Checkpoint Policy Fails to install (Solved)

Posted on 2004-08-27
Last Modified: 2013-11-16
I have an unusual problem, hopefully someone can help. Here is the problem: I am running two Nokia 440s with IPSO 3.6 and Checkpoint NG FP3, deployed in an HA cluster. The master receives the policy no problem and runs very well; the slave, however, has problems when you either push the policy or do a fetch on the policy. The error I receive when pushing is that there is not enough memory on the module (both have 256 MB). When I do a fetch I get one of two errors: sic name does not match, management server refuses connection, or failed to read database, probably module was never installed. The SIC has been checked and reset on a few occasions to try and rectify this problem. On the console screen of the module the following error appears during a push:
"FW-1 fwulr_patternfilter_load :failed to compile patterens to regular expression"
This box has been completely rebuilt from scratch as well, with the same issues.
I know we are running an old IPSO version and old NG versions, but upgrading is not an option until the HA cluster is up and running.
Any help appreciated.

Question by: tul0rjs
12 Comments
 
Expert Comment by: bloemkool1980 (LVL 6)
ID: 11913036
First of all, this has nothing to do with the versions.
I run NG FP3 and I just upgraded to the latest IPSO; before that I was on 3.6 too without any problems.
Are you sure your hardware is OK? Like a memory module that is broken?
I had it once and that was because my system name was not the same as in the policy; this could lead to those problems. Also bind your hostname to the interface where you receive the policy.

Expert Comment by: larstr (LVL 18)
ID: 11922718
This error message usually comes when there is not enough memory available (if you have upgraded from 4.1 to FP3 and not put in additional memory). 256 MB is the minimum, and I can see you write that both boxes have 256 MB. As bloemkool1980 suggests, I would check that the memory is OK on the box that fails to install.

Author Comment by: tul0rjs
ID: 11926321
OK, from Voyager it is telling me that there is 256 MB RAM installed and shows no errors. Is there a way to test the memory to make sure it is OK?

Expert Comment by: Tim Holman (LVL 23)
ID: 11931098
Memory is tested on bootup. However, have you got the correct pairing and parity memory?
A quickfire way of testing this is to swap all the memory from the working unit to the slave.
I've not seen these errors before, but when you say HA cluster, have you enabled clustering on the Nokia? Or are you going for a straightforward VRRP monitored circuits failover design?
Has the FW object on the management station picked up the correct version of NG?
It may help if you remove all references to the secondary firewall on the mgt server, push the policy, then create a new secondary firewall object.

Author Comment by: tul0rjs
ID: 11931443
Tim,
I have tried swapping the memory from the current working box, with the same results. I don't think it's a hardware issue (although I may be wrong). The HA cluster is the straightforward VRRP monitored circuits failover design. When I first set these up on the mgt server it picked up the correct version of NG. Now I have even more problems: when I do a cpstop and start it now tells me that "I cannot locate my Network Object"; also cpha tells me that this machine is not part of a cluster, even though they are configured in a cluster object on the mgt station. The primary server has no problems accepting any policy I push to it and it is running fine; the only concern now is that I don't have a working failover if anything happens to the master fw. Also when I do a retrieve on the products list from the module it fails to retrieve anything from the box. No logs are going to the mgt server either. The SIC is communicating fine and is established with a trust. And this box was rebuilt from scratch only last Friday. I really am at a loss here.

Expert Comment by: Tim Holman (LVL 23)
ID: 11934212
Has cpha been enabled (via cpconfig in IPSO) on both Nokias?
If you cannot locate 'my Network Object', then check these files on IPSO:

/etc/nodename
/etc/hosts

Also, verify the correct object definition on the mgt server.

Have you tried an fw sic_reset?

Do you have valid licenses for everything? Have you removed any old, invalid eval licenses?
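
A scripted version of the /etc/nodename versus /etc/hosts check suggested above, added here as an example; it is not from the thread and not a Check Point or Nokia tool. It confirms that the IPSO hostname has a hosts entry and that the entry is an interface address rather than loopback (which ties in with bloemkool1980's point about binding the hostname to the interface the policy arrives on). The file paths are arguments and the sample files are constructed, so it runs stand-alone; on a real box you would pass /etc/nodename and /etc/hosts.

```shell
#!/bin/sh
# Added example, not from the thread: does the IPSO hostname in the nodename
# file have a matching /etc/hosts entry, and is that entry an interface address?
# Both paths are arguments so the check runs on constructed copies here and on
# /etc/nodename and /etc/hosts on a real box.

# check_nodename_in_hosts NODENAME_FILE HOSTS_FILE
# Prints the address the hostname maps to and returns 0; otherwise prints a
# diagnostic on stderr and returns 1 (empty nodename), 2 (no hosts entry) or
# 3 (maps to loopback only).
check_nodename_in_hosts() {
    nodename_file=$1
    hosts_file=$2

    # The nodename file holds a single token; drop whitespace and newlines.
    name=$(tr -d ' \t\r\n' < "$nodename_file")
    if [ -z "$name" ]; then
        echo "empty nodename in $nodename_file" >&2
        return 1
    fi

    # Exact match of the name in the hostname/alias columns, comments stripped.
    ip=$(awk -v n="$name" '
        { sub(/#.*/, "") }            # drop comments before fields are split
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i == n) { print $1; exit }
        }' "$hosts_file")

    if [ -z "$ip" ]; then
        echo "hostname $name has no entry in $hosts_file" >&2
        return 2
    fi

    # A hostname bound only to loopback is a classic cause of object/SIC
    # name mismatches as seen from the management server.
    case "$ip" in
        127.*)
            echo "hostname $name maps to loopback $ip, not an interface address" >&2
            return 3
            ;;
    esac

    echo "$ip"
}

# Constructed sample files so the script runs stand-alone.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf 'fw2\n' > "$tmpdir/nodename"
cat > "$tmpdir/hosts" <<'EOF'
# constructed /etc/hosts for the example
127.0.0.1    localhost
192.0.2.1    fw1
192.0.2.2    fw2 fw2.example.invalid
EOF

check_nodename_in_hosts "$tmpdir/nodename" "$tmpdir/hosts"
```

The address it prints should be the one the firewall object on the management server carries; a non-zero return, or an address that differs from the object, is the mismatch to chase before resetting SIC again.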

Author Comment by: tul0rjs
ID: 11939754
Tim,

Thanks for the comments. I have checked the relevant files and they do exist and contain the correct data; also cpha has been enabled on both Nokias. When cpha starts it says the cluster object "fwkdebug_register: module cluster already registered", then it returns a "fwha_kdebug_register: fwkdebug_register failed". I have also tried SIC resets on numerous occasions; I can get the SIC established and trusted no problem. Do you think this is a hardware problem?

Expert Comment by: Tim Holman (LVL 23)
ID: 11950158
From the FP3 release notes:

http://www.allasso.fr/base/docs/11033396526.pdf

The following error messages may appear on the console when enabling or disabling the
ClusterXL or State synchronization from cpconfig.
FireWall-1: fwkdebug_register: module cluster already registered
FireWall-1: fwha_kdebug_register: fwkdebug_register failed
These messages may be safely ignored.

Are you sure there's nothing silly like a duplicate IP or MAC address ??

Author Comment by: tul0rjs
ID: 11951388
Tim,

Checked everywhere for duplicate IP and MAC addresses, none that I could find. This is really a weird problem; logic says that it should be working fine. Really hitting the wall with this one. I am going to try a different box tonight to rule out hardware problems. If I still have an issue then I don't know what else to try.

Expert Comment by: Tim Holman (LVL 23)
ID: 11951493
Does the hostname resolve properly from the management server?
You could try separating this out. Give the problem firewall a different IP address, install it as a primary firewall and check you can push a policy to it.
If you're doing VRRP, make sure you've defined Proxy ARPs properly and are not gratuitously ARPing incorrect information. Also, if attached to an STP switch, make sure the switch is not looping or forwarding packets out of the wrong ports.
Is your mgt server running FP3? Do you have a separate mgt server running on Windows, and then the 2 Nokia boxes?

Author Comment by: tul0rjs
ID: 11951646
Tim,

Yes, the management server is running on Windows and is running NG AI, as there are other firewalls in different locations managed by this server. The licenses I have are for a cluster, so I don't know if I can install this as a different primary firewall without impacting the other. The switch that the firewall is connected to is a Cisco switch; I have checked the config and everything is OK. I will have a look at the ARPing and name resolution and let you know how I get on. Many thanks for all the help.

Accepted Solution by: Tim Holman (LVL 23), earned 500 total points
ID: 11952163
Does fw stat on the 2nd firewall actually list any installed policies ?
If default is there, try unloading it (fw unload default) before fetching a policy.