Technical data

VSX Diagnostics and Troubleshooting
Check Point VSX Administration Guide NGX R67 | 180
c) Examine connectivity status using standard operating system commands and tools such as: ping,
traceroute, tcpdump, ip route, ftp, etc. Some of these run according to context (i.e.
routing, source and destination IP addresses).
For SecurePlatform and Crossbeam platforms, execute the ip route and ip link commands.
If these tests indicate that all interfaces and routers have connectivity, and appear to be functioning
correctly, you should monitor the passage of packets through the system.
5. Execute the fw monitor -v [vsname or vsid] command to capture details of packets at
multiple points. This may return multiple reports on the same packet as it passes various capture points.
This command does not report on Virtual Routers, except for packets destined to an external Virtual
Router.
Note - The Performance Pack may have an adverse effect on the capabilities of the
fw monitor command.
6. Execute the tcpdump command to display transmitted or received packets for specific interfaces,
including Warp interfaces. This often provides valuable clues for resolving connectivity issues.
Troubleshooting Specific Problems
Cannot Establish SIC Trust for Gateway or Cluster
When creating a VSX gateway or cluster, you cannot establish SIC trust. SmartDashboard gives an error
message:
Certificate cannot be pushed. Connection error with wait agent.
Possible Causes and How to Resolve

Possible cause: Check that you have network connectivity between the gateway and the Security Gateway or Domain Management Server by pinging from the VSX system. (A ping from the Domain Management Server/Security Management to the VSX system will not work because of the default security policy installed on the VSX gateway/cluster.) Make sure the context is vrf 0 first.
How to resolve: On all relevant machines, re-check the cables, routes, IP addresses and any intermediate networking devices (routers, switches, hubs, and so on) between the management and the gateway(s).

Possible cause: Check that all the Check Point processes on the VSX gateway(s) are up and running by running cpwd_admin list and making sure each line has a non-zero value in the PID field.
How to resolve: If the gateway(s) has just rebooted, the Check Point processes might still be coming up. If this is not the case, and you are using Crossbeam X40, make sure you have executed the application … start command. (For more information refer to the Crossbeam documentation.)

Possible cause: Check that the CPD process is listening to the trust establishment port, by running netstat -an | grep 18211 on the VSX gateway(s), and checking that output looks like this:
    tcp 0 0 0.0.0.0:18211 0.0.0.0:* LISTEN
How to resolve: Make sure that you executed the cpconfig command on the gateway(s), and that it finished successfully.
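
The process and port checks from the table above can be combined into one script. This is an added example, not part of the Check Point guide; the function names, the sample output and the assumed column layout of cpwd_admin list are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): SIC pre-checks on captured command output.
# ASSUMPTION: `cpwd_admin list` prints a header row starting with APP and
# puts the PID in column 2; adjust the awk fields if your output differs.

# Print the name of every watchdog entry whose PID is 0 (process not running).
cpwd_down() {
    awk '$1 != "APP" && NF >= 2 && $2 == "0" { print $1 }'
}

# Succeed only if `netstat -an` output on stdin has a TCP socket in LISTEN
# state whose *local* port is $1. A bare `grep 18211` would also match an
# established connection to a remote port 18211.
port_listening() {
    awk -v p="$1" '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
                   END { exit !found }'
}

# $1 = text of `cpwd_admin list`, $2 = text of `netstat -an`.
sic_precheck() {
    rc=0
    down=$(printf '%s\n' "$1" | cpwd_down)
    [ -z "$down" ] || { echo "FAIL: PID 0 for:" $down; rc=1; }
    printf '%s\n' "$2" | port_listening 18211 ||
        { echo "FAIL: nothing listening on TCP 18211"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: processes up, CPD listening on 18211"
    return "$rc"
}

# Constructed sample output (not captured from a real gateway).
SAMPLE_CPWD='APP  PID   STAT  #START  COMMAND
CPD  3120  E     1       cpd
FWD  0     T     3       fwd'
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:18211 0.0.0.0:* LISTEN
tcp 0 0 192.0.2.10:40112 192.0.2.20:18211 ESTABLISHED'

# On a gateway: sic_precheck "$(cpwd_admin list)" "$(netstat -an)"
sic_precheck "$SAMPLE_CPWD" "$SAMPLE_NETSTAT" || true
```

Run it from the vrf 0 context, as the connectivity check in the table requires.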
SIC Trust Problems with new Virtual Devices
When creating a new Virtual System, Virtual Router or Virtual Switch, you cannot establish SIC trust.