Tuesday, July 10, 2012

How to reset SIC for a Virtual System

On rare occasions you may run into SIC issues with a VSX-based security system. In most cases this surfaces as a communication failure for one or several Virtual Systems.

It would be quite easy to fix failing SIC in the case of a physical FW: you just need to reset it on both the MGMT and GW side and re-initialize it from SmartDashboard.

In the case of a VS it is not that easy. You should follow the procedure explained in SK34098. Before I give you a short overview of that procedure, there are three important points to mention:

1. Do not try to reset SIC with the physical members of your VSX cluster. It will lead to even bigger problems and will not help to restore SIC on a particular VS.
2. Follow the procedure below only if you are absolutely sure there are no communication problems and that the local time settings on both GW and MGMT are correct. Remember, this procedure is the last resort, and if you do not follow it carefully, you may cause even more damage.
3. If anything mentioned below does not seem familiar to you, or if you have any doubt, call your support contact and ask them for help.

That said, let's fix the issue.

Step 1: Identify the ID number of the failing VS.
Step 2: Reset SIC for this VS on the GW side. To do that, run the following command:

fw vsx sic reset {VS_ID}

Step 3: Reset SIC on the MGMT side. Go to the target CMA (the one managing the problematic VS) by typing the following command on the MDS console:

mdsenv {CMA_NAME}

Identify the SIC name of the VS. To do that, run

cpca_dbutil print InternalCA | grep {Virtual_System_Name}

Note: the SK mentioned above describes an alternative way involving the ICA Management Tool Web UI. You can do that too; it does not matter. I believe my way is faster.

Once you get the full SIC name, run the following command:

cpca_client revoke_cert -n CN={VS_SIC_Name}

Step 4: Recreate SIC. Open SmartDashboard on the target CMA and double-click the problematic VS. Press the OK button. At this step SIC should be re-created successfully.

You may want to install policy on this VS once all's done.
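Steps 2 and 3 wrapped in a small POSIX shell script, as an added example that is not from the original post or from Check Point. It adds two checks a careful operator wants: the VS ID must be numeric, and the management-side revoke refuses to run unless the name you give matches exactly one certificate, so a substring like VS1 cannot silently resolve to VS10 and revoke the wrong VS. It assumes that `cpca_dbutil print InternalCA` prints one certificate per line with a subject containing CN=<name> (the sample lines below are constructed), and that `mdsenv {CMA_NAME}` has already been run in the shell where the revoke is issued.

```shell
#!/bin/sh
# Added example, not from the original post or from Check Point: a thin
# wrapper around Steps 2 and 3 with two guards the manual procedure lacks.
# Assumptions: `cpca_dbutil print InternalCA` prints one certificate per
# line with a subject containing "CN=<name>" (sample below is constructed),
# and `mdsenv {CMA_NAME}` has already been run in the shell used for "revoke".
set -eu

# Constructed sample of the kind of lines the CN lookup parses.
SAMPLE_CERT_LINES='Subject: CN=VS1_fw,O=mds..abcde
Subject: CN=VS10_fw,O=mds..abcde
Subject: CN=VS2_fw,O=mds..abcde'

# select_vs_cn NAME: read certificate lines on stdin and print the one CN
# containing NAME. Fails unless exactly one matches, so a substring such as
# "VS1" cannot silently resolve to VS10 and revoke the wrong certificate.
select_vs_cn() {
    name=$1
    matches=$(sed -n 's/.*CN=\([^,]*\).*/\1/p' | grep -F -- "$name" || true)
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one certificate matching '$name', found $count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# gw_reset VS_ID: Step 2 on the gateway, refusing anything but a numeric ID.
gw_reset() {
    case $1 in
        ''|*[!0-9]*) echo "VS_ID must be numeric, got '$1'" >&2; return 1 ;;
    esac
    fw vsx sic reset "$1"
}

# mgmt_revoke NAME: Step 3 on the CMA, resolving the full SIC name first.
mgmt_revoke() {
    cn=$(cpca_dbutil print InternalCA | select_vs_cn "$1") || return 1
    echo "revoking SIC certificate CN=$cn"
    cpca_client revoke_cert -n "CN=$cn"
}

case ${1:-} in
    reset)  gw_reset "${2:-}" ;;
    revoke) mgmt_revoke "${2:-}" ;;
    *) echo "usage: $0 reset VS_ID | revoke VS_NAME" >&2 ;;
esac
```

Run `reset` on the VSX gateway and `revoke` on the CMA; with no arguments the script only prints its usage, so it can be read and tested safely.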

3 comments:

  1. >>
    Note: the SK mentioned above describes an alternative way involving ICA Management tool Web-UI. You can do that, it does not matter. I believe my way is faster.
    >>

    I agree with you, the SK34098 says to launch a Web-UI that listens on port 18265, which for me never works/new firewall rule to allow that port on my management network.

    I use:

    cpca_client lscert

    to list all the VS CN names (need R65 HFA 50 or above, command does exist before that) but cpca_dbutil InternalCA works great as well. Thanks for the writeup, works great!

  2. The sk34098 (How to reset SIC on a VSX Gateway for a specific Virtual System) was modified
