|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 or later
|Issue||There are two standard agents for Check Point firewall with physical IP addresses and implemented sdopts.rec with the physical IP in it. |
In this example,
With this configuration, authentication fails with the following message in the Authentication Activity Monitor:
- There is a Check Point R77 firewall with two clusters.
- Cluster 1 has a physical IP address of x.x.x.101.
- Cluster 2 has a physical IP address of x.x.x.102.
- Cluster 1 and Cluster 2 are a member IPs of the virtual IP address x.x.x.100.
Activity Key: Lookup Authentication agent
Description: Lookup authentication agent by IP address "x.x.x.101"
Reason: Authentication agent not found
|Resolution||To resolve this issue follow the steps below:|
- In the Security Console, select Access > Authentication Agents > Add New (or Manage Existing, as the case may be).
- Create (or modify) an agent using the virtual IP address in IPv4 format in the Authentication Agent Basics section.
- Click Save when done.
- On the Cluster 1 agent machine, open a text editor and create a file named sdopts.rec.
- In the file add the following entry using the IPv4 virtual IP address, as in the example here:
CLIENT_IP=<virtual IP address>
- ave and close the file. A restart of the agent is not required.
- Test authentication against Cluster 1.
- Authentication should be successful and the node secret file named securid will be created in the agent directory (/var/ace/ by default)
- Copy the following files: sdconf.rec, sdopts.rec and securid to standby firewall (Cluster 2)
- This should enable the standby to take authentication requests when it becomes active.
|Notes||Adding the virtual IP address as an alternate IP address for the active Check Point firewall enables a successful authentication but it is only limited to one cluster.|