SIC Error for amon: Got alert from peer that the certificate expired

One of our Check Point VSX clusters was showing an error in the SmartConsole gateway status for both cluster members.

The device information screen provided the following information:
Secure Internal Communication is not operational with ‘vsx’. Verify that SIC is initailized or was not reset.

And a “test SIC” failed:
SIC Status for vsx: Not Communicating
Internal SSL authentication error [ Certificate expired.]

The logs provided some more details:
Expert@vsx:0]# tail -12 $CPDIR/log/cpd.elg
[CPD]@vsx [16 Sep 10:03:14] SIC Error for LSMServerAddon: Got alert from peer that the certificate expired
[CPD]@vsx [16 Sep 10:13:01] SIC Error for EntitlementManager: Peer sent wrong DN: CN=cp_mgmt_XXXXX,O=XXXXX..xxxxx
[CPD]@vsx [16 Sep 11:04:06] SIC certificate renewal time:
[CPD]@vsx [16 Sep 11:04:06] certificate not before : Wed Sep 16 15:12:06 2015
[CPD]@vsx [16 Sep 11:04:06] certificate not after : Tue Sep 15 15:12:06 2020
[CPD]@vsx [16 Sep 11:04:06] renew ratio : 0.750000
[CPD]@vsx [16 Sep 11:04:06] renew time : Mon Jun 17 03:12:06 2019
[CPD]@vsx [16 Sep 11:04:06] now : Wed Sep 16 11:04:06 2020
[CPD]@vsx [16 Sep 11:04:07] Renew_SIC_Cert_cb: CPD failed to renew sic certificate. status = 3, rc - -1.
[CPD]@vsx [16 Sep 11:04:07] Renew_SIC_Cert_cb: Will try again in 24 hours.
[CPD]@vsx [16 Sep 11:07:38] SIC Error for RemoteLicense: Got alert from peer that the certificate expired
[CPD]@vsx [16 Sep 11:07:44] SIC Error for amon: Got alert from peer that the certificate expired

We’ve used the following SK (sk86521) to reset the SIC without any downtime or impact on our business.

1. As expert on both VSX cluster members enter the following commands on VS0:

cp_conf sic init YOURSECRETSICKEY norestart
cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

2. After that, reset the SIC from SmartConsole:

  • Click on the Security Gateway object
  • Click on ‘Communication
  • Click ‘Reset‘ and confirm
  • Enter YOURSECRETSICKEY
  • Click on ‘Initialize
  • Install policy.

Be the first to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.