Error 'GW can not access updates.checkpoint.com' (but it can)

EmilliXill — Thu, 18 May 2023 11:27:59 GMT

Hello!

I have an HA cluster in my lab (Gaia 80.40). Both nodes have access to the internet (ping 1.1.1.1 for example is successful).

But in Smart console I see an error on both nodes in the IPS and Anti-Bot&Anti-Virus sections (Gateways&Servers - Click on GW - Device&License information - Device status):

Error: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://updates.checkpoint.com/WebService/services/DownloadMetaDataService"). Check connectivity and proxy settings

But curl_cli -v -k https://updates.checkpoint.com is successful on both nodes:

Trying 184.50.201.193...
* TCP_NODELAY set
* Connected to updates.checkpoint.com (184.50.201.193) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Thu May 18 13:45:43 2023
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Thu May 18 13:45:43 2023
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
* subject: CN=*.checkpoint.com
* start date: Dec 21 12:11:27 2022 GMT
* expire date: Jan 22 12:11:26 2024 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< Content-Type: text/html
< Server: Apache-Coyote/1.1
< Content-Length: 10
< Date: Thu, 18 May 2023 10:45:41 GMT
< Connection: keep-alive
<
status=OK
* Connection #0 to host updates.checkpoint.com left intact

I know there are a lot of posts like mine, but usually there is no internet or service is really down. In my case GW has internet access and CP services are OK as far as I know.

Also I have tried to do this one: https://community.checkpoint.com/t5/General-Topics/Failure-to-fetch-updates-from-CheckPoint-servers/m-p/87250 But I don't seem to have such directories..I have only opt/CPshared//5.0/tmp...

Does anyone have any ideas how to fix this? 😞 Thank you!

Re: Error 'GW can not access updates.checkpoint.com' (but it can)

PhoneBoy — Thu, 18 May 2023 16:58:59 GMT

I would ask the TAC to assist in troubleshooting here: https://help.checkpoint.com

Re: Error 'GW can not access updates.checkpoint.com' (but it can)

the_rock — Thu, 18 May 2023 17:12:01 GMT

Can you ensure this is checked in global properties?

Andy

Re: Error 'GW can not access updates.checkpoint.com' (but it can)

the_rock — Thu, 18 May 2023 17:15:54 GMT

You can also refer to below sk:

https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106251&srcFavorites=favorites

Andy

Re: Error 'GW can not access updates.checkpoint.com' (but it can)

EmilliXill — Mon, 22 May 2023 09:58:03 GMT

Thanks everyone! The problem was solved itself, did nothing. Did not even reboot 😕

topic Error 'GW can not access updates.checkpoint.com' (but it can) in Firewall and Security Management

Error 'GW can not access updates.checkpoint.com' (but it can)

Re: Error 'GW can not access updates.checkpoint.com' (but it can)

Re: Error 'GW can not access updates.checkpoint.com' (but it can)

Re: Error 'GW can not access updates.checkpoint.com' (but it can)

Re: Error 'GW can not access updates.checkpoint.com' (but it can)