topic Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed" in General Topics

gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

ShadowNif — Mon, 06 May 2024 14:13:20 GMT

Hello,

after update to 81.20 Gaia Webui was accessible, all of a sudden and after a couple of days it is not accessible anymore.

> show web ssl-port
web-ssl-port 443

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

the_rock — Mon, 06 May 2024 14:38:05 GMT

2 suggestions...try setting "though all interfaces", install policy

If that fails, try change port and make sure its allowed, as per below

Best,

Andy

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

ShadowNif — Mon, 06 May 2024 14:48:02 GMT

I already tried that, although i have a cluster over the appliances. but still did not work.
I think it might be something with Cert. but don't know how to really check it out .

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

the_rock — Mon, 06 May 2024 14:49:42 GMT

Did you try another port?

Andy

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

ShadowNif — Mon, 06 May 2024 14:55:57 GMT

yes that was the first suggestion in the first comment

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

the_rock — Mon, 06 May 2024 15:00:06 GMT

So is port 443 now or custom? Can you send following -> clish -c "show web ssl-port"

Andy

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

ShadowNif — Mon, 06 May 2024 15:15:19 GMT

it was 443 and change it to 4434 and nothing change

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

the_rock — Mon, 06 May 2024 15:27:34 GMT

K, so just to make sure I get the whole "picture" here...so nothing changed except fw was upgraded to R81.20? And then web UI worked for 2 days and all of a sudden it stopped?

Andy

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

PhoneBoy — Mon, 06 May 2024 17:37:07 GMT

Access the device via console, type "fw unloadlocal" and try again.
If this works, check the output of "cplic print" to see if you have a valid license.
If not, you'll need to generate a new evaluation license: https://community.checkpoint.com/t5/General-Topics/How-to-Request-an-Evaluation-License-for-Security-Gateways-and/td-p/40391

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

the_rock — Mon, 06 May 2024 19:21:18 GMT

Its just a bit odd it worked for 2 days after the upgrade...I believe even with initial policy, web UI will work if its on port 443.

Andy

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

PhoneBoy — Mon, 06 May 2024 19:47:09 GMT

Right, but unloading the policy makes sure it's not the issue.

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

the_rock — Mon, 06 May 2024 19:48:08 GMT

Thats true, worth a try.

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

ShadowNif — Tue, 07 May 2024 04:42:30 GMT

I already have a lice. why this should be an issue? The FWs and cluster working fine but I cannot access the ui.

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

ShadowNif — Tue, 07 May 2024 04:45:45 GMT

I tried to unloadlocal policy and install policy again. did not work! Although as i mentioned the firewalls working fine

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

emmap — Tue, 07 May 2024 05:11:43 GMT

You have the accessibility set to 'According to policy' - what rule are your inbound connections matching on? Is there anything useful in the FW logs?

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

ShadowNif — Tue, 07 May 2024 06:45:40 GMT

it is going through the management interface according to the FW logs. And it is all Green. The Rule is there and working fine.
also in the
httpd2_error _log

Tue May 07 08:43:19.048654 2024] [mpm_prefork:notice] [pid 5804] AH00169: caught SIGTERM, shutting down
[Tue May 07 08:43:25.457517 2024] [mime_magic:error] [pid 2504] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Tue May 07 08:43:25.481826 2024] [so:warn] [pid 2504] AH01574: module setenvif_module is already loaded, skipping
[Tue May 07 08:43:25.481847 2024] [so:warn] [pid 2504] AH01574: module headers_module is already loaded, skipping
[Tue May 07 08:43:25.484948 2024] [core:warn] [pid 2504] AH00117: Ignoring deprecated use of DefaultType in line 421 of /web/conf/httpd2.conf.
AH00558: httpd2: Could not reliably determine the server's fully qualified domain name, using 10.255.0.18. Set the 'ServerName' directive globally to suppress this message
[Tue May 07 08:43:25.485315 2024] [mime_magic:error] [pid 2504] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Tue May 07 08:43:25.488953 2024] [mpm_prefork:notice] [pid 2504] AH00163: CPWS/2.4.55 (Unix) OpenSSL/1.1.1w configured -- resuming normal operations
[Tue May 07 08:43:25.488989 2024] [core:notice] [pid 2504] AH00094: Command line: '/web/cpshared/web/Apache/2.2.0/bin/httpd2 -f /web/conf/httpd2.conf -D FOREGROUND'
[Tue May 07 08:43:26.489827 2024] [:error] [pid 2507] [client 127.0.0.1:54482] libwrap/mod_hosts_access: connection refused from 127.0.0.1 to httpd@127.0.0.1

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

emmap — Tue, 07 May 2024 07:00:28 GMT

Maybe check through this SK and see if anything helps - https://support.checkpoint.com/results/sk/sk91380

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

ShadowNif — Tue, 07 May 2024 07:05:09 GMT

thnx but this is the first link that comes up when you google anything related to Gaia problem, so I went through it and thats why i posted the logs in my last answer

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

ShadowNif — Tue, 07 May 2024 07:49:37 GMT

For some odd reason, after restart the FW it did not work.
So i tried AGAIN to change the port, and all of a sudden it works again. That was weird, and I could not really figure it out.
Now it works with a new port, but the question of why it stops to work on the default one.

Re: gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

emmap — Tue, 07 May 2024 07:49:36 GMT

We have this article with a similar issue, suggests it's a cert problem. https://support.checkpoint.com/results/sk/sk115732