topic Re: Lost access to gaia portal in Firewall and Security Management

Lost access to gaia portal

Ryan_Ryan — Thu, 24 May 2018 04:55:23 GMT

Hi guys, running R77.30, not long ago we lost the ability to web to our gateway and manager, it used to work (self signed cert) but now the browser throws an error such as: "Can’t connect securely to this page" with no option to continue anyway.

Have tried 3 different browsers, and enabled all tls versions and even sslv3 but nothing helps.

Wireshark capture shows a client hello requesting, tlsv1.2 then tls v1.0, sslv3.0 then it stops.

Anyone got any solution for this? I would be happy just running plain http but it seems not an option.

config:

set web table-refresh-rate 15
set web session-timeout 10
set web ssl-port 443
set web ssl3-enabled on
set web daemon-enable on

thanks!

Re: Lost access to gaia portal

PhoneBoy — Thu, 24 May 2018 20:41:35 GMT

What does a tcpdump say when you try to access the Gaia portal?

I'm guessing you pushed a policy that blocked access to the Gaia portal.

There must be an explicit rule allowing the communication as it is not covered thru implied rules.

Re: Lost access to gaia portal

Maarten_Sjouw — Thu, 24 May 2018 22:23:40 GMT

Have you tried running the web sslport on 4434 or any other port instead, I don't know if you added some additional blade like Mobile access or just VPN Client access?

In the dashboard go into the object of the gateway and change the gateway portal from the HTTPS://<IP> to HTTPS://<IP:4434 and push policy as this will always overwrite the local setting and will reset the web ssl-port setting you change on the command line.

It is always recommendable to change the port for the GAIA portal.

Re: Lost access to gaia portal

Ryan_Ryan — Thu, 24 May 2018 23:31:06 GMT

Hi thanks both for your replies.

I can telnet to the gateway on port 443 and its open, so access does not seem to be the issue, the issue seems more the gateway is not talking ssl/tls properly. I tried running on a different port and updating the gateway portal URL, but I get the same results, telnet works but web browsing fails.

chrome shows: ERR_CONNECTION_CLOSED

IE: Can’t connect securely to this page. This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

I regenerated the ssl cert on the gateway aswell then restarted the daemon but still the same issue!

tcpdump just shows a normal tcp handshake

Re: Lost access to gaia portal

PhoneBoy — Fri, 25 May 2018 03:45:16 GMT

Curious if there's anything in /var/log/httpd2_error_log that might explain it.

You might also try the couple of Linux CLI commands and the Wireshark troubleshooting process listed here: Troubleshoot SSL/TLS handshake in Google Chrome browser - Stack Overflow

Re: Lost access to gaia portal

Ryan_Ryan — Fri, 25 May 2018 04:36:50 GMT

Yes there are some logs in there, nothing relative to each attempt, these logs date to the time I restarted the http2 service:

[notice] SIGHUP received. Attempting to restart
[warn] module setenvif_module is already loaded, skipping
[warn] module headers_module is already loaded, skipping
[error] (1)Operation not permitted: mod_mime_magic: can't read magic file /web/conf/magic
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `192.168.1.1' does NOT match server name!?
[notice] CPWS configured -- resuming normal operations

curl is a good idea, although nothing too helpful came of it:

* schannel: failed to receive handshake, need more data

curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

Re: Lost access to gaia portal

PhoneBoy — Fri, 25 May 2018 14:40:02 GMT

I recommend opening a case with the TAC so this can be properly investigated.

Re: Lost access to gaia portal

Anas_Ahmad — Tue, 09 Apr 2019 13:35:42 GMT

Hello,

Did you get the solution for this because the same thing I am experiencing on R80.10 as well with latest take. New Deployment.

Tried to connect the laptop directly with MGMT port of firewall with is same network but no luck. How ever I am able to ping the firewall.

Checked the wireshark captures found client is sending hello but firewall is sending FIN.

Re: Lost access to gaia portal

piotto777 — Mon, 19 Aug 2019 14:22:19 GMT

Have you got a solution from TAC please?

We have same error message in /var/log/httpd2_error_log after R.77.30 node joined cluster.

tcpdump shows 3-WAY handshake OK and then nothing happened.

different browsers show blank screen, none of tcl scripts are not starting.

we have restarted httpd daemon - same issue.

/var/log/httpd2_error_log:

[Thu Aug 15 01:13:53 2019] [notice] caught SIGTERM, shutting down
[Thu Aug 15 01:14:40 2019] [error] (1)Operation not permitted: mod_mime_magic: can't read magic file /web/conf/magic
[Thu Aug 15 01:14:41 2019] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Aug 15 01:14:41 2019] [warn] RSA server certificate CommonName (CN) `192.168.1.1' does NOT match server name!?
[Thu Aug 15 01:14:41 2019] [warn] module setenvif_module is already loaded, skipping
[Thu Aug 15 01:14:41 2019] [warn] module headers_module is already loaded, skipping
httpd2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.1 for ServerName
[Thu Aug 15 01:14:41 2019] [error] (1)Operation not permitted: mod_mime_magic: can't read magic file /web/conf/magic
[Thu Aug 15 01:14:42 2019] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Aug 15 01:14:42 2019] [warn] RSA server certificate CommonName (CN) `192.168.1.1' does NOT match server name!?
[Thu Aug 15 01:14:42 2019] [notice] CPWS configured -- resuming normal operations

Re: Lost access to gaia portal

PhoneBoy — Fri, 16 Aug 2019 20:14:53 GMT

It looks like whatever certificate configured for the Gaia portal is a CA certificate.
You should probably replace it.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97648
Or: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108252