Well, with a corrupted certificate authority not only VPN stuff fails, SIC fails as well because it works with certificates generated by that CA.
To be honest I have no idea how you managed to avoid SIC issues, the CA gets initialized with the hostname of the machine, and when you import a config on a machine with a different hostname, the CA is not valid precisely because the hostname does not match and gets immediately corrupted, at least that's what I had understood.

Basically when it happened to me, I got no "popping" error messages at all, it was just that SIC would not work even resetting activation keys on the firewall modules and the corresponding objects in the Dashboard. I don't remember the exact error I got when testing SIC and failing, but the only solution was resetting the CA.

I did it that way the first time, but it was such a pain, that next time it happened, I just rebooted with the SPLAT disk and started all over making sure the hostname was right this time, it was faster that way.

I guess you should ask Check Point support about this, as my experience seems not to be the rule about this.

Regards

On 8/10/07, pkc_mls <[EMAIL PROTECTED]> wrote:
>
> Sergio Alvarez wrote:
> > First of all, if you did that, you should already have a corrupted
> > Certificate Authority. I ran into that a couple of times
> >
> > When you do an upgrade_export and then an import on another machine, the
> > new machine should have the same hostname of the old one from which you took
> > the export in the first place.
> >
>
> Hi,
>
> I did another try on a vmware environment.
> set up a windows smartcenter.
> set up a splat gateway
> run an upgrade export from the windows smartcenter
> setup another smartcenter on splat with a different hostname.
> I chose to use the exported config directly during installation.
> and I then renamed the smartcenter object in smartdashboard, and didn't
> get the warning message.
> there was no sic issue afterwards, but as it was a really small config,
> I didn't try any vpn stuff.
>
> could you please describe the issues you had ?
>
> > I would recommend, starting from the beginning importing the export on the
> > new machine while having the same hostname. If that is a problem, then look
> > in the SecureKnowledge for procedures to reset the ICA (it is also referred
> > to as "SIC reset").
> >
> > On 8/8/07, pkc_mls <[EMAIL PROTECTED]> wrote:
> >
> >> here are some more details :
> >> I ran an update_export on my old SC.
> >> I imported the export on my new SC that has a different name.
> >> now I'd like to change the name in smartdashboard.
> >>
> >> Sergio Alvarez wrote:
> >>
> >>> The SmartCenter object name is related with the hostname of the Smartcenter
> >>> machine, and the hostname is related with the Certificate Authority that
> >>> allows for SIC to take place between your Smartcenter, the firewall modules
> >>> and even your SmartConsole. If you change the hostname, the certificate
> >>> authority gets corrupted.
> >>>
> >>> To be honest I do not have the best procedure to follow in case you MUST
> >>> change that hosts name, but I can tell you it could become a really big
> >>> headache.
> >>>
> >>> Unless you really MUST do that change, I would honestly suggest leaving it
> >>> as it is. If you do, maybe another one of the guys here, has a good and safe
> >>> procedure to follow, which I would too like to be aware of.
> >>>
> >>> Regards
> >>>
> >>> On 8/8/07, pkc_mls <[EMAIL PROTECTED]> wrote:
> >>>
> >>>> good morning,
> >>>>
> >>>> when you wish to rename the smartcenter object in smartdashboard, you
> >>>> get the following warning :
> >>>> "Before renaming, please close SmartDashboard, open SmartUpdate and
> >>>> detach the license".
> >>>>
> >>>> and detaching the license will block the access to the smartdashboard.
> >>>>
> >>>> does it mean you need an eval licence also to allow you to do this ?
> >>>>
> >>>> has anyone already renamed a smartcenter ?
> >>>>
> >>>> thanks
> >>>>
> >>>> =================================================
> >>>> To set vacation, Out-Of-Office, or away messages,
> >>>> send an email to [EMAIL PROTECTED]
> >>>> in the BODY of the email add:
> >>>> set fw-1-mailinglist nomail
> >>>> =================================================
> >>>> To unsubscribe from this mailing list,
> >>>> please see the instructions at
> >>>> http://www.checkpoint.com/services/mailing.html
> >>>> =================================================
> >>>> If you have any questions on how to change your
> >>>> subscription options, email
> >>>> [EMAIL PROTECTED]
> >>>> =================================================

--
Sergio Alvarez
(506)8301342
