Checkpoint Policy Fails to install

Posted on 2004-08-27
Last Modified: 2013-11-16
I have an unusual problem; hopefully someone can help. Here is the problem: I am running two Nokia 440s with IPSO 3.6 and Check Point NG FP3, deployed in an HA cluster. The master receives the policy with no problem and runs very well; the slave, however, has problems when you either push the policy or do a fetch of the policy. The error I receive when pushing is that there is not enough memory on the module (both have 256 MB). When I do a fetch I get one of two errors: "SIC name does not match, management server refuses connection" or "failed to read database, probably module was never installed". The SIC has been checked and reset on a few occasions to try and rectify this problem. On the console screen of the module the following error appears during a push:
"FW-1 fwulr_patternfilter_load :failed to compile patterens to regular expression"
This box has also been completely rebuilt from scratch, with the same issues.
I know we are running an old IPSO version and old NG versions, but upgrading is not an option until the HA cluster is up and running.
Any help appreciated.

Question by:tul0rjs

Expert Comment

ID: 11913036
First of all, this has nothing to do with the versions.
I run NG FP3 and I just upgraded to the latest IPSO; before that I was on 3.6 too without any problems.
Are you sure your hardware is OK? Like a broken memory module?
I had it once and that was because my system name was not the same as in the policy; this could lead to those problems. Also bind your hostname to the interface where you receive the policy.
LVL 18

Expert Comment

ID: 11922718
This error message usually comes when there is not enough memory available (if you have upgraded from 4.1 to FP3 and not put in additional memory). 256 MB is the minimum, and I can see you write that both boxes have 256 MB. As bloemkool1980 suggests, I would check that the memory is OK on the box that fails to install.

Author Comment

ID: 11926321
OK, Voyager is telling me that there is 256 MB RAM installed and shows no errors. Is there a way to test the memory to make sure it is OK?

LVL 23

Expert Comment

by:Tim Holman
ID: 11931098
Memory is tested on boot-up. However, have you got the correct pairing and parity memory?
A quickfire way of testing this is to swap all the memory from the working unit to the slave.
I've not seen these errors before, but when you say HA cluster, have you enabled clustering on the Nokia? Or are you going for a straightforward VRRP monitored-circuits failover design?
Has the FW object on the management station picked up the correct version of NG?
It may help if you remove all references to the secondary firewall on the mgt server, push the policy, then create a new secondary firewall object.

Author Comment

ID: 11931443
I have tried swapping the memory from the current working box, with the same results. I don't think it's a hardware issue (although I may be wrong). The HA cluster is the straightforward VRRP monitored-circuits failover design. When I first set these up on the mgt server it picked up the correct version of NG. Now I have even more problems: when I do a cpstop and cpstart it now tells me that "I cannot locate my Network Object", and also cpha tells me that this machine is not part of a cluster, even though they are configured in a cluster object on the mgt station. The primary server has no problems accepting any policy I push to it and it is running fine; my only concern now is that I don't have a working failover if anything happens to the master FW. Also, when I do a retrieve of the products list from the module it fails to retrieve anything from the box. No logs are going to the mgt server either. The SIC is communicating fine and is established with a trust. And this box was rebuilt from scratch only last Friday. I really am at a loss here.
LVL 23

Expert Comment

by:Tim Holman
ID: 11934212
Has cpha been enabled (via cpconfig in IPSO) on both Nokias?
If you cannot locate 'my Network Object', then check these files on IPSO -


Also, verify the correct object definition on the mgt server.

Have you tried an fw sic_reset?

Do you have valid licenses for everything? Have you removed any old, invalid eval licenses?


Author Comment

ID: 11939754

Thanks for the comments. I have checked the relevant files and they do exist and contain the correct data; also, cpha has been enabled on both Nokias. When cpha starts it says, for the cluster object, "fwkdebug_register: module cluster already registered", then it returns a "fwha_kdebug_register: fwkdebug_register failed". I have also tried SIC resets on numerous occasions; I can get the SIC established and trusted now. Do you think this is a hardware problem?
LVL 23

Expert Comment

by:Tim Holman
ID: 11950158
From the FP3 release notes:

The following error messages may appear on the console when enabling or disabling the
ClusterXL or State synchronization from cpconfig.
FireWall-1: fwkdebug_register: module cluster already registered
FireWall-1: fwha_kdebug_register: fwkdebug_register failed
These messages may be safely ignored.

Are you sure there's nothing silly like a duplicate IP or MAC address?
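The duplicate-MAC check suggested above can be automated against the module's ARP table. This is an added example, not code from the thread or from Nokia/Check Point: it reads BSD-style `arp -an` lines (the layout IPSO prints is assumed; the sample IPs, MACs and the interface name `eth-s1p1c0` are constructed) and lists every MAC that is claimed by more than one IP.

```shell
#!/bin/sh
# Added example (not from the thread): flag MAC addresses that appear against
# more than one IP in a BSD-style "arp -an" listing.
# Constructed sample; the IPs, MACs and the interface name are made up.
# The last line shows the VRRP virtual MAC (00:00:5e:00:01:xx) against the
# virtual IP only, which is the expected state.
SAMPLE_ARP='? (192.0.2.1) at 00:a0:8e:aa:bb:01 on eth-s1p1c0
? (192.0.2.2) at 00:a0:8e:aa:bb:02 on eth-s1p1c0
? (192.0.2.3) at 00:a0:8e:aa:bb:01 on eth-s1p1c0
? (192.0.2.254) at 00:00:5e:00:01:05 on eth-s1p1c0'

# dup_macs: read arp lines on stdin, print "MAC: ip ip ..." for each MAC
# that maps to more than one IP. Prints nothing if the table is clean.
dup_macs() {
    awk '
    # "? (ip) at mac on ifname": field 2 is the IP in parentheses, 4 the MAC
    $3 == "at" && $4 ~ /^[0-9a-fA-F:]+$/ && length($4) == 17 {
        ip = $2; gsub(/[()]/, "", ip)
        mac = tolower($4)
        if (seen[mac] == "") { seen[mac] = ip } else { seen[mac] = seen[mac] " " ip }
        n[mac]++
    }
    END { for (m in n) if (n[m] > 1) print m ": " seen[m] }' | sort
}

# dup_count: number of MACs shared by more than one IP (0 means clean).
dup_count() {
    dup_macs | wc -l | tr -d ' '
}

# Stand-alone run: list the offenders in the constructed sample.
printf '%s\n' "$SAMPLE_ARP" | dup_macs
```

On a real module, pipe `arp -an` into `dup_macs` instead of the sample. A hit is a lead, not proof of a fault: an interface carrying several addresses legitimately shares one MAC, whereas the VRRP virtual MAC should be seen only against the virtual IP and a physical MAC answering for an address it does not own points at the proxy ARP or gratuitous ARP issues mentioned later in the thread.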

Author Comment

ID: 11951388

Checked everywhere for duplicate IP and MAC addresses; none that I could find. This is really a weird problem; logic says that it should be working fine. Really hitting the wall with this one. I am going to try a different box tonight to rule out hardware problems. If I still have an issue then I don't know what else to try.
LVL 23

Expert Comment

by:Tim Holman
ID: 11951493
Does the hostname resolve properly from the management server?
You could try separating this out. Give the problem firewall a different IP address, install it as a primary firewall and check whether you can push a policy to it.
If you're doing VRRP, make sure you've defined proxy ARPs properly and are not gratuitously ARPing incorrect information. Also, if attached to an STP switch, make sure the switch is not looping or forwarding packets out of the wrong ports.
Is your mgt server running FP3? Do you have a separate mgt server running on Windows, and then the 2 Nokia boxes?

Author Comment

ID: 11951646

Yes, the management server is running on Windows and is running NG AI, as there are other firewalls in different locations managed by this server. The licenses I have are for a cluster, so I don't know if I can install this as a different primary firewall without impacting the other. The switch that the firewall is connected to is a Cisco switch; I have checked the config and everything is OK. I will have a look at the ARPing and name resolution and let you know how I get on. Many thanks for all the help.
LVL 23

Accepted Solution

Tim Holman earned 500 total points
ID: 11952163
Does fw stat on the 2nd firewall actually list any installed policies?
If default is there, try unloading it (fw unload default) before fetching a policy.
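The accepted answer boils down to a check-then-act sequence: read what `fw stat` reports as the loaded policy, and only if it is the boot-time default filter (or the initial policy installed by cpconfig) run `fw unload default` before `fw fetch`. The script below is an added example, not Check Point's code or anything posted in the thread. It assumes the HOST/POLICY/DATE column layout that `fw stat` prints; the sample outputs, the interface name and the management host name `mgmt.example.net` are constructed placeholders. It only prints the commands it would run, so it can be read and tested without touching a module.

```shell
#!/bin/sh
# Added example (not Check Point's or the thread's own code): decide from
# "fw stat" output whether the default filter is loaded on a module and, if so,
# plan "fw unload default" before the fetch.
# Column layout is assumed; these sample outputs are constructed.
SAMPLE_DEFAULT='HOST      POLICY        DATE
localhost defaultfilter 27Aug2004 09:12:31 :  [>eth-s1p1c0] [<eth-s1p1c0]'
SAMPLE_STANDARD='HOST      POLICY   DATE
localhost Standard 27Aug2004 09:12:31 :  [>eth-s1p1c0] [<eth-s1p1c0]'
SAMPLE_NONE='HOST      POLICY DATE
localhost -      -'

# policy_name: print the POLICY column of the first data line on stdin
# ("-" when nothing is loaded).
policy_name() {
    awk 'NR > 1 && NF >= 2 { print $2; exit }'
}

# needs_unload: exit 0 when the loaded policy is the boot-time default filter
# or the cpconfig initial policy, which block a fetch until unloaded.
needs_unload() {
    case "$(policy_name)" in
        defaultfilter|InitialPolicy) return 0 ;;
        *) return 1 ;;
    esac
}

# fetch_plan MGMT: print, in order, the commands to run on the module given
# fw stat output on stdin. Prints only; nothing is executed here.
fetch_plan() {
    mgmt="$1"
    if needs_unload; then
        echo "fw unload default"
    fi
    echo "fw fetch $mgmt"
}

# Stand-alone run against the constructed "default filter loaded" sample.
printf '%s\n' "$SAMPLE_DEFAULT" | fetch_plan mgmt.example.net
```

On the slave itself you would feed real output in with `fw stat | fetch_plan <mgmt-host>` and then run the printed commands by hand; keeping the decision separate from the execution makes it easy to see why the unload step was (or was not) chosen. Note that `fw unload default` leaves the module with no policy loaded until the fetch succeeds, so do it from the console or an interface that the default filter was not protecting your session on.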
