tul0rjs
Checkpoint Policy Fails to install

I have an unusual problem, hopefully someone can help. Here is the problem: I am running two Nokia 440s with IPSO 3.6 and Checkpoint NG FP3, deployed in an HA cluster. The master receives the policy no problem and runs very well; the slave, however, has problems when you either push the policy or do a fetch on the policy. The error I receive when pushing is that there is not enough memory on the module (both have 256 MB). When I do a fetch I get one of two errors: "sic name does not match, management server refuses connection" or "failed to read database, probably module was never installed". The SIC has been checked and reset on a few occasions to try and rectify this problem. On the console screen of the module the following error appears during a push:
"FW-1 fwulr_patternfilter_load :failed to compile patterens to regular expression"
This box has been completely rebuilt from scratch as well with the same issues.
I know we are running an old IPSO version and old NG versions, but upgrading is not an option until the HA cluster is up and running.
Any help appreciated

tul0rjs
bloemkool1980

First of all, this has nothing to do with the versions.
I run NG FP3 and I just upgraded to the latest IPSO; before that I was on 3.6 too without any problems.
Are you sure your hardware is OK? Like a memory bar that is broken?
I had it once and that was because my system name was not the same as in the policy; this could lead to those problems. Also bind your hostname to the interface where you receive the policy.
This error message usually comes when there is not enough memory available (if you have upgraded from 4.1 to FP3 and not put in additional memory). 256 MB is the minimum, and I can see you write that both boxes have 256 MB. As bloemkool1980 suggests, I would check that the memory is OK on the box that fails to install.
tul0rjs (ASKER)

OK, from Voyager it is telling me that there is 256 MB RAM installed and shows no errors. Is there a way to test the memory to make sure it is OK?
Tim Holman
Memory is tested on bootup. However, have you got the correct pairing and parity memory?
A quickfire way of testing this is to swap all the memory from the working unit to the slave.
I've not seen these errors before, but when you say HA cluster, have you enabled clustering on the Nokia? Or are you going for a straightforward VRRP monitored circuits failover design?
Has the FW object on the management station picked up the correct version of NG?
It may help if you remove all references to the secondary firewall on the mgt server, push the policy, then create a new secondary firewall object.
tul0rjs (ASKER)

Tim,
I have tried swapping the memory from the current working box, with the same results. I don't think it's a hardware issue (although I may be wrong). The HA cluster is the straightforward VRRP monitored circuits failover design. When I first set these up on the mgt server it picked up the correct version of NG. Now I have even more problems: when I do a cpstop and start it now tells me that "I cannot locate my Network Object", and also cpha tells me that this machine is not part of a cluster, even though they are configured in a cluster object on the mgt station. The primary server has no problems accepting any policy I push to it and it is running fine; the only concern now is that I don't have a working failover if anything happens to the master FW. Also, when I do a retrieve on the products list from the module it fails to retrieve anything from the box. No logs are going to the mgt server either. The SIC is communicating fine and is established with a trust. And this box was rebuilt from scratch only last Friday. I really am at a loss here.
Has cpha been enabled (via cpconfig in IPSO) on both Nokias?
If you cannot locate 'my Network Object', then check these files on IPSO:

/etc/nodename
/etc/hosts

Also, verify the correct object definition on the mgt server.

Have you tried an fw sic_reset?

Do you have valid licenses for everything? Have you removed any old, invalid eval licenses?

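The /etc/nodename and /etc/hosts check above is easy to get wrong by eye when a box has been rebuilt several times, so here is a small POSIX sh function that automates it. This is an added example for this page, not code from the thread or from Nokia/Check Point: it assumes an IPSO-style nodename file whose first line is the host's own name, takes both file paths as parameters so it can be run against copies, and reports whether that name maps to exactly one address in the hosts file (missing or duplicated entries are the two cases that lead to a "cannot locate my Network Object" style mismatch). The function name `check_nodename_hosts` and the sample names and addresses in the demo are made up.

```shell
#!/bin/sh
# Added example, not part of the thread: check that the host's own name (first line
# of an IPSO-style /etc/nodename, an assumption about the format) has exactly one
# address entry in /etc/hosts. File paths are parameters so the check can be run
# against copies or against the constructed sample files built in demo().

# Usage: check_nodename_hosts <nodename_file> <hosts_file>
# Returns 0 when the name maps to exactly one address, 1 when it is missing,
# 2 when the nodename file is empty, 3 when the name appears under several addresses.
check_nodename_hosts() {
    nodename_file="$1"
    hosts_file="$2"

    # First line of the nodename file, with any stray whitespace or CR removed
    name=$(sed -n '1p' "$nodename_file" | tr -d '[:space:]')
    if [ -z "$name" ]; then
        echo "error: $nodename_file is empty"
        return 2
    fi

    # Collect the address column of every non-comment hosts line whose hostname or
    # alias fields contain the name as a whole word; a '#' ends the fields we inspect,
    # so trailing comments cannot produce a false match.
    addrs=$(awk -v n="$name" '
        $1 !~ /^#/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                if ($i == n) { print $1; break }
            }
        }' "$hosts_file")
    count=$(printf '%s\n' "$addrs" | sed '/^$/d' | wc -l | tr -d ' ')

    case "$count" in
        0) echo "FAIL: $name has no entry in $hosts_file"; return 1 ;;
        1) echo "OK: $name -> $addrs"; return 0 ;;
        *) echo "FAIL: $name appears under $count addresses in $hosts_file:"
           printf '%s\n' "$addrs"; return 3 ;;
    esac
}

# Demo on constructed sample files (names and addresses are made up for this example).
demo() {
    d=$(mktemp -d)
    printf 'fw-slave\n' > "$d/nodename"
    cat > "$d/hosts" <<'EOF'
# constructed sample hosts file
127.0.0.1      localhost
192.168.1.1    fw-master
192.168.1.2    fw-slave fw-slave.example.net   # the module's own name
EOF
    check_nodename_hosts "$d/nodename" "$d/hosts"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

Run it against the real files with `check_nodename_hosts /etc/nodename /etc/hosts`; a non-zero return code is the cue to fix the hosts entry before touching SIC again, since the name here must also match the firewall object name defined on the management server.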
tul0rjs (ASKER)

Tim,

Thanks for the comments. I have checked the relevant files and they do exist and contain the correct data; also cpha has been enabled on both Nokias. When cpha starts it says the cluster object "fwkdebug_register: module cluster already registered" then it returns a "fwha_kdebug_register: fwkdebug_register failed". I have also tried SIC resets on numerous occasions; I can get the SIC established and trusted no problem. Do you think this is a hardware problem?
From the FP3 release notes:

http://www.allasso.fr/base/docs/11033396526.pdf

The following error messages may appear on the console when enabling or disabling the
ClusterXL or State synchronization from cpconfig.
FireWall-1: fwkdebug_register: module cluster already registered
FireWall-1: fwha_kdebug_register: fwkdebug_register failed
These messages may be safely ignored.

Are you sure there's nothing silly like a duplicate IP or MAC address?
tul0rjs (ASKER)

Tim,

Checked everywhere for duplicate IP and MAC addresses, none that I could find. This is really a weird problem; logic says that it should be working fine. Really hitting the wall with this one. I am going to try a different box tonight to rule out hardware problems. If I still have an issue then I don't know what else to try.
Does the hostname resolve properly from the management server?
You could try separating this out. Give the problem firewall a different IP address, install it as a primary firewall and check you can push a policy to it?
If you're doing VRRP, make sure you've defined Proxy ARPs properly and are not gratuitously ARPing incorrect information. Also, if attached to an STP switch, make sure the switch is not looping or forwarding packets out of the wrong ports.
Is your mgt server running FP3? Do you have a separate mgt server running on Windows, and then the 2 Nokia boxes?
tul0rjs (ASKER)

Tim,

Yes, the management server is running on Windows and is running NG AI, as there are other firewalls in different locations managed by this server. The licenses I have are for a cluster, so I don't know if I can install this as a different primary firewall without impacting the other. The switch that the firewall is connected to is a Cisco switch; I have checked the config and everything is OK. I will have a look at the ARPing and name resolution and let you know how I get on. Many thanks for all the help.
ASKER CERTIFIED SOLUTION
Tim Holman