Article Number
000034115
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 or later
Issue
There are two standard agents for Check Point firewall with physical IP addresses and implemented sdopts.rec with the physical IP in it.
In this example,
- There is a Check Point R77 firewall with two clusters.
- Cluster 1 has a physical IP address of x.x.x.101.
- Cluster 2 has a physical IP address of x.x.x.102.
- Cluster 1 and Cluster 2 are a member IPs of the virtual IP address x.x.x.100.
With this configuration, authentication fails with the following message in the Authentication Activity Monitor:
Activity Key: Lookup Authentication agent
Description: Lookup authentication agent by IP address "x.x.x.101"
Reason: Authentication agent not found
Resolution
To resolve this issue follow the steps below:
- In the Security Console, select Access > Authentication Agents > Add New (or Manage Existing, as the case may be).
- Create (or modify) an agent using the virtual IP address in IPv4 format in the Authentication Agent Basics section.
- Click Save when done.
- On the Cluster 1 agent machine, open a text editor and create a file named sdopts.rec.
- In the file add the following entry using the IPv4 virtual IP address, as in the example here:
CLIENT_IP=<virtual IP address>
For example
CLIENT_IP=10.100.100.100
- ave and close the file. A restart of the agent is not required.
- Test authentication against Cluster 1.
- Authentication should be successful and the node secret file named securid will be created in the agent directory (/var/ace/ by default)
- Copy the following files: sdconf.rec, sdopts.rec and securid to standby firewall (Cluster 2)
- This should enable the standby to take authentication requests when it becomes active.
Notes
Adding the virtual IP address as an alternate IP address for the active Check Point firewall enables a successful authentication but it is only limited to one cluster.
