
[FW1] no SIC when computer hw clocks are not in sync



Will,

Thanks for your solution, I installed the NTP protocol
to sync the time of the gateway that runs the enforcement module
with the server that runs the checkpoint mgmt module, 
and I can confirm that SIC does communicate now. Probably
NTP can be handy anyway for analysis of logfiles that
are time sync'd. Anyone who sees NTP as a potential security
risk? ;)

I used some old Asus mobo with an expired CMOS power lithium cell.
NTP will now set the hwclock at boot time.

I'll cc this email to some people involved with FW-1
as well as support at checkpoint ;)



Grtz -- hansb

+-----------------------------------------------------+
| Hans Bayle <[email protected]>                 |
| Technical Consultant                                |
|                                                     |
| Zinopsys BV                                         |
| phone +31 20 6123614                                |
| mobile +31 6 53948140                               |
| fax +31 20 6123849                                  |
| [email protected]                              |
+-----------------------------------------------------+

-----Original Message-----
From: Will Zegeer [mailto:[email protected]]
Sent: Wednesday, September 26, 2001 11:52 PM
To: '[email protected]';
[email protected]
Cc: Erik Esmeijer
Subject: RE: [FW1] (2) Bad SIC status between NT4.0 and Linux RH6.2


Hans, check your time and date on both management and module - they should
match. I had the same error and this was the cause.

Hope this helps-

Will

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, September 26, 2001 5:25 AM
To: [email protected]
Cc: Erik Esmeijer
Subject: [FW1] (2) Bad SIC status between NT4.0 and Linux RH6.2


Hi,

(1)

I'm evaluating Checkpoint NG with a distributed setup:

- management server and management clients on Windows NT Workstation SP6a
- enforcement module on Linux Redhat 6.2, kernel 2.2.19

Normal communication between the two machines is ok, but when I use
the Policy editor on the management host, and enter the Linux box
as a gateway, it is possible to establish a trust under the
Communication button, but testing the SIC status is not possible:

Sic status from <host>: Not Communicating

Internal SSL authentication error [ alert from peer bad certificate ]

*** Contact Check Point Support ***



(2)

Also, when using secure update, it is not possible to attach a central
license for the enforcement module. I right-click the Linux gateway
that has the enforcement module installed and that I had to enter
in the policy editor first, then I choose Attach Licenses... A dialog
box will pop up, and I select one of my licenses, and click on the Attach
button. NOTHING HAPPENS. No error, nothing.


(3)

In both cases (1) and (2), when I run tcpdump at the Linux gateway on the
interface that is connected to the management host, I will see some traffic
between:

linuxgw.zinopsys.nl.18191 > mgmthst.zinopsys.nl.1144
mgmthst.zinopsys.nl.1144 > linuxgw.zinopsys.nl.18191
etc..

At the same time, on the console will be logged:

FW-1: cannot write to host_table

My wild guess is that checkpoint modules have an internal host_table which
is needed for both SIC communication and plugging in the licenses.
If, for some reason ????, the module can't write to the host_table,
it also won't communicate with remote modules.

Anyone who can tell me what a host_table is, where I can find it, and
help it to behave in a better way?

(BTW, latest hotfixes are installed on both machines)


Grtz -- hansb

+-----------------------------------------------------+
| Hans Bayle <[email protected]>                 |
| Technical Consultant                                |
|                                                     |
| Zinopsys BV                                         |
| phone +31 20 6123614                                |
| mobile +31 6 53948140                               |
| fax +31 20 6123849                                  |
| [email protected]                              |
+-----------------------------------------------------+
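
An added example (not part of the original thread, and not Check Point code): assuming the SIC certificate check follows the usual X.509 rule that each peer tests a certificate's validity window against its own local clock, this shows why a gateway whose hardware clock has reset rejects freshly issued certificates until its time is synced. All host names, timestamps and validity periods below are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def check_validity(not_before, not_after, local_now):
    """Verdict a verifier reaches using its own clock, plus how far off it is."""
    if local_now < not_before:
        return "not_yet_valid", not_before - local_now
    if local_now > not_after:
        return "expired", local_now - not_after
    return "valid", timedelta(0)

def diagnose(certs, clocks):
    """certs: {name: (not_before, not_after)}, clocks: {host: local time}.
    Returns {(host, cert): (verdict, gap to the validity window)}."""
    return {(host, name): check_validity(nb, na, now)
            for host, now in clocks.items()
            for name, (nb, na) in certs.items()}

def rejecting_hosts(report):
    """Hosts whose clock makes them reject at least one certificate."""
    return sorted({host for (host, _), (verdict, _) in report.items()
                   if verdict != "valid"})

# Constructed sample data: trust is initialised on the management host, so
# both certificates start their validity at the management host's "now".
ISSUED = datetime(2001, 9, 26, 9, 0, tzinfo=UTC)
CERTS = {
    "internal_ca": (ISSUED, ISSUED + timedelta(days=3650)),
    "module_cert": (ISSUED, ISSUED + timedelta(days=1825)),
}
# Gateway hardware clock fell back to a default date (dead CMOS cell).
BEFORE_SYNC = {"mgmt": ISSUED + timedelta(minutes=5),
               "module": datetime(1997, 1, 1, 0, 5, tzinfo=UTC)}
# After time sync the two hosts differ by two seconds.
AFTER_SYNC = {"mgmt": ISSUED + timedelta(minutes=5),
              "module": ISSUED + timedelta(minutes=5, seconds=2)}

if __name__ == "__main__":
    for label, clocks in (("before sync", BEFORE_SYNC), ("after sync", AFTER_SYNC)):
        report = diagnose(CERTS, clocks)
        print(label, "-> rejecting hosts:", rejecting_hosts(report))
        for (host, cert), (verdict, gap) in sorted(report.items()):
            print(f"  {host:7} {cert:12} {verdict:14} gap={gap}")
```

The gap value is the minimum clock correction the rejecting host needs before the certificate falls inside its validity window.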



 