Thread: Cluster upgrade and SecureClient




Cluster upgrade and SecureClient
user name
2006-10-30 08:36:58
Thanks for your replies. We've found the solution, which was in the VRRP
properties of each gateway: we had to enable the Allow Connections to VRRP
IPs option. Our SecureClients were then able to connect to the policy
server.

Thanks

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM] On Behalf Of Mark Elsen
Sent: 30 October 2006 08:25
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Cluster upgrade and SecureClient

> Hi,
>
> Yesterday we upgraded our Clustered Nokia VRRP pair of IP 530s from
> IPSO 3.7.1 and NG R54 to IPSO 4.0 build 30 and NGX R60 HFA02.
>
> Today I can no longer connect to the remote access vpn using
> SecureClient. When I try to create a site I get Error: Communication
> with site x.x.x.x failed. Looking in SmartView Tracker I can see an
> Accepted entry from my IP for FW1_topo (264) but nothing more.
>
> Another user can connect to the vpn with his existing SecureClient
> policy but gets an error during the connection 'unable to communicate
> with policy server on cluster01'.
>
> We upgraded all of the central licenses that were attached to the
> gateways to NGX and re-attached them. A policy server license is
> attached to one of the gateways and the cluster object properties show
> that the SecureClient Policy Server option is selected.
>
> SmartView Tracker is showing that users are still able to connect to
> the vpn and is logging decrypted traffic against usernames.
>
> Does anyone have any ideas?
>

 - We had a similar issue when upgrading to NGX R61 from R60; the
solution was to allow both firewalls' IPs as allowed agent host(s) on
our RSA server, which we use for SecureClient authentication.

Apparently there was a behavior change, in the sense that from that
release the cluster did not use the cluster IP address when accessing
the RSA server, but now the individual IPs of the cluster members were
used.

Aaaa...H, guess we owe the world the reason why we get paid each month

M.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================



Cluster upgrade and SecureClient
user name
2006-10-30 09:26:32
Hi Gurus

Would that be possible to recover the lost password for checkpoint smart
centre server.  The password you put in GUI client to access management
server.

Kind regards
Tauseef


SmartCenter password (Was: Cluster upgrade and SecureClient)
user name
2006-10-30 20:15:24
On Mon, 30 Oct 2006, Tauseef Khan wrote:

> Would that be possible to recover the lost password for checkpoint smart
> centre server.  The password you put in GUI client to access management
> server.

Ever heard of cpconfig? That should do the trick nicely.

Hugo.

PS: Never hijack another thread to start a new issue. Start a new one.

-- 
	hvdkooijvanderkooij.org	http://hvdkooij.xs4all.nl/

	    This message is using 100% recycled electrons.

SmartCenter password (Was: Cluster upgrade and SecureClient)
user name
2006-10-30 21:22:08
Well... taking advantage of the subject, has anyone ever found a "password
recovery procedure" for SPLAT?

What Hugo says is entirely true if what you lost is just the firewall admin
password, but what if you lost the SPLAT admin password?

A few months ago I spent quite some time looking for a document about that
in SK and all the docs that mentioned recovering passwords talked about
getting into expert mode, which of course I had no access to because this
customer had lost all the passwords related with this system he used just
for evaluation purposes....

Regards

On 10/30/06, Hugo van der Kooij <hvdkooijvanderkooij.org> wrote:
>
> On Mon, 30 Oct 2006, Tauseef Khan wrote:
>
> > Would that be possible to recover the lost password for checkpoint smart
> > centre server.  The password you put in GUI client to access management
> > server.
>
> Ever heard of cpconfig? That should do the trick nicely.
>
> Hugo.
>
> PS: Never hijack another thread to start a new issue. Start a new one.
>
> --
>         hvdkooijvanderkooij.org        http://hvdkooij.xs4all.nl/
>             This message is using 100% recycled electrons.


-- 
Sergio Alvarez
(506)8301342

SmartCenter password (Was: Cluster upgrade and SecureClient)
user name
2006-10-30 21:40:49
SPLAT is just Red Hat.  You should be able to boot off of a Red Hat
CD, mount the disk, edit the passwd & shadow files as necessary, then
reboot.  I haven't done it on SPLAT, but I've done it on Solaris
several times.  Red Hat shouldn't be much different.

-Mike
On Oct 30, 2006, at 4:22 PM, Sergio Alvarez wrote:

> Well... taking advantage of the subject, has anyone ever found a
> "password recovery procedure" for SPLAT?
>
> What Hugo says is entirely true if what you lost is just the firewall
> admin password, but what if you lost the SPLAT admin password?
>
> A few months ago I spent quite some time looking for a document about
> that in SK and all the docs that mentioned recovering passwords talked
> about getting into expert mode, which of course I had no access to
> because this customer had lost all the passwords related with this
> system he used just for evaluation purposes....
>
> Regards
>
> On 10/30/06, Hugo van der Kooij <hvdkooijvanderkooij.org> wrote:
>>
>> On Mon, 30 Oct 2006, Tauseef Khan wrote:
>>
>> > Would that be possible to recover the lost password for checkpoint
>> > smart centre server.  The password you put in GUI client to access
>> > management server.
>>
>> Ever heard of cpconfig? That should do the trick nicely.
>>
>> Hugo.
>>
>> PS: Never hijack another thread to start a new issue. Start a new one.
>>
>> --
>>         hvdkooijvanderkooij.org        http://hvdkooij.xs4all.nl/
>>             This message is using 100% recycled electrons.
>
> -- 
> Sergio Alvarez
> (506)8301342
SmartCenter password (Was: Cluster upgrade and SecureClient)
user name
2006-10-30 21:51:11
Sergio Alvarez wrote:
> Well... taking advantage of the subject, has anyone ever found a "password
> recovery procedure" for SPLAT?
>
> What Hugo says is entirely true if what you lost is just the firewall admin
> password, but what if you lost the SPLAT admin password?
>
> A few months ago I spent quite some time looking for a document about that
> in SK and all the docs that mentioned recovering passwords talked about
> getting into expert mode, which of course I had no access to because this
> customer had lost all the passwords related with this system he used just
> for evaluation purposes....
>

just boot splat with any linux live cd, chroot() into the / partition
and do a passwd for admin (or whatever the cpshell username is).
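
Added example, not part of the thread or of any Check Point tooling: both
replies above recover the SPLAT admin account by changing the password files
from other boot media, so the change happens while the installed system is
not running. Comparing a saved copy of /etc/shadow against the current file
makes such a reset visible afterwards; the entries and hash strings in the
sample data are constructed placeholders.

```python
# Added example: compare two snapshots of a shadow(5) file and report changes.
# All account entries and hash strings below are constructed placeholders.

BASELINE = """\
root:$1$AAAAAAAA$placeholderhashroot0000000:13400:0:99999:7:::
admin:$1$BBBBBBBB$placeholderhashadmin000000:13400:0:99999:7:::
"""

# Constructed "after" state: root's hash blanked in an editor (the change-day
# field is untouched), admin reset with passwd (which also updates the
# change-day field), and one account that was not in the baseline.
CURRENT = """\
root::13400:0:99999:7:::
admin:$1$CCCCCCCC$placeholderhashadmin111111:13451:0:99999:7:::
rescue:$1$DDDDDDDD$placeholderhashrescue0000:13451:0:99999:7:::
"""


def parse_shadow(text):
    """Map each user to (password_field, last_change_day)."""
    entries = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[0]:
            # A malformed entry in this file is itself worth investigating.
            raise ValueError("malformed shadow entry on line %d" % number)
        entries[fields[0]] = (fields[1], fields[2])
    return entries


def diff_shadow(baseline_text, current_text):
    """Return (user, finding) tuples, ordered by user name."""
    base = parse_shadow(baseline_text)
    cur = parse_shadow(current_text)
    findings = []
    for user in sorted(set(base) | set(cur)):
        if user not in base:
            findings.append((user, "account added"))
        elif user not in cur:
            findings.append((user, "account removed"))
        else:
            old_hash, old_day = base[user]
            new_hash, new_day = cur[user]
            if old_hash and not new_hash:
                findings.append((user, "password field emptied"))
            elif new_hash != old_hash:
                findings.append((user, "password hash changed"))
            if new_day != old_day:
                findings.append(
                    (user, "last-change day %s -> %s" % (old_day, new_day)))
    return findings


if __name__ == "__main__":
    for user, finding in diff_shadow(BASELINE, CURRENT):
        print("%-8s %s" % (user, finding))
```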

SmartCenter password (Was: Cluster upgrade and SecureClient)
user name
2006-10-30 22:05:49
Hi,

The following SK describes the whole procedure:
sk24666

Kr.
Robby


On 10/30/06, Sergio Alvarez <seralvargmail.com> wrote:
> Well... taking advantage of the subject, has anyone ever found a "password
> recovery procedure" for SPLAT?
>
> What Hugo says is entirely true if what you lost is just the firewall admin
> password, but what if you lost the SPLAT admin password?
>
> A few months ago I spent quite some time looking for a document about that
> in SK and all the docs that mentioned recovering passwords talked about
> getting into expert mode, which of course I had no access to because this
> customer had lost all the passwords related with this system he used just
> for evaluation purposes....
>
> Regards
>
> On 10/30/06, Hugo van der Kooij <hvdkooijvanderkooij.org> wrote:
> >
> > On Mon, 30 Oct 2006, Tauseef Khan wrote:
> >
> > > Would that be possible to recover the lost password for checkpoint smart
> > > centre server.  The password you put in GUI client to access management
> > > server.
> >
> > Ever heard of cpconfig? That should do the trick nicely.
> >
> > Hugo.
> >
> > PS: Never hijack another thread to start a new issue. Start a new one.
> >
> > --
> >         hvdkooijvanderkooij.org        http://hvdkooij.xs4all.nl/
> >             This message is using 100% recycled electrons.
>
> --
> Sergio Alvarez
> (506)8301342