Article Number | 000034115 |
Applies To | RSA Product Set: SecurID; RSA Product/Service Type: Authentication Manager; RSA Version/Condition: 8.1 or later |
Issue | Two standard agents are registered for a Check Point firewall, one per physical IP address, and each firewall member has an sdopts.rec file that sets its physical IP. In this example,
- There is a Check Point R77 firewall with two clusters.
- Cluster 1 has a physical IP address of x.x.x.101.
- Cluster 2 has a physical IP address of x.x.x.102.
- Cluster 1 and Cluster 2 are member IPs of the virtual IP address x.x.x.100.
With this configuration, authentication fails with the following message in the Authentication Activity Monitor:
Activity Key: Lookup Authentication agent
Description: Lookup authentication agent by IP address "x.x.x.101"
Reason: Authentication agent not found |
Resolution | To resolve this issue, follow the steps below:
- In the Security Console, select Access > Authentication Agents > Add New (or Manage Existing, as the case may be).
- Create (or modify) an agent using the virtual IP address in IPv4 format in the Authentication Agent Basics section.
- Click Save when done.
- On the Cluster 1 agent machine, open a text editor and create a file named sdopts.rec.
- In the file, add the following entry using the IPv4 virtual IP address, as in the example here:
CLIENT_IP=<virtual IP address>
For example:
CLIENT_IP=10.100.100.100
- Save and close the file. A restart of the agent is not required.
- Test authentication against Cluster 1.
- Authentication should be successful, and the node secret file named securid will be created in the agent directory (/var/ace/ by default).
- Copy the following files to the standby firewall (Cluster 2): sdconf.rec, sdopts.rec and securid.
- This should enable the standby to take authentication requests when it becomes active. |
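The steps above are typically carried out by hand on the firewall shell. The script below is an added example, not part of the RSA article or of the Check Point or RSA agent software: it writes the sdopts.rec entry, refuses anything that is not a dotted-quad IPv4 address (the article requires IPv4 format), confirms that the node secret and configuration files exist before the copy to the standby member, and copies them preserving permissions. The agent directory is passed as a parameter rather than assuming /var/ace/, and the VIP 10.100.100.100 is the article's example value.

```shell
#!/bin/sh
# Added example (not RSA's or Check Point's code). Assumptions: the agent
# directory is given as an argument (the article's default is /var/ace/);
# the standby member's copy of that directory is reachable as a local path
# (for instance mounted or staged before transfer).

# is_ipv4 ADDR -> 0 if ADDR is a dotted-quad IPv4 address with octets 0..255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# write_sdopts AGENT_DIR VIP -> writes AGENT_DIR/sdopts.rec containing the
# single CLIENT_IP line from the article (step "In the file, add ...").
write_sdopts() {
    dir=$1; vip=$2
    if ! is_ipv4 "$vip"; then
        echo "refusing to write sdopts.rec: '$vip' is not an IPv4 address" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    printf 'CLIENT_IP=%s\n' "$vip" > "$dir/sdopts.rec"
}

# check_failover_files AGENT_DIR -> 0 only if all three files the article
# says to copy (sdconf.rec, sdopts.rec, securid) are present. securid is
# the node secret created by the first successful authentication, so its
# absence means the test authentication step has not succeeded yet.
check_failover_files() {
    dir=$1; missing=0
    for f in sdconf.rec sdopts.rec securid; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# stage_to_standby AGENT_DIR STANDBY_DIR -> copies the three files to the
# standby member's agent directory, keeping ownership/mode (cp -p) so the
# node secret keeps the same restrictive permissions it had on the active member.
stage_to_standby() {
    src=$1; dst=$2
    check_failover_files "$src" || return 1
    mkdir -p "$dst" || return 1
    for f in sdconf.rec sdopts.rec securid; do
        cp -p "$src/$f" "$dst/$f" || return 1
    done
}

# Usage on the active member (Cluster 1), after the VIP agent exists in the
# Security Console:
#   write_sdopts /var/ace 10.100.100.100
#   (test authentication, which creates /var/ace/securid)
#   stage_to_standby /var/ace /path/to/cluster2/var/ace
```

After the change, an authentication attempt should show the lookup against the virtual IP (x.x.x.100) in the Authentication Activity Monitor rather than the physical address x.x.x.101 from the original error; if the lookup still names the physical IP, the sdopts.rec entry was not picked up.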
Notes | Adding the virtual IP address as an alternate IP address for the active Check Point firewall also enables successful authentication, but that approach is limited to one cluster. |