Solved

Checkpoint Policy Fails to install

Posted on 2004-08-27
12
3,025 Views
Last Modified: 2013-11-16
I have an unusual problem, hopefully someone can help. Here is the problem: I am running two Nokia 440s with IPSO 3.6 and Checkpoint NG FP3, deployed in an HA cluster. The master receives the policy no problem and runs very well; the slave however has problems when you either push the policy or do a fetch on the policy. The error I receive when pushing is that there is not enough memory on the module (both have 256 MB). When I do a fetch I get one of two errors: "sic name does not match, management server refuses connection" or "failed to read database, probably module was never installed". The SIC has been checked and reset on a few occasions to try and rectify this problem. On the console screen of the module the following error appears during a push:
"FW-1 fwulr_patternfilter_load :failed to compile patterens to regular expression"
This box has been completely rebuilt from scratch as well with the same issues.
I know we are running an old IPSO version and old NG versions, but upgrading is not an option until the HA cluster is up and running.
Any help appreciated

tul0rjs
0
Comment
Question by:tul0rjs
12 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
First of all, this has nothing to do with the versions.
I run NG FP3 and I just upgraded to the latest IPSO; before that I was on 3.6 too without any problems.
Are you sure your hardware is OK? Like a memory module that is broken?
I had it once and that was because my system name was not the same as in the policy this could lead to those problems. Also bind your hostname to the interface where you receive the policy.
0
 
LVL 18

Expert Comment

by:larstr
This error message usually comes when there is not enough memory available (if you have upgraded from 4.1 to FP3 and not put in additional memory). 256 MB is the minimum, and I can see you write that both boxes have 256 MB. As bloemkool1980 suggests, I would check that the memory is OK on the box that fails to install.
0
 

Author Comment

by:tul0rjs
OK, from Voyager it is telling me that there is 256 MB RAM installed and shows no errors. Is there a way to test the memory to make sure it is OK?
0
 
LVL 23

Expert Comment

by:Tim Holman
Memory is tested on bootup. However, have you got the correct pairing and parity memory?
A quickfire way of testing this is to swap all the memory from the working unit to the slave.
I've not seen these errors before, but when you say HA cluster, have you enabled clustering on the Nokia? Or are you going for a straightforward VRRP monitored circuits failover design?
Has the FW object on the management station picked up the correct version of NG ?
It may help if you remove all references to the secondary firewall on the mgt server, push the policy, then create a new secondary firewall object.
0
 

Author Comment

by:tul0rjs
Tim,
I have tried swapping the memory from the current working box, with the same results. I don't think it's a hardware issue (although I may be wrong). The HA cluster is the straightforward VRRP monitored circuits failover design. When I first set these up on the mgt server it picked up the correct version of NG. Now I have even more problems: when I do a cpstop and start it now tells me that "i cannot located my Network Object"; also cpha tells me that this machine is not part of a cluster, even though they are configured in a cluster object on the mgt station. The primary server has no problems accepting any policy I push to it and it is running fine; the only concern now is that I don't have a working failover if anything happens to the master FW. Also when I do a retrieve on the products list from the module it fails to retrieve anything from the box. No logs are going to the mgt server either. The SIC is communicating fine and is established with a trust. And this box was rebuilt from scratch only last Friday. I really am at a loss here.
0
 
LVL 23

Expert Comment

by:Tim Holman
Has cpha been enabled (via cpconfig in IPSO) on both Nokias?
If you cannot locate 'my Network Object', then check these files on IPSO:

/etc/nodename
/etc/hosts

Also, verify the correct object definition on the mgt server.

Have you tried an fw sic_reset?

Do you have valid licenses for everything? Have you removed any old, invalid eval licenses?

0

Author Comment

by:tul0rjs
Tim,

Thanks for the comments. I have checked the relevant files and they do exist and contain the correct data; also cpha has been enabled on both Nokias. When cpha starts it says the cluster object "fwkdebug_register: module cluster already registered", then it returns a "fwha_kdebug_register: fwkdebug_register failed". I have also tried SIC resets on numerous occasions; I can get the SIC established and trusted no problem. Do you think this is a hardware problem?
0
 
LVL 23

Expert Comment

by:Tim Holman
From the FP3 release notes:

http://www.allasso.fr/base/docs/11033396526.pdf

The following error messages may appear on the console when enabling or disabling the
ClusterXL or State synchronization from cpconfig.
FireWall-1: fwkdebug_register: module cluster already registered
FireWall-1: fwha_kdebug_register: fwkdebug_register failed
These messages may be safely ignored.

Are you sure there's nothing silly like a duplicate IP or MAC address?
0
 

Author Comment

by:tul0rjs
Tim,

Checked everywhere for duplicate IP and MAC addresses, none that I could find. This is really a weird problem; logic says that it should be working fine. Really hitting the wall with this one. I am going to try a different box tonight to rule out hardware problems. If I still have an issue then I don't know what else to try.
0
 
LVL 23

Expert Comment

by:Tim Holman
Does the hostname resolve properly from the management server?
You could try separating this out. Give the problem firewall a different IP address, install it as a primary firewall and check you can push a policy to it.
If you're doing VRRP, make sure you've defined Proxy ARPs properly and are not gratuitously ARPing incorrect information. Also, if attached to an STP switch, make sure the switch is not looping or forwarding packets out of the wrong ports.
Is your mgt server running FP3? Do you have a separate mgt server running on Windows, and then the 2 Nokia boxes?
0
 

Author Comment

by:tul0rjs
Tim,

Yes, the management server is running on Windows and is running NG AI, as there are other firewalls in different locations managed by this server. The licenses I have are for a cluster, so I don't know if I can install this as a different primary firewall without impacting the other. The switch that the firewall is connected to is a Cisco switch; I have checked the config and everything is OK. I will have a look at the ARPing and name resolution and let you know how I get on. Many thanks for all the help.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
Does fw stat on the 2nd firewall actually list any installed policies?
If default is there, try unloading it (fw unload default) before fetching a policy.
0
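The two checks the thread keeps coming back to, the node name being bound to the right address in /etc/nodename and /etc/hosts, and whether `fw stat` shows only the default policy, are easy to get wrong by eye on a box that has been rebuilt several times. The script below is an added example (not code from this thread, Check Point or Nokia) that scripts both checks against files, so it can be run offline here and pointed at the real files and saved `fw stat` output on a live IPSO module. The host names and addresses are constructed, and the `fw stat` column layout and the policy names treated as "nothing real loaded" (`default`, `defaultfilter`, `InitialPolicy`) are assumptions about that version's output.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point/Nokia.
# Scriptable versions of two manual checks: is the node name bound to the
# management-facing IP in /etc/hosts, and does `fw stat` show only a default
# policy that should be unloaded before fetching.

# Return 0 if the name in NODENAME_FILE appears (as name or name.domain) on the
# /etc/hosts line for WANT_IP, 1 otherwise. Comments in hosts are ignored.
nodename_bound_to_ip() {
    nodename_file=$1; hosts_file=$2; want_ip=$3
    name=$(sed -n '1p' "$nodename_file" | tr -d '[:space:]')
    [ -n "$name" ] || return 1
    sed 's/#.*//' "$hosts_file" | awk -v ip="$want_ip" -v n="$name" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == n || index($i, n ".") == 1) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the policy name from saved `fw stat` output (assumed layout: header
# line, then "HOST POLICY DATE ..." rows); prints nothing if no rows.
loaded_policy() {
    awk 'NR > 1 && NF >= 2 { print $2; exit }' "$1"
}

# Return 0 if the loaded policy is only a default/initial one (assumed names)
# or none at all, i.e. `fw unload` is worth trying before a fetch; 1 otherwise.
needs_unload() {
    p=$(loaded_policy "$1")
    case "$p" in
        ""|-|default|defaultfilter|InitialPolicy) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs in a temporary directory so this runs offline.
SAMPLE_DIR=$(mktemp -d)
printf 'fw-slave\n' > "$SAMPLE_DIR/nodename"
cat > "$SAMPLE_DIR/hosts" <<'EOF'
127.0.0.1   localhost
192.0.2.2   fw-slave.example.net fw-slave   # management-facing interface (made up)
192.0.2.1   fw-master.example.net fw-master
EOF
cat > "$SAMPLE_DIR/fwstat_default" <<'EOF'
HOST      POLICY   DATE
localhost InitialPolicy 27Aug2004 09:12:01 :  [>eth-s1p1c0] [<eth-s1p1c0]
EOF
cat > "$SAMPLE_DIR/fwstat_ok" <<'EOF'
HOST      POLICY   DATE
localhost Standard 27Aug2004 10:17:22 :  [>eth-s1p1c0] [<eth-s1p1c0]
EOF

# Usage: run the checks on the samples and print a verdict for each.
if nodename_bound_to_ip "$SAMPLE_DIR/nodename" "$SAMPLE_DIR/hosts" 192.0.2.2; then
    echo "nodename is bound to the management interface IP"
else
    echo "WARNING: nodename not listed for that IP in hosts (SIC name mismatch risk)"
fi
for f in fwstat_default fwstat_ok; do
    if needs_unload "$SAMPLE_DIR/$f"; then
        echo "$f: policy '$(loaded_policy "$SAMPLE_DIR/$f")' -> run 'fw unload' before fetching"
    else
        echo "$f: policy '$(loaded_policy "$SAMPLE_DIR/$f")' is loaded, no unload needed"
    fi
done
```

On a real module, replace the sample paths with /etc/nodename, /etc/hosts and a file holding `fw stat` output; the IP argument should be the address of the interface the management server reaches, since that is the name SIC and the policy fetch compare against.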