Security Gateway fails to connect Gaia Portal

veronikush29 — Wed, 07 Apr 2021 11:49:22 GMT

Hi everyone,

I have a pair of 5800 gateways running R80.10 - since the moment I started working on them I noticed I cannot access the Gaia Portal to complete their configuration via Smart Wizard.

I Have tried 3 different browsers (Chrome, FireFox, Explorer) but nothing works.

I tried to restart the httpd2 process, but unfortunately that didn't help as well.

Here is the httpd2 error log output.

the Gateway ip addr is 1.1.1.1/24

**here is the output of the httpd2 error logs:

[Wed Apr 07 11:17:46.148003 2021] [ssl:info] [pid 17114] [client 4.4.4.4:57663] AH01964: Connection to child 1 established (server 1.1.1.1:443)
[Wed Apr 07 11:17:46.148102 2021] [ssl:debug] [pid 17114] ssl_engine_kernel.c(1949): [client 4.4.4.4:57663] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Wed Apr 07 11:17:46.148269 2021] [ssl:info] [pid 17116] [client 4.4.4.4:57664] AH01964: Connection to child 3 established (server 1.1.1.1:443)
[Wed Apr 07 11:17:46.148341 2021] [ssl:debug] [pid 17116] ssl_engine_kernel.c(1949): [client 4.4.4.4:57664] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Wed Apr 07 11:17:48.164178 2021] [reqtimeout:info] [pid 17114] [client 4.4.4.4:57663] AH01382: Request header read timeout
[Wed Apr 07 11:17:48.164192 2021] [ssl:debug] [pid 17114] ssl_engine_io.c(1212): (70007)The timeout specified has expired: [client 4.4.4.4:57663] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Wed Apr 07 11:17:48.164197 2021] [ssl:info] [pid 17114] [client 4.4.4.4:57663] AH01998: Connection closed to child 1 with abortive shutdown (server 1.1.1.1:443)
[Wed Apr 07 11:17:48.165199 2021] [reqtimeout:info] [pid 17116] [client 4.4.4.4:57664] AH01382: Request header read timeout
[Wed Apr 07 11:17:48.165217 2021] [ssl:debug] [pid 17116] ssl_engine_io.c(1212): (70007)The timeout specified has expired: [client 4.4.4.4:57664] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Wed Apr 07 11:17:48.165222 2021] [ssl:info] [pid 17116] [client 4.4.4.4:57664] AH01998: Connection closed to child 3 with abortive shutdown (server 1.1.1.1:443)
[Wed Apr 07 11:29:58.955943 2021] [core:info] [pid 17109] AH00096: removed PID file /var/run/httpd2.pid (pid=17109)
[Wed Apr 07 11:29:58.955956 2021] [mpm_prefork:notice] [pid 17109] AH00169: caught SIGTERM, shutting down
[Wed Apr 07 11:30:02.488435 2021] [mime_magic:error] [pid 32593] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Wed Apr 07 11:30:03.001587 2021] [ssl:warn] [pid 32593] AH01906: 1.1.1.1:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Apr 07 11:30:03.001600 2021] [ssl:warn] [pid 32593] AH01909: 1.1.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Wed Apr 07 11:30:03.009620 2021] [so:warn] [pid 32593] AH01574: module setenvif_module is already loaded, skipping
[Wed Apr 07 11:30:03.009629 2021] [so:warn] [pid 32593] AH01574: module headers_module is already loaded, skipping
[Wed Apr 07 11:30:03.011242 2021] [core:warn] [pid 32593] AH00117: Ignoring deprecated use of DefaultType in line 420 of /web/conf/httpd2.conf.
AH00558: httpd2: Could not reliably determine the server's fully qualified domain name, using 1.1.1.1. Set the 'ServerName' directive globally to suppress this message
[Wed Apr 07 11:30:03.011398 2021] [mime_magic:error] [pid 32593] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Wed Apr 07 11:30:04.000646 2021] [ssl:warn] [pid 32593] AH01906: 1.1.1.1:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Apr 07 11:30:04.000657 2021] [ssl:warn] [pid 32593] AH01909: 1.1.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Wed Apr 07 11:30:04.002698 2021] [mpm_prefork:notice] [pid 32593] AH00163: CPWS/2.4.16 (Unix) OpenSSL/1.0.1p configured -- resuming normal operations
[Wed Apr 07 11:30:04.002714 2021] [core:notice] [pid 32593] AH00094: Command line: '/web/cpshared/web/Apache/2.2.0/bin/httpd2 -f /web/conf/httpd2.conf -D FOREGROUND'

