000029119 - Error message "The SIC infrastructure was unable to establish the connection" when integrating Check Point firewall with RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support on Feb 1, 2018.
Version 4

Article Content

Article Number: 000029119

Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector, VLC / RC
RSA Version/Condition: 10.3.x, 10.4.x
Platform: CentOS
O/S Version: EL6

Issue

The Check Point connection with RSA Security Analytics fails with the following error message in the /var/log/messages file:



The SIC infrastructure was unable to establish the connection



All the event source parameters have been configured correctly according to the RSA Check Point integration guide. However, the Check Point connection still fails with the error above.



Debug logs on Security Analytics display the following error messages:




[ 25805 4148672768]@xxxxxxx[6 Nov 16:06:51] pushing dgtype=10a len=0 to list=0x9893224
[ 25805 4148672768]@xxxxxxx[6 Nov 16:06:51] fwasync_conn_params: <ac1f027f,35516> -> <ac1f024f,18184>
[ 25805 4148672768]@xxxxxxx[6 Nov 16:06:51] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[ 25805 4148672768]@xxxxxxx[6 Nov 16:06:51] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] fwasync_mux_timeout: 10: timed out after 25000 miliseconds
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] fwasync_mux_timeout: 10: inbuf: 0/4 outbuf: 0/0 state: 817f3b0 1
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] fwasync_mux_timeout: 10: calling handler 817e9c0
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] timeout_handler: Timeout on SIC conn 10
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] fwasync_set_events: connection 10 already closed
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] sic_client_end_handler: for conn id = 10
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] opsec_auth_client_connected: connect failed (148)
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] opsec_auth_client_connected: SIC Error for lea: timeout elapsed during authentication protocol.
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] opsec_auth_client_connected:conn=(nil) opaque=0x98a6550 err=0 comm=0x9893208
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] comm failed to connect 0x9893208
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] OPSEC_SET_ERRNO: err =  8  Comm is not connected/Unable to connect (pre =  0)
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] COM 0x9893208 got signal 131075
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] destroying comm 0x9893208
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] Destroying comm 0x9893208 with 1 active sessions
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] Destroying session (98aa220) id 3 (ent=989b1a8) reason=SIC_FAILURE
[ 25805 4148672768]@xxxxxxx[6 Nov 16:07:16] SESSION ID:3 is sending DG_TYPE=3

Cause

The default hard-coded buffer size on the Check Point firewall is not sufficient.

Resolution

To resolve the issue, the Check Point admin needs to modify the file $FWDIR/conf/fwopsec.conf and add the following string to increase the buffer size:
 
lea_server conn_buf_size 2000000


Ideally this file should have the following lines appended for the Check Point firewall to work properly with RSA Security Analytics:

lea_server auth_port 18184
lea_server port 0
lea_server auth_type sslca
lea_server conn_buf_size 2000000
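
As an added example (not part of the RSA article or of Check Point's tooling), the shell function below audits a fwopsec.conf for the four lea_server lines listed above and reports which are missing or set differently. The function name check_lea_conf, the treatment of `#` lines as comments, the last-line-wins rule and the sample file contents are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit fwopsec.conf for the lea_server lines in this article.
# Assumptions: '#' starts a comment; fields are whitespace-separated; when a
# key appears more than once, the last uncommented line is the one compared.

# Prints one status line per setting; returns the number of problems found.
check_lea_conf() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 255; }
    # Required "key value" pairs, taken from the article.
    for want in "auth_port 18184" "port 0" "auth_type sslca" "conn_buf_size 2000000"; do
        key=${want% *}
        val=${want#* }
        # Commented lines never match because their first field is not lea_server.
        have=$(awk -v k="$key" '$1 == "lea_server" && $2 == k { v = $3 } END { print v }' "$conf")
        if [ -z "$have" ]; then
            echo "MISSING  lea_server $key $val"
            problems=$((problems + 1))
        elif [ "$have" != "$val" ]; then
            echo "MISMATCH lea_server $key: found $have, expected $val"
            problems=$((problems + 1))
        else
            echo "OK       lea_server $key $val"
        fi
    done
    return "$problems"
}

# Demo on a constructed sample file (not taken from a real firewall).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# lea_server auth_port 18184
lea_server port 0
lea_server auth_type auth_opsec
EOF
check_lea_conf "$sample" || echo "settings needing attention: $?"
rm -f "$sample"
```

On the firewall, the function would be pointed at "$FWDIR/conf/fwopsec.conf"; it only reads the file and changes nothing.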


 
Notes

Please refer to "How to run the Check Point collection service from command line for troubleshooting on an RSA Security Analytics Log Collector" for details on how to enable debug on the SA Log Collector to view enhanced Check Point integration logs.

For the newer versions of the Check Point Security Suite, access to the Check Point Management Console has been hardened. Please note the following:
  • For version R61 and newer, you cannot use the no authentication method to connect to the console. You need to use auth_OPSEC or SSLCA as the authentication method.
  • For version R71 and newer, you cannot use either the no authentication method or the auth_OPSEC method to connect to the console. You need to use SSLCA as the authentication method.
  • RSA recommends that customers use SSLCA as the authentication method whenever possible.
