [14 Mar 14:25:11] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [14 Mar 16:20:38] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [14 Mar 23:32:59] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [15 Mar 9:02:12] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [16 Mar 17:18:04] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [16 Mar 20:15:37] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [17 Mar 10:02:24] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [17 Mar 18:49:33] DoCancelOperation: unsupported oid is cancelled. oid='
> 1.3.6.1.4.1.2620.1.1.25.8'
> [18 Mar 13:50:34] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [19 Mar 0:16:24] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [19 Mar 1:30:56] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [19 Mar 5:01:10] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [19 Mar 6:05:48] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [19 Mar 16:22:29] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [19 Mar 19:57:55] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [19 Mar 21:20:01] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [19 Mar 23:15:43] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [20 Mar 8:56:48] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [20 Mar 11:09:59] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [20 Mar 14:19:34] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [20 Mar 15:31:33] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [21 Mar 9:17:23] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [21 Mar 15:02:20] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [21 Mar 22:25:02] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [21 Mar 23:58:57] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [22 Mar 8:25:18] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [22 Mar 9:52:30] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [22 Mar 18:04:06] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [23 Mar 8:44:17] rand_collect_entropy: Failed to collect entropy from all
> sources.
> [23 Mar 17:14:36] DoCancelOperation: unsupported oid is cancelled. oid='
> 1.3.6.1.4.1.2620.1.1.25.8'
>
>
> Thanks,
> Octavio
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:
> FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of Adam BE
> Sent: Friday, March 24, 2006 10:24
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Provider-1 NGX Upgrade issue
>
> Hi Octavio,
>
> Please provide more specific details...
> How do you know you've lost SIC, what is the symptom: does install policy
> or some other operation fail? Once you've reset SIC... how long does it take
> until you lose it again? Can you reconstruct the specific operations you
> made which keep causing SIC to be lost or is it lost without relation to any
> operation which you made (i.e. occurs once every 2 hours...)?
>
> Once you've lost SIC try troubleshooting to see what might be causing the
> problem.. see http://fixmyfirewall.com/fw1/fw-1.0117.html and then check
> the log in $CPDIR/log/cpd.elg
>
> Best regards,
> Adam.
>
> Octavio do Vale Rocha <octavio AT NCT.COM DOT BR> wrote:
>
> Hi all,
>
> After upgrading Provider-1 to NGX (only the management part), we are
> having problems with r54 gateways. They lose SIC to their CMAs, and
> even if we close SIC again it loses after some time. The error shown
> is error 147.
>
> The strangest thing is that in smartview monitor, we can see these gateways'
> status as OK, their current connections, cpu, etc. We can also get their
> data from smartupdate, but receive an error when getting license.
>
> Has anyone experienced this? It is happening only with R54 (build 317)
> gateways.
>
> Thanks,
>
> Octavio
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
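For triaging a cpd.elg excerpt like the one quoted in this thread, the Python sketch below folds wrapped lines back into their entries, tallies entries by the routine that logged them, and converts the SIC renewal interval to days. It is an added example, not part of the original messages and not Check Point code; the function names and sample text are constructed, and the parser assumes only the `[day month time] message` layout visible in the quoted log.

```python
import re
from collections import Counter

# Constructed sample in the layout of the cpd.elg excerpt quoted in this thread.
SAMPLE = """\
12 Mar 23:35:39] Schedule_SIC_Renewal: SIC certificate should be renewed
in 70700185 seconds from now.
Will be checked again in 1209600 seconds from now.
[12 Mar 23:35:39] Cpd started
[14 Mar 8:18:04] rand_collect_entropy: Failed to collect entropy from all
sources.
[14 Mar 9:36:46] rand_collect_entropy: Failed to collect entropy from all
sources.
[17 Mar 18:49:33] DoCancelOperation: unsupported oid is cancelled. oid='
1.3.6.1.4.1.2620.1.1.25.8'
"""

# The opening bracket is optional: pasted excerpts sometimes lose it.
STAMP = re.compile(r"^\[?(\d{1,2}) (\w{3}) +(\d{1,2}:\d{2}:\d{2})\]\s*(.*)$")

def parse_entries(text):
    """Return (day, month, time, message) tuples, folding wrapped lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted input
        if not line:
            continue
        m = STAMP.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries:  # continuation of the previous entry
            entries[-1][3] = f"{entries[-1][3]} {line}".strip()
    return [tuple(e) for e in entries]

def count_by_source(entries):
    """Tally entries by the routine name before the first colon."""
    return Counter(msg.split(":", 1)[0] for *_, msg in entries)

def renewal_days(entries):
    """Days until the scheduled SIC certificate renewal, or None if absent."""
    for *_, msg in entries:
        m = re.search(r"renewed in (\d+) seconds", msg)
        if m:
            return int(m.group(1)) / 86400
    return None

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(count_by_source(parsed).most_common())
    print(f"SIC renewal due in {renewal_days(parsed):.1f} days")
```

The log timestamps carry no year or time zone, so any comparison against the management server's clock has to supply both from context.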