We have recently had our IP380 and management server upgraded to HFA_13 but still cannot get our Edge X16 to connect. When I go to the Edge services wizard and enter our gateway IP as the service center address it times out and says that it did not respond. The firmware we have is 5.0.57x. I have some things about having to update the libsw files but it will connect if I plug the Edge into our internal network first. Still getting used to how this works so maybe this is correct but it's not going to be helpful with it installed in Ireland! Any help greatly appreciated.
<RayP>
Posted
Make sure you have a process named SMS running on SmartCenter; it's not started by default. On a Windows 2000 SMartCenter you start it for the very first time by running
smsstart
from a command prompt. SMS is how an Edge talks to the SmartCenter. Once you run it from the command prompt it will survive a reboot. Mine doesn't survive a cpstop/cpstart but it does come back up on a reboot for whatever reason.
Ray
<Howard>
Posted
Hi Ray. Thanks for replying. Yes, the SMS processis running and if you run netstat I can see UDP localhost:9282 *:*
SMS not running was the problem we had before we upgraded to HFA_13. Everything I read about these boxes say its a 3 step process but I just cannot get the Edge to talk to the Management server. The only way I can get a VPN tunnel up at all is if I create it manually and define the networks I want. If I try to use the topology download that sets it up but wrongly, showing the internal interface of the firewall and not the external one, so nothing works. The manuals I have say that you use the Service Center wizard and point it to the IP of the management server. Since this is an external box all I can do is point it at the firewalls IP. This accepts the IKE traffic but does nothing with it.
<RayP>
Posted
Did you install the certificate manually or let the Edge box pull it when it connected to the SmartCenter the first time? If you installed it manually, that's probably the issue. Remove it and reconnect to the SmartCenter. After you enter the Edge name and password it will install the cert automatically.
RAy
<Howard>
Posted
Hi Ray. Yes, SMS is defintely running. Installing HFA_13 fixed that. All the fixes I have seen and problems people seem to experience mention that they have a problem getting the Edge to pick up its profile. Our problem is that we cannot get it to connect to the SC at all through the firewall. If I bring the Edge onto our internal network and change the objects in SC it connect fine every time and will get its policy. If I reset everything and put it back on our DSL line and try to come in through the firewall: nothing!
<Howard>
Posted
I have also done a tcpdump on the firewall, monitoring the interface that the SC is connected to and there is no communication between the two on port 9282. This was was while I was trying to connect from the Edge.
<Howard>
Posted
quote:
Originally posted by RayP: Make sure you have a process named SMS running on SmartCenter; it's not started by default. On a Windows 2000 SMartCenter you start it for the very first time by running
smsstart
from a command prompt. SMS is how an Edge talks to the SmartCenter. Once you run it from the command prompt it will survive a reboot. Mine doesn't survive a cpstop/cpstart but it does come back up on a reboot for whatever reason.
Ray
Got the mamangement working by NATing the management server to a public IP and connecting to that. Amazingly this little nugget of information is not available ANYWHERE that I can find in either Checkpoints database or Sofawares. I had to Google it. The support guy I was dealing with at Checkpoint didn't suggest this either and in fact said that our configuration was a little unusual!! What, an Distributed install on an IP380 with a Windows 2003 SC behind it? Yes, very unusual I'm sure! Thanks Ray for your help.
<RayP>
Posted
I don't know why CP insists on making people expose their SmartCenter boxes to the Internet in a distributed environment. It always makes me nervous.I'd rather they accept the traffic on the gateway and use the gateway to proxy it to the SmartCenter.