**the output of tcpdump -ni Mgmt port 443 -

[Expert@FwVero:0]# tcpdump -ni Mgmt port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Mgmt, link-type EN10MB (Ethernet), capture size 96 bytes
12:09:18.365857 IP 4.4.4.4.58667 > 1.1.1.1.https: S 292501612:292501612(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:09:18.368609 IP 4.4.4.4.58667 > 1.1.1.1.https: . ack 1321397747 win 16625
12:09:18.369687 IP 4.4.4.4.58667 > 1.1.1.1.https: P 0:137(137) ack 1 win 16625
12:09:18.373318 IP 4.4.4.4.58667 > 1.1.1.1.https: P 137:495(358) ack 1242 win 16314
12:09:18.583904 IP 4.4.4.4.58667 > 1.1.1.1.https: . ack 1333 win 16625
12:09:18.584642 IP 4.4.4.4.58667 > 1.1.1.1.https: . ack 1333 win 16625 <nop,nop,sack 1 {1242:1333}>
12:09:20.421895 IP 4.4.4.4.58667 > 1.1.1.1.https: . ack 1403 win 16607
12:09:23.611619 IP 4.4.4.4.58667 > 1.1.1.1.https: R 495:495(0) ack 1403 win 0
12:09:27.617689 IP 4.4.4.4.58671 > 1.1.1.1.https: S 3703035644:3703035644(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:09:27.620461 IP 4.4.4.4.58671 > 1.1.1.1.https: . ack 1152516678 win 16625
12:09:27.620625 IP 4.4.4.4.58671 > 1.1.1.1.https: P 0:169(169) ack 1 win 16625
12:09:27.623757 IP 4.4.4.4.58671 > 1.1.1.1.https: P 169:260(91) ack 171 win 16582
12:09:27.626365 IP 4.4.4.4.58671 > 1.1.1.1.https: F 260:260(0) ack 171 win 16582
12:09:27.626609 IP 4.4.4.4.58672 > 1.1.1.1.https: S 1569341768:1569341768(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:09:27.629144 IP 4.4.4.4.58671 > 1.1.1.1.https: R 261:261(0) ack 240 win 0
12:09:27.629193 IP 4.4.4.4.58671 > 1.1.1.1.https: R 3703035906:3703035906(0) win 0
12:09:27.629356 IP 4.4.4.4.58672 > 1.1.1.1.https: . ack 3879169805 win 16625
12:09:27.629469 IP 4.4.4.4.58672 > 1.1.1.1.https: P 0:169(169) ack 1 win 16625
12:09:27.632546 IP 4.4.4.4.58672 > 1.1.1.1.https: P 169:260(91) ack 171 win 16582
12:09:27.635287 IP 4.4.4.4.58672 > 1.1.1.1.https: P 260:729(469) ack 171 win 16582
12:09:27.657449 IP 4.4.4.4.58672 > 1.1.1.1.https: . ack 171 win 16582
12:11:08.263681 IP 2.2.2.2.56342 > 1.1.1.1.https: S 2238622963:2238622963(0) win 65535 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:11:08.267368 IP 2.2.2.2.56342 > 1.1.1.1.https: . ack 1094179899 win 1024
12:11:08.267725 IP 2.2.2.2.56342 > 1.1.1.1.https: P 0:180(180) ack 1 win 1024
12:11:08.277309 IP 2.2.2.2.56342 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
12:11:10.288314 IP 2.2.2.2.56342 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
12:11:17.338249 IP 2.2.2.2.56343 > 1.1.1.1.https: S 742014096:742014096(0) win 65535 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:11:17.341970 IP 2.2.2.2.56343 > 1.1.1.1.https: . ack 676845258 win 1024
12:11:17.342370 IP 2.2.2.2.56343 > 1.1.1.1.https: P 0:180(180) ack 1 win 1024
12:11:17.351341 IP 2.2.2.2.56343 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
12:11:19.363603 IP 2.2.2.2.56343 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
12:11:28.713434 IP 2.2.2.2.56346 > 1.1.1.1.https: S 3725733948:3725733948(0) win 65535 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:11:28.716443 IP 2.2.2.2.56346 > 1.1.1.1.https: . ack 2315813135 win 1024
12:11:28.719327 IP 2.2.2.2.56346 > 1.1.1.1.https: P 0:180(180) ack 1 win 1024
12:11:28.728326 IP 2.2.2.2.56346 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
12:11:30.740611 IP 2.2.2.2.56346 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>

36 packets captured
72 packets received by filter
0 packets dropped by kernel

I would appreciate any help.

Thank you!

Re: Security Gateway fails to connect Gaia Portal

the_rock — Wed, 07 Apr 2021 16:59:15 GMT

Easy trick to fix this...windows + R -> iexplore -> once you open old explorer, go to tools -> internet options -> check all ssl tls options at the bottom -> hit ok -> try again. Im 99% sure it will work.

Re: Security Gateway fails to connect Gaia Portal

veronikush29 — Sun, 11 Apr 2021 06:23:32 GMT

Hi! Thank you for your reply, unfortunately it didn’t help 😕
All the SSL TLS options are enabled, but the page is stuck in this

Re: Security Gateway fails to connect Gaia Portal

PhoneBoy — Mon, 12 Apr 2021 05:10:09 GMT

Did you click the "continue to this website (not recommended)" link?
And is this R80.10 with no JHF installed?
Maybe the issue is: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121373

Of course, R80.10 is almost End of Support.
You should be using a later release.

Re: Security Gateway fails to connect Gaia Portal

Shira — Fri, 05 Aug 2022 07:46:42 GMT

Hi,

What was the solution?

WR,

Shira

Re: Security Gateway fails to connect Gaia Portal

veronikush29 — Fri, 05 Aug 2022 12:46:51 GMT

Hi 🙂 it was a long time ago - but if I remember correctly it was an MTU problem somewhere in my network that caused this. After we changed the MTU to match everywhere it worked.

topic Re: Security Gateway fails to connect Gaia Portal in Firewall and Security Management

Security Gateway fails to connect Gaia Portal

Re: Security Gateway fails to connect Gaia Portal

Re: Security Gateway fails to connect Gaia Portal

Re: Security Gateway fails to connect Gaia Portal

Re: Security Gateway fails to connect Gaia Portal

Re: Security Gateway fails to connect Gaia Portal