|Applies To||RSA ACE/Server; Check Point Firewall|
|Issue||Simplified Nokia Check Point NG configuration; Check Point NG setup; Error: "Node verification failed"; Passcode / Password incorrect|
|Cause||The Nokia firewall is identifying itself to the ACE/Server, and encrypting its agent traffic, with an IP address that differs from the one defined for its Agent Host record in ACE/Server. The ACE/Server therefore cannot match the incoming request to the Agent Host and reports "Node verification failed".|
|Resolution||To correct this issue, determine the firewall interface/IP that is on the same subnet as the ACE/Server, or that is otherwise used to send traffic to the ACE/Server, and pin the agent to that address. The example below uses these values:|
Interface that routes to the ACE/Server = 10.1.1.1
Directory containing sdconf.rec = /var/ace
The ACE/Server resolves the hostname Nokiabox to 10.1.1.1 (hosts file or DNS)
Create a file on the firewall named /var/ace/sdopts.rec
content of file:
ACE/Server Agent Host definition: the Agent Host record for Nokiabox must use the same address (10.1.1.1), with "Open to all locally known users" enabled (at least for testing, so that user/group activation is ruled out as a cause)
What the above sdopts.rec does:
Instead of Nokiabox trying to work out its own identity (the source IP it will use when talking to and encrypting traffic for the ACE/Server), the RSA agent API takes the identity from the sdopts.rec file. A multi-homed firewall would otherwise pick whichever interface address it considers primary, which need not be the one that actually reaches the ACE/Server.
Secondary Nodes are not necessary in this configuration, because the client now identifies itself with the same address as the source of the packets arriving at the ACE/Server's authentication port (UDP 5500), so the single Agent Host record matches.
NOTE: The same solution works for Windows; there, the sdopts.rec file lives in the Windows System32 directory (%SystemRoot%\system32\).
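The procedure above hinges on one thing: the address the agent pins in sdopts.rec must be the same address the ACE/Server resolves for the agent's hostname. The following shell helpers are an added example, not code from the original article or from RSA/Check Point. They assume the standard `CLIENT_IP=<address>` directive of the RSA agent's sdopts.rec, and the hostname Nokiabox and addresses from the example; the hosts-file snippet is constructed to stand in for the ACE/Server's own name resolution.

```shell
#!/bin/sh
# Added example: pin the agent's identity in sdopts.rec and verify that it
# agrees with the address the ACE/Server side resolves for the agent name.
# Assumption: the RSA agent honours a CLIENT_IP=<address> line in sdopts.rec.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with octets 0-255, else 1
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# write_sdopts DIR ADDR -> writes DIR/sdopts.rec containing CLIENT_IP=ADDR
write_sdopts() {
    dir=$1; ip=$2
    valid_ipv4 "$ip" || { echo "refusing to pin invalid address: $ip" >&2; return 1; }
    printf 'CLIENT_IP=%s\n' "$ip" > "$dir/sdopts.rec"
}

# read_client_ip DIR -> prints the CLIENT_IP value from DIR/sdopts.rec
read_client_ip() {
    sed -n 's/^CLIENT_IP=//p' "$1/sdopts.rec"
}

# hosts_lookup HOSTSFILE NAME -> prints the address HOSTSFILE maps NAME to
# (first match, case-insensitive, comments skipped), empty if none
hosts_lookup() {
    awk -v n="$(echo "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if (tolower($i) == n) { print $1; exit } }' "$1"
}

# check_agent_identity DIR HOSTSFILE NAME -> 0 when the pinned CLIENT_IP and
# the ACE-side resolution of NAME agree, 1 on the mismatch that produces
# "Node verification failed"
check_agent_identity() {
    pinned=$(read_client_ip "$1")
    resolved=$(hosts_lookup "$2" "$3")
    if [ -n "$pinned" ] && [ "$pinned" = "$resolved" ]; then
        echo "OK: $3 -> $resolved matches CLIENT_IP=$pinned"
        return 0
    fi
    echo "MISMATCH: ACE/Server resolves $3 to '$resolved' but sdopts.rec pins '$pinned'" >&2
    return 1
}

# Demo using a constructed hosts snippet in place of the ACE/Server's hosts file.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/hosts" <<'EOF'
# constructed sample, as the ACE/Server would see it
127.0.0.1   localhost
10.1.1.1    Nokiabox nokiabox.example.com
10.1.1.5    aceserver
EOF
    write_sdopts "$tmp" 10.1.1.1
    check_agent_identity "$tmp" "$tmp/hosts" Nokiabox
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

Run it on the firewall with the real sdconf.rec directory in place of the temporary one, and feed `hosts_lookup` a copy of the ACE/Server's hosts file (or compare `pinned` against a `nslookup` of the agent name from the ACE/Server) to confirm the two sides agree before re-testing the passcode.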
|Notes||Update: Newer versions of Check Point may NOT use sdopts.rec. The 2013 guide for Check Point R77 lists the RSA SecurID authentication files as follows:|
File | Location (Unix-based, Windows)
sdconf.rec | /var/ace, %SystemRoot%\system32\
Node Secret | /var/ace, System Registry
sdopts.rec | Not implemented
|Legacy Article ID||a17105|