Asked by DesCaffreys:

Load on Module failed - failed to load Security Policy

Checkpoint VPN-1 & Firewall-1 NGX (R65) Build 427

Hi,

Following a power failure my Checkpoint firewall running on Windows 2000 Server SP4 is refusing to push a policy.  The rulebase in SmartDashboard looks intact, but when I try to push the policy the push fails.  The 'Verify Policy' confirms all OK, but the push fails on the Advanced Security policy push.

The Desktop Security policy pushes OK, but the push ends with errors:

SYMPTOM 1
Advanced Security - Installation failed. Reason: Load on Module failed - failed to load Security Policy

SYMPTOM 2
On opening SmartView Tracker I get an error
' Failed to read record no 1'

SYMPTOM 3
On opening SmartView Monitor it reports
SmartCenter - Error: SmartCenter CA is not running
Firewall - Error: The security policy is not installed on rar_fw1
VPN - Up but nothing running
SecureClient Policy Server - Error: Policy Server is down

SYMPTOM 4
cpstop and cpstart both report success when tried.

SYMPTOM 5
'fw stat' now shows no policy installed

SYMPTOM 6
'fw fetch rar_fw1' now shows:
'Users Database is lost: unable to reload

Failed to read database.
Probably module was never loaded'

SYMPTOM 7
I tried to 'Install Database' in the policy menu.  It reported success but still unable to push policy correctly.

SYMPTOM 8
I tried to perform an upgrade_export to get a current copy of the firewall using the following command:

upgrade_export CPFW_NGXR65_11JAN08

But I got,
Checking the existence of necessary files...
Copying files to temp dir...
Error: Failed to copy files to temporary directory

SYMPTOM 9
A complete reboot has no effect.


Any help would be most appreciated as I have about 30 people looking at walls at the moment.
Thanks

 
Avatar of DesCaffreys
DesCaffreys
Flag of Ireland image

ASKER

Some additional info:

I tried to rename $FWDIR\conf\InternalCA_bak.NDB to InternalCA.NDB.  Swapping this file in made no difference so I reverted.

Also I tried an upgrade_export using the -d option and got the following amongst the output:

Copying files to temp dir...
[ 868 1856]@[11 Jan 19:43:20] CopyDirToTempDir: Warning >> C:\WINNT\FW1\R65\fw1\conf points to C:\WINNT\FW1\R65\fw1\conf\InternalCA_RECOVERY.NDB232, which does not exist.  It might be a problem!

A candidate for 'Understatement of the year' I think, 'It might be a problem' indeed!

Still no further but will continue trying things.
ASKER CERTIFIED SOLUTION by grimkin (the accepted answer text is not available on this page)

DesCaffreys (asker):

Hi grimkin,

I'm currently building a separate box to attempt a restore using an upgrade_export from june.

So far I configured the Dell PowerEdge 2400 with RAID 1.  I've installed Windows 2000 Server SP4 and just completed all Windows updates (0 outstanding).  Just after that I installed Dell OpenManage and was just now considering starting the Checkpoint install.

However, I'm apprehensive about the install process.  I have an upgrade_export dump but have never tried an install before.

Additional info:

Just in the process of the Checkpoint install.

Just finished install.

Tried to open SmartView Tracker, cannot connect (tried both internal and external addresses); error as follows:

'Connection cannot be initiated.
Please make sure that the Server '192.168.0.4' is up and running and that you are defined as a GUI Client'

Then tried to start Checkpoint Configuration and am getting an error as follows:

cpconfig.exe - Entry Point Not Found
'The procedure entry point ??_U@YAPAXI@Z could not be located in the dynamic link library MSVCRT.dll'

HELP!

PS. I've added the external IP to the hosts file as was the case on the previous computer.

Cheers

Update:

Working on updating MSVCRT.DLL, currently version 6.0.8337.0; found 6.1.9844.0 in dllcache so going to try and copy the newer version in.

Update:

OK, started the 2000 recovery console and copied the new msvcrt.dll into c:\winnt\system32.  Now the computer is booting without the above errors.

I can now get into the Checkpoint configuration tool but I'm unable to open SmartDashboard.

Error as follows:
'Connection cannot be initiated.
Please make sure that the Server '192.168.0.4' is up and running and that you are defined as a GUI client'


By the way, the firewall is completely contained on one computer, i.e. enforcement module and GUI.

Also:
Entries in the Checkpoint Configuration Tool tabs appear the same as the original firewall.
CA is initialized,
Fingerprint is identical.

Any ideas?


Update:

According to the manual, if the enforcement module and console reside on the same computer, you don't have to define a permitted remote host in the Checkpoint Configuration Tool, or something to that effect.

I'm still having the same initiation problem as above.

I've checked what's listening on the computer and see, using netstat -a, that there is no port 18190 listening.  There is listening on 18191, 18192 and 18196 but not on 18190, as the Checkpoint UserCenter document states.

I tried fwm unload local, but I get the following error:

'The requested command can not be run because this station is not configured. Aborting.'

I tried adding the external, internal and loopback addresses to the permitted remote hosts list but to no effect.  I've also tried connecting SmartDashboard to these addresses.

Still stuck.
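The listening-port check described in the post above, as an added example that is not part of the original thread: a small Python script that parses netstat -a output in the Windows 2000 format and reports which of the expected Check Point management ports are not in LISTENING state. The sample netstat output and the host name in it are constructed, not a capture from the thread. The port labels are assumptions taken from general Check Point documentation (18190 is the CPMI port that SmartDashboard and SmartView clients connect to; 18191 and 18192 are CPD ports); 18196 is included only because the post lists it as listening.

```python
"""Report expected Check Point management ports that are not listening.

Added example for this thread, not code from the original post or from
Check Point.  Parses the text of `netstat -a` as Windows 2000 prints it.
"""
import re

# Expected TCP listeners on a combined SmartCenter/enforcement module.
# Labels are assumptions from general Check Point documentation; 18196 is
# listed only because the post reports it as listening.
EXPECTED_PORTS = {
    18190: "CPMI (SmartDashboard / SmartView clients)",
    18191: "CPD",
    18192: "CPD (AMON)",
    18196: "listed in the post",
}

# Constructed sample of Windows 2000 `netstat -a` output; the host name
# rar_fw1 and the addresses are made up for this example.  Port 18190 is
# deliberately absent to reproduce the situation described in the post.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    rar_fw1:264            rar_fw1:0              LISTENING
  TCP    rar_fw1:18191          rar_fw1:0              LISTENING
  TCP    rar_fw1:18192          rar_fw1:0              LISTENING
  TCP    rar_fw1:18196          rar_fw1:0              LISTENING
  TCP    192.168.0.4:18191      192.168.0.4:1045       ESTABLISHED
  UDP    rar_fw1:500            *:*
"""

# One TCP line in LISTENING state: "TCP  <host>:<port>  <foreign>  LISTENING".
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<host>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s*$",
    re.IGNORECASE,
)


def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports reported as LISTENING."""
    ports = set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            ports.add(int(match.group("port")))
    return ports


def missing_expected_ports(netstat_text, expected=None):
    """Return the expected ports (sorted) that have no LISTENING entry."""
    if expected is None:
        expected = EXPECTED_PORTS
    listening = listening_tcp_ports(netstat_text)
    return sorted(port for port in expected if port not in listening)


def report(netstat_text, expected=None):
    """Build a human-readable summary, one line per expected port."""
    if expected is None:
        expected = EXPECTED_PORTS
    listening = listening_tcp_ports(netstat_text)
    lines = []
    for port in sorted(expected):
        state = "LISTENING" if port in listening else "NOT LISTENING"
        lines.append("%5d  %-14s %s" % (port, state, expected[port]))
    return "\n".join(lines)


if __name__ == "__main__":
    # On the box itself you would pipe real output in:  netstat -a | python check_ports.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print(report(text))
    missing = missing_expected_ports(text)
    if missing:
        print("Missing listeners: %s" % ", ".join(str(p) for p in missing))
```

Run without input it evaluates the constructed sample and flags 18190 as the only missing listener, which matches what the post observed; fed real netstat -a output on stdin it performs the same check against the live box.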


grimkin:

Hi Des,

Which version of CP were you running when you took the upgrade_export? Was it R65? If not, then you may need to build a box running the older version and import it into that; you could then re-export it so that it would be compatible with R65.

DesCaffreys (asker):

Grimkin,

Thanks again for your help.

The CP versions are the same, NGX R65.

I noticed earlier that the Check Point Firewall-1 service was set to manual startup so I've now set it to automatic, but still no joy.

fw stat currently shows:

localhost InitialPolicy 12Jan2008 19:01:49 :  [EL98x2]

Still stuck with the initiation problem.

Cheers

DesCaffreys (asker):

Grimkin,

In relation to the original problem, the corrupted database, I've decided (pushed by pressure to get back on the net) to go for your idea of restoring the upgrade_export from June 07.  I'll have to play catch-up on the rulebase, but email is critical to the client. Thankfully, my backup MX has been shouldering the burden since Friday.

In relation to the unexplained inability to connect to the console on the second firewall after a new install, that can be explained by the MSVCRT.DLL problem.  It appears that after rebooting the second firewall after the 'install using saved configuration', the DLL error just happened to appear, probably caused by some of the RAID or management related software I had installed prior to Check Point.  However, timing was everything, because when the initial Checkpoint configuration screen tried to display on reboot the DLL was wrong.  Therefore, because I was unaware of the fact that this configuration program was due to appear, I didn't necessarily associate the fact that it was the Check Point configuration that was triggering the DLL error, while not in fact being responsible for it. So once the DLL issue had been dealt with (as above), I was able to uninstall and reinstall Check Point and go through the initial configuration dialog, which subsequently allowed me into Dashboard.

So basically I then took a risk and uninstalled the CP software from the original box and reinstalled.  The firewall is up and mail is flowing.

I have learned a thing or two about the install (albeit with saved configuration) and I am not quite so intimidated.  The whole licensing area frightened me, but the 'saved configuration' saved me this pain.  We have also now decided that the second box will be used as a 'cold' standby, which leads me to another question.

If you get a moment I would very much appreciate your opinion over at

https://www.experts-exchange.com/questions/23079090/CP-NGX-R65-Get-topology-not-working-in-firewall-properties.html

Cheers and thanks again for your help.
grimkin:

Hi Des,

Glad you got it sorted. If you get the chance, give SecurePlatform a look - it's a Linux distro by Checkpoint, very stable and very quick to get up and running or repair. I'll take a look at your other Q now.

Cheers
Ben