000019012 - Error: 'Cannot communicate with ACE/Server' in Check Point Firewall

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000019012

Applies To:
Microsoft Windows 2000 Server
Microsoft Windows NT Server
Check Point Firewall 4.1 SP2
RSA ACE/Server 4.1 (no longer supported as of 2-1-2004)
RSA ACE/Server 5.0 (no longer supported as of 8-15-2004)

Issue:
Error: "Cannot communicate with ACE/Server" in Check Point Firewall
Port 5500 is open on ACE/Server and firewall
The client can ping the master IP and return the name (and vice versa)
The master can ping the client IP and return the name (and vice versa)

Cause:
This might be caused by not using Fully Qualified Domain Names (FQDNs).

Resolution:
Check the following:

1) If using DNS, check that the DNS server uses FQDNs.

2) If using a hosts file, check that along with the entry for the short name there is also an entry for the FQDN. Hosts files should have the format:

<IP> *tab* <FQDN> *tab* <short name>

For example: *tab* foobar.csuk.securid.com *tab* foobar

3) Check that the ACE/Server configuration file, sdconf.rec, has FQDNs. The sdconf.rec can be checked in the following ways:

Under NT (on the master): Programs --> ACE/Server --> Configuration Management

Under UNIX (on the master): sdsetup -config

4) Check the ACE/Server database has FQDNs in each of the client entries (Client --> Edit Client). Normally the ACE/Server does its own name lookup and this is a good check to see if the ACE/Server is picking up what it thinks is the correct IP for a particular name. Place the cursor in the Client Name field and hit TAB to take you to the IP address field. The ACE/Server does a name lookup to fill in the IP address field. If you then TAB out of the IP address field, the ACE/Server automatically does a reverse lookup, which updates the Client Name field.

NOTE: For RSA ACE/Server 5.x, any reference to a Client should be considered to be a reference to an Agent Host, e.g. (AgentHost->Edit AgentHost).
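
The hosts-file check in step 2 can be automated. The following is an added example, not part of the original RSA article: it audits hosts-file text against the `<IP> <FQDN> <short name>` format above. The function name `audit_hosts` and the sample host names and addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; names and addresses are illustrative
# (192.0.2.0/24 is a documentation range), not taken from the article.
SAMPLE_HOSTS = """\
# ACE/Server master and Check Point agent hosts
192.0.2.10\tacemaster.example.com\tacemaster
192.0.2.20\tfw1
192.0.2.30\tfw2\tfw2.example.com
192.0.2.40\tfw3.example.com
not-an-ip\tfw4.example.com\tfw4
"""

def audit_hosts(text):
    """Return (line_number, problem) for entries not in <IP> <FQDN> <short name> form."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on tabs/spaces
        if not fields:
            continue  # blank or comment-only line
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, f"invalid IP address {ip!r}"))
            continue
        if not names:
            findings.append((lineno, "no host name"))
            continue
        # Treat any name containing a dot (ignoring a trailing root dot) as an FQDN.
        fqdns = [n for n in names if "." in n.rstrip(".")]
        if not fqdns:
            findings.append((lineno, "short name only, no FQDN entry"))
        elif names[0] != fqdns[0]:
            findings.append((lineno, "FQDN listed after the short name"))
        elif fqdns[0].split(".")[0].lower() not in (n.lower() for n in names[1:]):
            findings.append((lineno, "FQDN present but short name missing"))
    return findings

if __name__ == "__main__":
    for lineno, problem in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {problem}")
```

Run it against the hosts file on both the ACE/Server master and the firewall, since a mismatch on either side can break name resolution between them.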
Legacy Article ID: a5172