Article Content
Article Number | 000021417 |
Applies To | Check Point Firewall Nokia IPSO RSA ACE/Server |
Issue | Check Point on Nokia appliances not able to authenticate users with RSA SecurID Users cannot successfully perform a SecurID authentication In /var/log/messages, the following message is recorded: [LOG_ERR] ACEAGENT: The message entry does not exist for Message ID: 1008 |
Cause | It is not possible to determine which IP address the appliance is using to encrypt communication with the SecurID server |
Resolution | For each node in the cluster determine the main IP address. Every node should have a unique "main" IP address. (Use for example the IP address used as management IP bye the Check Point software). For every node in the cluster, perform the following steps: 1. Create the sdopts.rec file in the /var/ace directory 2. Using VI, edit the sdopts.rec file and insert the line: CLIENT_IP=10.10.111.10 {main_ip_address ## as determined in step 1} 3. On the ACE/Server, create a new node. The main IP address is the "unique" IP address you determined in step 1. 4. Define as secondary IPs the IP addresses used as source IP address in the SecurID packet send to the SecurID server (NOTE: You can determine the address by sniffing an ACE request on the ACE/Server). 5. Stop and start FW-1 and try to authenticate. For more information about using SDOPTS.REC, see the solution regarding How to set an IP address override for an RSA ACE/Agent and RSA Authentication Agent |
Legacy Article ID | a22844 |