topic R80.40 Policy install timeout, but new policy is active in Firewall and Security Management

R80.40 Policy install timeout, but new policy is active

ClaudiaPeter — Mon, 09 Nov 2020 18:24:23 GMT

Hi,

we recently updated from R80.10 to R80.40, Management Server and a Gateway Cluster of 5800 appliances.

We defined a new rule for HTTPS Inspection with Updatable Objects. Since then Policy Install fails with timeout. Deleting the new rule doesn't "repair" it.

- "fw stat" shows the new policy, and changes in the policy are effective.

- I don't think the install_policy_timeout value is the problem, the Management Server waits for a long time for the commit after "fw stat" already shows the new policy timestamp.

- Management Server $FWDIR/log/install_policy.elg:
...
Compiled OK.&CURRENTVERCMP
**##MSG_IDENTIFY##**3&0&Compilation was successful&50&<NULL>&1&CURRENTVERCMP
Installing Security Gateway policy on: gw-cluster ...&CURRENTVERCMP
**##MSG_IDENTIFY##**5&0&Transfer was successful.&gw2&<NULL>&1&CURRENTVERCMP
**##MSG_IDENTIFY##**5&0&Transfer was successful.&gw1&<NULL>&1&CURRENTVERCMP
Operation incomplete due to timeout.&CURRENTVERCMP
**##MSG_IDENTIFY##**8&2&Operation incomplete due to timeout.&<NULL>&<NULL>&1&CURRENTVERCMP

So the problems seems to be on gateway side.

- Gateway /opt/CPsuite-R80.40/fw1/state/__tmp/FW1/install_policy_report.txt
...
17:43:15 4000051 InternalMsg UPInstallPolicyApp INFO up_install_policy_app.cpp 364 postLoadCommit ====== UP install policy App post-load commit end ======
17:43:15 4000052 InternalMsg Install Policy MGR INFO install_policy_mgr.cpp 1133 postLoadCommit Usermode postLoadCommit of InstallPolicyApp: (UP) with appType: (1), appPosition: (2) succeeded

So just the last line with "====== Usermode post-load commit end =====" is missing.

- According sk114733 "du -k $FWDIR/state/__tmp/FW1/" on both Gateways should be the same, but they differs. The file local.upDB.sqlite differs.
Regrettably the sk do not mention what to do if the size of the directory differs.

I cannot find any sk how to "reset" the directory $FWDIR/state/__tmp/FW1/. Can I just delete the files and get fresh copies from the management server with "fw fetch"?

(It's a production environment and I don't want to kill the Gateway with careless deleting files...)

Best regards
Claudia

Re: R80.40 Policy install timeout, but new policy is active

PhoneBoy — Mon, 09 Nov 2020 21:29:06 GMT

You can generally just delete the content of $FWDIR/state safely, though you can take a backup if you want to be on the safe side.

Re: R80.40 Policy install timeout, but new policy is active

_Val_ — Tue, 10 Nov 2020 07:37:12 GMT

I suggest investigating this with TAC.

Can you show how your "New HTTPS Inspection rule with Updatable Objects" looks, though?

Re: R80.40 Policy install timeout, but new policy is active

ClaudiaPeter — Tue, 10 Nov 2020 09:23:57 GMT

Actual the rule looks like:

Source: Any

Destination: Office365 Worldwide Services, Intune Services, Microsoft - recommended HTTPS bypass, Power B I Services, Webex Services

Services: https

Category/..: Any

Action: Bypass

Track: Log

Blade: All

Install On: one Gateway Cluster

Certificate: Outbound Certificate

Re: R80.40 Policy install timeout, but new policy is active

ClaudiaPeter — Tue, 10 Nov 2020 16:40:33 GMT

The solution was "standard": reboot.

It took only some longer discussions with the customer to be allowed to reboot the maschines....