SmartDashboard connection cannot be initiated, make sure server is up and running

Solution ID: sk12120

Error: “connection cannot be initiated, make sure server is up and running”

Product: SmartView Tracker, SmartDashboard
Version: NGX R60, NGX R61, NGX R62, NG AI, NG, NGX R65
Last Modified: 12-December-2007

Symptoms

SmartDashboard is unable to connect to the SmartCenter server.
Error message is displayed when attempting to login to the SmartDashboard.
Error: “Check Point Management Client”.
Error: “Connection cannot be initiated.”
Error: “Make sure that the Server ” is up and running.”
Error message is seen in the $FWDIR/log/fwm.elg file on the SmartCenter server.
Error: “Login Failed: is not allowed for remote login”.
Issuing cpstop / cpstart on the SmartCenter server does not address the problem.

Cause

The SmartDashboard machine’s IP address has not been entered successfully with the cpconfig utility.

Solution

This solution addresses the following situations:

GUI client is not properly registered under cpconfig (in SmartCenter Server).

TCP 18190 is blocked/filtered between the GUI client and SmartCenter Server.

The firewall itself (on the SmartCenter Server) is blocking GUI client connections.

This solution does not address situations where the GUI client is on the same machine as the SmartCenter Server.
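
The fwm.elg symptom above separates the first situation (unregistered GUI client) from the two filtering situations. The script below is an added example, not part of the original solution or of Check Point tooling, that reads the log for refused logins and classifies one client address. It assumes the elided part of the "Login Failed" message is the client address; the sample log lines and their timestamp layout are constructed.

```shell
#!/bin/sh
# Added example, not Check Point tooling. Only the wording "Login Failed: ...
# is not allowed for remote login" is from the article; the timestamp layout
# and the address sitting in the elided position are assumptions.

# Write a constructed fwm.elg excerpt to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
[12 Dec 10:01:07] Login Failed: 192.168.2.100 is not allowed for remote login
[12 Dec 10:01:31] Login Failed: 192.168.2.100 is not allowed for remote login
[12 Dec 10:04:12] Login Failed: 10.9.8.7 is not allowed for remote login
[12 Dec 10:05:00] constructed unrelated line
EOF
}

# Print every rejected source as "address count", most frequent first.
# Unexpected addresses here are hosts that tried to open a management session.
rejected_gui_clients() {
    sed -n 's/.*Login Failed: *\([^ ][^ ]*\) is not allowed for remote login.*/\1/p' "$1" |
        sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Map one GUI client address to the article's causes:
#   not-registered  - fwm saw the login and refused it: add the address in cpconfig
#   check-cpmi-path - no refusal logged: the connection may not be reaching fwm,
#                     so check TCP 18190 filtering and the installed policy
triage_gui_client() {
    log=$1
    ip=$2
    # -F matches the address as a literal string, not a regex; the trailing
    # " is" keeps 192.168.2.10 from matching a line for 192.168.2.100.
    if grep -F -q "Login Failed: $ip is not allowed for remote login" "$log"; then
        echo "not-registered"
    else
        echo "check-cpmi-path"
    fi
}

# Demo on the constructed sample. On a SmartCenter server, pass
# "$FWDIR/log/fwm.elg" to the two functions instead.
demo_log="${TMPDIR:-/tmp}/fwm_sample.$$"
write_sample_log "$demo_log"
rejected_gui_clients "$demo_log"
triage_gui_client "$demo_log" 192.168.2.100
triage_gui_client "$demo_log" 192.168.2.50
rm -f "$demo_log"
```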

To enter the SmartDashboard machine’s IP address using the cpconfig utility, proceed as follows:

SOLARIS, IPSO, SPLAT and Linux
On the SmartCenter server

Issue the cpconfig command.

Use the cpconfig utility in the following way (in this example the SmartDashboard machine’s IP address is 192.168.2.100):
----------------------------------------
# cpconfig
This program will let you re-configure
your VPN-1 & FireWall-1 configuration.

Configuration Options:
----------------------
(1) Licenses
(2) Administrators
(3) GUI clients
(4) SNMP Extension
(5) Groups
(6) PKCS#11 Token
(7) Random Pool
(8) Certificate Authority
(9) Certificate’s Fingerprint
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :3

Configuring GUI clients
==================
GUI clients are trusted hosts from which Administrators are allowed to log on to the SmartCenter server using Windows/X-Motif GUI.

Do you want to [C]reate a new list, [A]dd or [D]elete one?: a

Enter resolvable host name or an IP: 192.168.2.100

192.168.2.100 will be added as a GUI client. Are you sure? (y/n) [y] ? y

192.168.2.100 was added successfully!

Do you want to add another one? (y/n) [n] ? n

Configuration Options:
----------------------
(1) Licenses
(2) Administrators
(3) GUI clients
(4) SNMP Extension
(5) Groups
(6) PKCS#11 Token
(7) Random Pool
(8) Certificate Authority
(9) Certificate’s Fingerprint
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :11

Thank You…
#
----------------------------------------

Login with the GUI Client.

WINDOWS
On the SmartCenter server (for Windows NT / 2000)

Select Start > Programs > Check Point Management Clients > Check Point Configuration NG.

In the Check Point Configuration Tool dialog box, select the GUI Clients tab.

Enter the IP address of the GUI Client (e.g. 192.168.2.100) in the Remote hostname field.

Click on the “Add ->” button.

Click on OK in the Check Point Configuration Tool window.

Note: If the procedures above do not resolve the problem and the GUI client still cannot connect to the SmartCenter server, verify that TCP port 18190 is not filtered or blocked between the GUI client and the SmartCenter server. In the FireWall-1 NG Policy Editor, TCP port 18190 is a pre-defined service called CPMI (Check Point Management Interface). If a firewall module is filtering or blocking the CPMI service between the GUI client and the SmartCenter server, a rule similar to the following example may need to be added:

SOURCE: GUI_client (GUI client machine)
DESTINATION: SmartCenter server (SmartCenter server)
SERVICE: CPMI (TCP port 18190)
ACTION: accept
TRACK: Log

In addition to allowing the CPMI service between the GUI client and the SmartCenter server, verify that “Accept VPN-1 & FireWall-1 control connections” is enabled in Global Properties. Since the firewall module on the SmartCenter server itself is filtering or blocking the CPMI service in this case, it may be necessary to uninstall the current security policy before a new policy can be installed.
This can be done with the following procedure: on the security gateway, issue the command fwm unload localhost.

Once the security policy is uninstalled from the security gateway, “Accept VPN-1 & FireWall-1 control connections” can be enabled on the SmartCenter server with the following procedure:

On the SmartDashboard

Select Policy > Global Properties.

In the Global Properties dialog box, select FireWall-1 from the left pane.

In the FireWall-1 Implied Rules properties, enable “Accept VPN-1 & FireWall-1 control connections”.

Click OK in the Global Properties dialog box.

Install security policy.

If the “Accept VPN-1 & FireWall-1 control connections” check box needs to be unchecked in Global Properties, the CPMI service can be allowed between the GUI client and the SmartCenter server by an explicitly defined rule in the rulebase. A rule similar to the following example will allow the CPMI service between the GUI client and the SmartCenter server:

SOURCE: GUI_client (GUI client machine)
DESTINATION: SmartCenter server (SmartCenter server)
SERVICE: CPMI (TCP port 18190)
ACTION: accept
TRACK: Log

Note:
If after running a ‘log switch’ you are unable to log in, follow this procedure:

Reboot your SmartCenter server.

When prompted to approve the new fingerprint, approve it.

SmartDashboard should now open successfully.
