000018196 - 'Signature Violation: MAC' Error when authenticating through an Address Translating Firewall

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000018196
Applies To: Address Translation
RSA ACE/Server
Check Point Firewall-1
Issue: Error: "Signature Violation: MAC" in the Event Viewer Log (Windows NT) or System Log (UNIX) on the Firewall Host
Cause: ACE/Server uses a MAC signature to verify the identity of the client. One element of the MAC signature uses the source port and IP address to uniquely identify the authentication request. Because address translation translates port numbers as well as IP addresses, authentication may fail even if the client has a static translated address.
Resolution: The firewall may have a "tunneling" mode in which ACE authentication traffic passes through with the port left intact and the IP address either unchanged or statically translated. If that is not feasible, you can generate an ACE/Server configuration record (sdconf.rec) to use on that client with a protocol version that predates the MAC identifier enhancement. Note: this will reduce security, as the MAC signature helps to verify the identity of the client.

Obtain a copy of the "2.2 sdconf.rec Utility" from RSA Tech Support. The syntax of the command is:

    sdconf22 sdconf.rec sdconf.new 6

The arguments to the command are, in order: the source sdconf.rec, the new sdconf.rec to write, and the version number to add to the sdconf.rec file (version 6 is the version prior to the addition of the MAC signature).

The updated file is only needed on the firewall that is doing the address translation. All other clients and the server can continue to use the unaltered sdconf.rec.
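
The following is an added example, not RSA code and not the actual ACE/Server protocol: a simplified model of the cause and the workaround's trade-off described above. It uses HMAC-SHA256 as a stand-in for the MAC signature; the secret, addresses, function names and message layout are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values (not from the article): shared secret and addresses.
NODE_SECRET = b"constructed-demo-secret"
CLIENT = ("10.0.0.5", 40001)


def sign(payload, src=None):
    """MAC over the payload, optionally bound to (ip, port). src=None models
    the older protocol version that has no source binding."""
    msg = payload if src is None else payload + f"|{src[0]}|{src[1]}".encode()
    return hmac.new(NODE_SECRET, msg, hashlib.sha256).digest()


def translate(src, new_ip=None, new_port=None):
    """What the firewall does to the source address on the way through."""
    return (new_ip or src[0], new_port or src[1])


def server_accepts(payload, tag, observed_src, bound=True):
    """Server recomputes the MAC from the source address it actually sees."""
    expected = sign(payload, observed_src if bound else None)
    return hmac.compare_digest(tag, expected)


def run_cases():
    req = b"auth-request:user=alice"
    bound_tag = sign(req, CLIENT)
    legacy_tag = sign(req)
    napt = translate(CLIENT, new_ip="203.0.113.10", new_port=61022)
    port_only = translate(CLIENT, new_port=61022)
    return {
        "untranslated": server_accepts(req, bound_tag, translate(CLIENT)),
        "port_rewritten": server_accepts(req, bound_tag, port_only),
        "ip_and_port_rewritten": server_accepts(req, bound_tag, napt),
        "legacy_through_nat": server_accepts(req, legacy_tag, napt, bound=False),
        # Cost of the workaround: the MAC no longer distinguishes the source.
        "legacy_other_source": server_accepts(
            req, legacy_tag, ("198.51.100.7", 5500), bound=False),
    }


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name:24} {'accepted' if ok else 'Signature Violation: MAC'}")
```

In this model a rewritten port alone is enough to break verification, and the unbound MAC passes through translation only because it no longer says anything about where the request came from.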
Legacy Article ID: 6.0.2161713.2814562