Question

Load on Module failed - failed to load Security Policy

Asked by: DesCaffreys

Checkpoint VPN-1 & Firewall-1 NGX (R65) Build 427

Hi,

Following a power failure my Checkpoint firewall running on Windows 2000 Server SP4 is refusing to push a policy.  The rulebase in SmartDashboard looks intact, but when I try to push the policy the push fails.  The 'Verify Policy' confirms all OK, but the push fails on the Advanced Security policy push.

The Desktop Security policy pushes OK, but the push ends with errors;

SYMPTOM 1
Advanced Security - Installation failed. Reason: Load on Module failed - failed to load Security Policy

SYMPTOM 2
On opening SmartView Tracker I get an error
' Failed to read record no 1'

SYMPTOM 3
On opening SmartView Monitor it reports
SmartCenter - Error: SmartCenter CA is not running
Firewall - Error: The security policy is not installed on rar_fw1
VPN - Up but nothing running
SecureClient Policy Server - Error: Policy Server is down

SYMPTOM 4
cpstop and cpstart both report success when tried.

SYMPTOM 5
'fw stat' now shows no policy installed

SYMPTOM 6
'fw fetch rar_fw1' now shows
'Users Database is lost: unable to reload

Failed to read database.
Probably module was never loaded'

SYMPTOM 7
I tried to 'Install Database' in the policy menu.  It reported success but still unable to push policy correctly.

SYMPTOM 8
I tried to perform an upgrade_export to get a current copy of the firewall using the following command;

upgrade_export CPFW_NGXR65_11JAN08

But I got,
Checking the existence of necessary files...
Copying files to temp dir...
Error: Failed to copy files to temporary directory

SYMPTOM 9
A complete reboot has no effect.


Any help would be most appreciated as I have about 30 people looking at walls at the moment.
Thanks

 

This question has been solved and asker verified.

Asked on: 2008-01-11 at 06:47:32, ID: 23075724

Tags: Checkpoint, VPN-1 & Firewall-1, NGX (R65) Build 427

Topics: Checkpoint Firewall, Enterprise Firewalls

Participating Experts
1
Points
500
Comments
11

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Checkpoint FW with Win2k Radius authentication
    Hi Experts We have the following requirement , We need to authenticate our VPN client (which are using Checkpoint Secure client) to get authenticated by RADIUS server. Has anyone already have this setup. If yes then please give a step - by step procedure of how to s...
  2. Checkpoint Express Gateway to Gateway IPSEC VPN
    I am attempting to configure Checkpoint Express Gateway to Gateway IPSEC VPN with the following parameters: - Both sites are using Checkpoint (Local: Checkpoint Express NG, remote: Checkpoint Firewall1/VPN1 4.1) - Remote Gateway must be configured as an Interoperable devi...
  3. Checkpoint Policy Fails to install
    I am an unusual problem, hopefully some one can help , here is the problem, i am running two Nokia 440 with ipso 3.6 and Checkpoint NG FP 3, these are deployed in a HA cluster, the master recievies the policy no problem an runs very well, the slave however has problems when u...
  4. Checkpoint FW ipv6-crypt packets being dropped
    We're running a Checkpoint firewall, and are running into a problem accessing our internal VPN server from outside our network. I've setup a rule allowing several ports access already, and some stations work fine when connecting to the VPN. Other stations will not connect t...
  5. Checkpoint FW NGX
    Hello all I have been tasked with the setup of a new checkpoint FW NGX in a VMware enviroment. The FW was install and the IP address is 10.56.1.220 We currently had a working FW, but the plan is to move the rule base to the new VMware FW. I can connect to the VMware FW no ...
  6. Checkpoint FW stops allowing traffic to flow
    Running a Checkpoint FW version R55 on a Windows 2000 SP4 server. Tonight the FW stopped allowing traffic to flow and the only messages I had in the system log were Event ID 1 Source FW1 that says: fwconn_chain_get_something: fwconn_chain_lookup failed (5). A reboot was a tem...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: DesCaffreys, posted on 2008-01-11 at 10:53:51, ID: 20638989

Some additional info;

I tried to rename $FWDIR\conf\InternalCA_bak.NDB to InternalCA.NDB. Swapping this file in made no difference so I reverted.

Also I tried an upgrade_export using the -d option and got the following amongst the output

Copying files to temp dir...
[ 868 1856]@[11 Jan 19:43:20] CopyDirToTempDir: Warning >> C:\WINNT\FW1\R65\fw1\conf points to C:\WINNT\FW1\R65\fw1\conf\InternalCA_RECOVERY.NDB232, which does not exist.  It might be a problem!

A candidate for 'Understatement of the year' I think, 'It might be a problem' indeed!

Still no further but will continue trying things,
 

 

by: grimkin, posted on 2008-01-12 at 05:07:18, ID: 20643654

Hi Des,

Culprit is most probably file corruption following the power cut. Do you have a backup of this machine? Or an earlier upgrade_export? If so, then the most reliable way to proceed would be to restore it. If you have an upgrade_export I would seriously consider building a new Secure Platform machine and replacing the Windows box as Windows is not the greatest Checkpoint platform.

You could also try renaming the objects5_0.C file (or similar, I forget the exact name) with a backed up version but this would be seriously last-resort stuff and I would rather spend the time rebuilding.

Please let me know what your backup status etc is,

Cheers

 

by: DesCaffreys, posted on 2008-01-12 at 05:19:23, ID: 20643677

Hi grimkin,

I'm currently building a separate box to attempt a restore using an upgrade_export from June.

So far I configured the Dell PowerEdge 2400 with RAID 1.  I've installed Windows 2000 Server SP4 and just completed all Windows updates (0 outstanding).  Just after that I installed Dell OpenManage and was just now considering starting the Checkpoint install.

However, I'm apprehensive about the install process.  I have an upgrade_export dump but have never tried an install before.

 

by: DesCaffreys, posted on 2008-01-12 at 06:21:02, ID: 20643830

Additional info;

Just in the process of checkpoint install.

Just finished install.

Tried to open Smartview Tracker, cannot connect (tried both internal and external addresses) error as follows;  

'Connection cannot be initiated.
Please make sure that the Server '192.168.0.4' is up and running and that you are defined as a GUI Client'

Then tried to start Checkpoint Configuration and getting error as follows;

cpconfig.exe - Entry Point Not Found
'The procedure entry point ??_U@YAPAXI@Z could not be located in the dynamic link library MSVCRT.dll'

HELP!

PS. I've added the external IP to the hosts file as was the case on the previous computer.

Cheers

 

by: DesCaffreys, posted on 2008-01-12 at 06:46:44, ID: 20643939

Update;

Working on updating MSVCRT.DLL currently version 6.0.8337.0, found 6.1.9844.0 in dllcache so going to try and copy newer version in.

 

by: DesCaffreys, posted on 2008-01-12 at 08:15:27, ID: 20644347

Update;

OK, started 2000 recovery console and copied new msvcrt.dll into c:\winnt\system32.  Now the computer is booting without the above errors.

I can now get into the Checkpoint configuration tool but I'm unable to open SmartDashboard.

Error as follows;
'Connection cannot be initiated.
Please make sure that the Server '192.168.0.4' is up and running and that you are defined as a GUI client'


By the way, the firewall is completely contained on one computer, i.e. enforcement module and GUI.

Also;
entries in Checkpoint Configuration Tool tabs appear the same as the original firewall.
CA is Initialized,
Fingerprint is identical

Any ideas?


 

by: DesCaffreys, posted on 2008-01-12 at 08:52:31, ID: 20644486

Update;

According to the manual, if the enforcement module and console reside on the same computer, you don't have to define a permitted remote host in the Check Point configuration tool, or something to that effect.

I'm still having the same initiation problem as above.

I've checked what's listening on the computer and see using netstat -a that there is no port 18190 listening.  There is listening on 18191, 18192, 18196 but not 18190 as the Checkpoint usercenter document states.

I tried fwm unload local, but I get the following error;

'The requested command can not be run because this station is not configured. Aborting.'

I tried adding the external, internal and loopback addresses to the permitted remote hosts list but to no effect. I've also tried connecting SmartDashboard to these addresses.

still stuck
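
The listener check described in the post above, as an added example that is not part of the original thread: it parses Windows `netstat -an` output and reports which of the ports named in the post have no TCP listener. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Ports taken from the post above: 18190 is the one the poster expected to be
# listening; 18191, 18192 and 18196 are the ones that were.
EXPECTED_PORTS = (18190, 18191, 18192, 18196)

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:18191          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:18192          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:18196          0.0.0.0:0              LISTENING
  TCP    192.168.0.4:1045       192.168.0.4:18190      SYN_SENT
  UDP    0.0.0.0:18190          *:*
"""

# proto, local address, foreign address, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, _foreign, state = m.groups()
        if proto.upper() != "TCP" or (state or "").upper() != "LISTENING":
            # Skips UDP rows and outbound attempts such as the SYN_SENT row,
            # where 18190 appears only as the *foreign* port.
            continue
        # rsplit keeps working for host names and bracketed IPv6 addresses.
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():  # plain `netstat -a` may print service names
            ports.add(int(port))
    return ports


def missing_listeners(netstat_text, expected=EXPECTED_PORTS):
    """Return the expected ports that have no TCP listener, in order."""
    listening = listening_tcp_ports(netstat_text)
    return [p for p in expected if p not in listening]


if __name__ == "__main__":
    for port in missing_listeners(SAMPLE_NETSTAT):
        print(f"no TCP listener on port {port}")
```

Feed it the output of `netstat -an` rather than `netstat -a`, so addresses and ports stay numeric.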


 

by: grimkin, posted on 2008-01-12 at 10:55:36, ID: 20644886

Hi Des,

Which version of CP were you running when you took the upgrade_export? Was it R65? If not then you may need to build a box running the older version and import it into that; you could then re-export it so that it would be compatible with R65.

 

by: DesCaffreys, posted on 2008-01-12 at 11:07:45, ID: 20644932

Grimkin,

thanks again for your help.

The CP versions are the same, NGX R65.

I noticed earlier that the Check Point Firewall-1 service was set to manual startup so I've now set it to automatic, but still no joy.

fw stat currently shows;

localhost InitialPolicy 12Jan2008 19:01:49 :  [EL98x2]

Still stuck with initiation problem

cheers

 

by: DesCaffreys, posted on 2008-01-13 at 15:52:11, ID: 20649913

Grimkin,

In relation to the original problem, corrupted database, I've decided (pushed by pressure to get back on the net), to go for your idea of a restored upgrade_export from June 07.  I'll have to play catch up on the rulebase, but email is critical to the client. Thankfully, my backup MX has been shouldering the burden since Friday.

In relation to the unexplained inability to connect to the console on the second firewall after a new install, that can be explained by the MSVCRT.DLL problem.  It appears that after rebooting the second firewall after the 'install using saved configuration', the DLL error just happened to appear, probably caused by some of the RAID or management related software I had installed prior to Check Point.  However, timing was everything, because when the initial Checkpoint configuration screen tried to display on reboot the DLL was wrong.  Therefore because I was unaware of the fact that this configuration program was due to appear, I didn't necessarily associate the fact that it was the Check Point configuration that was triggering the DLL error, while not in fact being responsible for it. So once the DLL issue had been dealt with (as above), I was able to uninstall and reinstall Check Point and go through the initial configuration dialog which subsequently allowed me into Dashboard.

So basically I then took a risk and uninstalled the CP software from the original box and reinstalled.  The firewall is up and mail is flowing.

I have learned a thing or two about the install (albeit with saved configuration) and I am not quite so intimidated.  The whole licensing area frightened me, but the 'saved configuration' saved me this pain.  We have also now decided that the second box will be used as a 'cold' standby, which leads me to another question.

If you get a moment I would very much appreciate your opinion over at

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Checkpoint_Firewall/Q_23079090.html

Cheers and thanks again for your help.
 


 

by: grimkin, posted on 2008-01-13 at 16:07:18, ID: 20649950

Hi Des,

Glad you got it sorted. If you get the chance, give Secure Platform a looking at - it's a Linux distro by Checkpoint, very stable and very quick to get up and running or repair. I'll take a look at your other Q now,

Cheers
Ben
