
SecureClient Certificates

Status
Not open for further replies.

ChrisAC

ISP
Aug 6, 2001
2,158
GB
We're moving a firewall over from using VPN-1/Firewall-1 passwords for SecureClient users to certificates using the firewalls ICA.

I tested this last night with one account and it worked okay. However, today when testing a new account I'm getting the message ..

Could not validate the certificate used by
gateway <our IP address> at site
our-firewall.
No valid CRL. CN=firewall VPN ....etc

I have no idea how to solve this problem so I'm hoping that someone could help with this!

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Which user account unit are you using? (Internal, LDAP, TACACS, RADIUS) And which version of Check Point modules and SecureClient are you using?
 
We're using the Firewall-1 internal user database. Both Firewall and client are on NG FP3.

Oddly enough this problem was fixed after a reboot, but did occur again later on.

:-(

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
* Please check the user properties (choose the user which failed to connect):
1- In the authentication tab make sure you choose "VPN-1 & FireWall-1 Password" and set the password.
2- In the encryption tab mark the IKE encryption check-box, then run "cprestart".
3- In the "certificate" tab generate a new certificate for the user and save it.
* It could also be because your default certificate (located on the management module) is corrupted, so you will need to recreate it by connecting to the management module (ssh, telnet, term), then run "cpconfig", choose the "Certificate Authority" option and redefine it. Exit cpconfig and run "cprestart".

I hope that one of those will be helpful.
Please update us. Good luck.
 
Yeah, I pretty much did all of that and it has been stable for a few weeks now so here's hoping that it remains okay.

Your time is appreciated.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Try this

1) Check that the date of your computer is not after the expiry date of the user on the firewall.

2) Do an Update Site from your <our IP address> in the Check Point software, wait a few seconds and then try again.
 
You need to check that your FW and Clients (machines with SC installed on them) time is synchronized.
If it doesn't help then the best way to be sure your FW is okay is to check SIC connectivity with other modules (if they exist).
If you didn't get to any resolution, as a last resort you can run the command fwm reset_sic (this is very sensitive since it will reset your FWM ICA). Before you reset the ICA check that your FWM machine clock is tuned and synced.

Good Luck
Maor Hazan,
CCSA CCSE
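A small diagnostic for the clock-sync and CRL point made in the thread, added here as an example and not taken from any post or from Check Point's own tooling: it parses the lastUpdate/nextUpdate lines that `openssl crl -noout -lastupdate -nextupdate` prints for a CRL and reports whether a client whose clock reads a given time would reject that CRL. The CRL dates and the skew tolerance are constructed assumptions.

```python
"""Classify a "No valid CRL" failure by comparing a CRL's validity window
with the clock of the client that rejected it. Input is the text printed by
`openssl crl -noout -lastupdate -nextupdate`; the sample below is constructed."""
from datetime import datetime, timedelta

# Constructed sample output (not a real CRL from the thread's firewall)
SAMPLE_CRL_INFO = """lastUpdate=Aug  6 08:00:00 2001 GMT
nextUpdate=Aug  7 08:00:00 2001 GMT
"""


def parse_openssl_dates(text):
    """Return {'lastUpdate': datetime, 'nextUpdate': datetime} from openssl output."""
    dates = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        # openssl pads single-digit days with two spaces; collapse the whitespace
        value = " ".join(value.split())
        dates[key.strip()] = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return dates


def check_crl_window(crl_text, client_now, max_skew=timedelta(minutes=5)):
    """Return why a client whose clock reads `client_now` would reject the CRL.

    'ok'            - CRL is inside its window (allowing `max_skew` of drift)
    'not_yet_valid' - client clock is behind the CA that issued the CRL
    'expired'       - CRL is stale, or the client clock is ahead of the CA
    'malformed'     - the text carried no lastUpdate line at all
    """
    dates = parse_openssl_dates(crl_text)
    if "lastUpdate" not in dates:
        return "malformed"
    if client_now + max_skew < dates["lastUpdate"]:
        return "not_yet_valid"
    next_update = dates.get("nextUpdate")  # nextUpdate is optional in a CRL
    if next_update is not None and client_now - max_skew > next_update:
        return "expired"
    return "ok"


if __name__ == "__main__":
    for when in (datetime(2001, 8, 5, 12), datetime(2001, 8, 6, 12), datetime(2001, 8, 8, 12)):
        print(when.isoformat(), "->", check_crl_window(SAMPLE_CRL_INFO, when))
```

Run the real check with the CRL exported from the management module and the client's actual clock reading; a result other than `ok` points at time drift or a stale CRL rather than at the user's certificate.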
 