Troubleshooting Specific Problems

Cannot Establish SIC Trust for VSX Gateway or VSX Cluster Member

When creating a VSX Gateway or VSX Cluster Member, you cannot establish SIC trust. SmartConsole shows an error message:

Certificate cannot be pushed. Connection error with wait agent.

Possible Causes

How to Resolve

Check that you have network connectivity between the gateway and the Security Gateway or Domain Management Server by pinging from the VSX system (a ping from the Management Server to the VSX Gateway will not work because of the default security policy installed on the VSX Gateway / VSX Cluster Member).

Make sure the context is vrf 0 first.

On all relevant machines, re-check the cables, routes, IP addresses and any intermediate networking devices (routers, switches, hubs, and so on) between the management and the gateway(s).

Check that all the Check Point processes on the VSX Gateway(s) are up and running by running the "cpwd_admin list" command and making sure each line has a non-zero value in the PID field.

If the gateway(s) has just rebooted, the Check Point processes might still be coming up.

Check that the CPD process is listening to the trust establishment port.

Run netstat -an | grep 18211 on the VSX Gateway(s), and make sure that the output looks like this:

tcp   0   0 0.0.0.0:18211   0.0.0.0:* LISTEN
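
The process and port checks above can be scripted so that they fail loudly instead of relying on reading the output by eye. This is an added example, not Check Point's own tooling; the function names are hypothetical, the sample data is constructed, and the column layout of "cpwd_admin list" (APP first, PID second) is an assumption.

```shell
# Added example. Function names are hypothetical; the "cpwd_admin list"
# column layout (APP in column 1, PID in column 2) is an assumption.

# Print the names of watchdog-monitored processes whose PID field is 0.
# Reads "cpwd_admin list" output on stdin and skips the header row.
zero_pid_apps() {
    awk '$1 != "APP" && $2 ~ /^[0-9]+$/ && $2 + 0 == 0 { print $1 }'
}

# Succeed only if a TCP socket is in LISTEN state on local port 18211.
# Reads "netstat -an" output on stdin. Stricter than a plain "grep 18211",
# which also matches established connections and remote-side port numbers.
sic_port_listening() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /[:.]18211$/ { found = 1 }
         END { exit !found }'
}

# Constructed sample input (not captured from a real gateway).
SAMPLE_CPWD='APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        4012   E     1       [10:02:11] 1/1/2024    Y    cpd
FWD        0      T     3       [10:02:15] 1/1/2024    N    fwd
CPVIEWD    4100   E     1       [10:02:20] 1/1/2024    N    cpviewd'

SAMPLE_NETSTAT_OK='tcp   0   0 0.0.0.0:18211   0.0.0.0:* LISTEN
tcp   0   0 0.0.0.0:257     0.0.0.0:* LISTEN'

# Port 18211 appears twice here, but never as a listening local port.
SAMPLE_NETSTAT_BAD='tcp   0   0 192.0.2.10:18211  192.0.2.20:40111 ESTABLISHED
tcp   0   0 192.0.2.10:22     192.0.2.20:18211 ESTABLISHED'

# On a gateway (where cpwd_admin exists), run the checks against live output.
if command -v cpwd_admin >/dev/null 2>&1; then
    down=$(cpwd_admin list | zero_pid_apps)
    [ -z "$down" ] || echo "Processes with PID 0: $down"
    netstat -an | sic_port_listening || echo "CPD is not listening on TCP 18211"
fi
```

If the gateway has just rebooted, a process reported with PID 0 may simply not have started yet, so re-run the check before acting on it.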