000034115 - Unable to authenticate to Authentication Manager 8.x with a Check Point firewall in a clustered environment where a virtual IP address was implemented

Document created by RSA Customer Support Employee on Oct 31, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number000034115
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 or later
 
IssueTwo standard agents were created for the Check Point firewall, one per cluster member, each registered with the member's physical IP address and each with an sdopts.rec carrying that physical IP.
In this example,
  • There is a Check Point R77 firewall cluster with two members, referred to here as Cluster 1 and Cluster 2.
  • Cluster 1 has a physical IP address of x.x.x.101.
  • Cluster 2 has a physical IP address of x.x.x.102.
  • Cluster 1 and Cluster 2 are the member IPs behind the virtual IP address x.x.x.100.
With this configuration, authentication fails and the Authentication Activity Monitor shows the following:

Activity Key: Lookup Authentication agent 
Description: Lookup authentication agent by IP address "x.x.x.101" 
Reason: Authentication agent not found

ResolutionTo resolve this issue, follow the steps below:
  1. In the Security Console, select Access > Authentication Agents > Add New (or Manage Existing, if an agent record already exists).
  2. Create (or modify) the agent so that the Authentication Agent Basics section holds the virtual IP address in IPv4 format.
  3. Click Save when done.
  4. On the Cluster 1 agent machine, open a text editor and create a file named sdopts.rec in the agent directory (/var/ace/ by default).
  5. In the file, add the following entry using the IPv4 virtual IP address. CLIENT_IP overrides the address the agent reports for itself, so requests from this member are matched against the agent record created in step 2 rather than against the member's physical IP:
CLIENT_IP=<virtual IP address>

For example

CLIENT_IP=10.100.100.100

  6. Save and close the file. A restart of the agent is not required.
  7. Test authentication against Cluster 1.
  8. Authentication should be successful, and the node secret file named securid is created in the agent directory (/var/ace/ by default).
  9. Copy the following files to the same agent directory on the standby firewall (Cluster 2): sdconf.rec, sdopts.rec and securid. The securid file holds the node secret shared between the agent and Authentication Manager, so copy it over an encrypted channel (for example scp) rather than in the clear, and keep its file permissions as restrictive on Cluster 2 as on Cluster 1.
  10. The standby can then take authentication requests when it becomes active, because it presents the same virtual IP and the same node secret as Cluster 1.
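The file-side part of the procedure (steps 4 to 9), as an added example that is not RSA's or Check Point's own tooling: a POSIX sh script that writes sdopts.rec with the virtual IP, refuses anything that is not a dotted-quad IPv4 address, checks that the three files the standby needs are present (the securid node secret only appears after the test authentication in step 7) and copies them to the standby over scp. The ACE_DIR variable (default /var/ace), the root@ login and the standby hostname argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not RSA's or Check Point's own tooling: stage the RSA
# Authentication Agent files on the active cluster member so that both
# members authenticate as the virtual IP.  Assumptions: the agent directory
# is /var/ace unless ACE_DIR is set, and the standby member is reached as
# root over SSH (the hostname is passed as the second argument).
set -u
ACE_DIR=${ACE_DIR:-/var/ace}

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.  sdopts.rec must
# carry the VIP in IPv4 form, so anything else is refused before it is written.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    old_ifs=$IFS
    IFS=.
    for octet in $1; do
        n=$((n + 1))
        if [ "$octet" -gt 255 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Write CLIENT_IP=<vip> into <dir>/sdopts.rec.  With this line present the
# agent reports the VIP, not the member's physical address, so Authentication
# Manager finds the single agent record keyed on the VIP.
write_sdopts() {
    dir=$1
    vip=$2
    if ! is_ipv4 "$vip"; then
        echo "write_sdopts: '$vip' is not an IPv4 address" >&2
        return 1
    fi
    printf 'CLIENT_IP=%s\n' "$vip" > "$dir/sdopts.rec"
}

# Print the CLIENT_IP configured in <dir>/sdopts.rec (empty if none).
sdopts_client_ip() {
    sed -n 's/^CLIENT_IP=//p' "$1/sdopts.rec" 2>/dev/null
}

# Return 0 if every file the standby needs exists in <dir>: sdconf.rec (from
# Authentication Manager), sdopts.rec (written above) and securid (the node
# secret, created by the first successful authentication).  Missing names are
# printed so the operator knows whether the test authentication is still due.
standby_files_ready() {
    dir=$1
    missing=""
    for f in sdconf.rec sdopts.rec securid; do
        [ -f "$dir/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "missing in $dir:$missing" >&2
        return 1
    fi
    return 0
}

# Copy the three files to the standby member.  securid is the node secret
# shared between this agent and Authentication Manager, so it goes over scp
# rather than a cleartext channel, and its mode is tightened on arrival.
sync_to_standby() {
    dir=$1
    host=$2
    standby_files_ready "$dir" || return 1
    scp "$dir/sdconf.rec" "$dir/sdopts.rec" "$dir/securid" "root@$host:$dir/" || return 1
    ssh "root@$host" "chmod 600 '$dir/securid'"
}

# Usage: sh stage_agent.sh <virtual-ip> [standby-host]
# Run on the active member after steps 1 to 3; rerun with the standby host
# once the test authentication in step 7 has produced securid.
if [ "$#" -ge 1 ]; then
    write_sdopts "$ACE_DIR" "$1" && standby_files_ready "$ACE_DIR"
    if [ "$#" -ge 2 ]; then
        sync_to_standby "$ACE_DIR" "$2"
    fi
fi
```

Run it once with only the VIP to write sdopts.rec, perform the test authentication from step 7, then run it again with the standby hostname; the readiness check stops the copy if securid has not yet been created, which is the usual reason the standby later fails with the same "Authentication agent not found" message.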
NotesAdding the virtual IP address as an alternate IP address on the agent record of the active Check Point firewall also yields a successful authentication, but that fix applies to one cluster member only; the procedure above uses CLIENT_IP in sdopts.rec and copies the files to the standby so that both members are covered.
