Solved: Re: mgmt_cli vsx_provisioning_tool failing

AaronCP · ‎2026-01-19

Hey CheckMates,

I've got a lab environment set up and I'd like to test the mgmt_cli vsx_provisioning_tool api capability. I'm running the command (with a couple of parameters set) locally from the mgmt server cli, however the command fails to complete and generates an error. I can't see any issues with the syntax and the job fails to complete.

Syntax: mgmt_cli -r true -d x.x.x.x vsx-provisioning-tool operation "add-vd" add-vd-params.vd "VFW1" add-vd-params.vsx-name "VSX-GATEWAY" add-vd-params.type "vs" add-vd-params.ipv4-instances "2" add-vd-params.ipv4-address "192.168.103.1" add-vd-params.interfaces.1.name "bond1.103" add-vd-params.interfaces.1.ipv4-address "192.168.103.1/24" --format json

The job appears to execute, but then very quickly fails with the following error:

---------------------------------------------
Time: [16:19:20] 19/1/2026
---------------------------------------------
"VSX add vd operation" in progress (21%)

---------------------------------------------
Time: [16:19:30] 19/1/2026
---------------------------------------------
"VSX add vd operation" failed (100%)
{
"tasks" : [ {
"task-id" : "01234567-8xxxxxxxxxxxxx",
"task-name" : "VSX add vd operation",
"status" : "failed",
"progress-percentage" : 100,
"suppressed" : false,
"task-details" : [ {
"fault-message" : "Action Failed due to an Internal Error"
} ]
} ]
}
Executed command failed. Changes are discarded.

I've checked the api.elg & fwm.elg files, but can't see anything obvious.

If I run a basic API show command (mgmt_cli -r true -d x.x.x.x show-gateways-and-servers -f json), it successfully returns the details stored within the target domain. I'm not able to locate anything on the Check Point Support Center.

I've rebooted the MDM and VSX Gateway, validated the target VSX Gateway has sufficient licensing, but it hasn't helped the situation.

Has anyone else experienced this issue?

Mgmt - R82 T44

VSX Gateway - R82 T44

Don_Paterson · ‎2026-01-19

Looks like you are following the API reference docs example. 👍

Does this work (using your domain DMS IP and other details)?

mgmt_cli login user fwadmin password vpn123 domain "TargetDomain" > sid.txt 

mgmt_cli vsx-provisioning-tool operation "add-vd" add-vd-params.vd "VFW1" add-vd-params.vsx-name "VSX-GATEWAY" add-vd-params.type "vs" add-vd-params.ipv4-instances "2" add-vd-params.ipv4-address "192.168.103.1" add-vd-params.interfaces.1.name "bond1.103" add-vd-params.interfaces.1.ipv4-address "192.168.103.1/24" -s sid.txt

mgmt_cli publish –s sid.txt

mgmt_cli logout –s sid.txt

For future reference. This is a good way to store and use the SID.

SID=$(mgmt_cli login user "fwadmin" --format json | jq -r '.sid')

mgmt_cli --session-id "$SID" vsx-provisioning-tool ...

Example:

SID=$(mgmt_cli login user "fwadmin" --format json | jq -r '.sid')

mgmt_cli --session-id "$SID" vsx-provisioning-tool operation "add-vd" add-vd-params.vd "VFW1" add-vd-params.vsx-name "VSX-GATEWAY" add-vd-params.type "vs" add-vd-params.ipv4-instances "2" add-vd-params.ipv4-address "192.168.103.1" add-vd-params.interfaces.1.name "bond1.103" add-vd-params.interfaces.1.ipv4-address "192.168.103.1/24" -s sid.txt

mgmt_cli publish –s sid.txt

mgmt_cli logout –s sid.txt

EDIT:

Using -r true can be useful sometimes but maybe not for VSX tasks and other big jobs.

Better to try to stick to best practices and work in proper authenticated sessions.

API reference docs example:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/vsx-provisioning-tool~v2%20

vsx-provisioning-tool add-vd

Add a new Virtual System to an existing VSX cluster

Command

mgmt_cli vsx-provisioning-tool operation "add-vd" add-vd-params.vd "NEW_VD" add-vd-params.vsx-name "VSX_CLUSTER" add-vd-params.type "vs" add-vd-params.ipv4-instances "2" add-vd-params.ipv4-address "192.168.1.1" add-vd-params.interfaces.1.name "eth1" add-vd-params.interfaces.1.ipv4-address "192.168.1.1/24"  --format json
 • "--format json" is optional. By default the output is presented in plain text.

View solution in original post

AaronCP · ‎2026-01-19

Hey @Don_Paterson.

Thanks for the info! I had to tweak the syntax ever so slightly, but you've put me on the right track and I can now create VS's via the API - so thank you! 😊

FYI - this was the tweak I made:

SID=$(mgmt_cli login user "fwadmin" -d "$DOMAIN" --format json | jq -r '.sid')

mgmt_cli --session-id "$SID" - "$DOMAIN" vsx-provisioning-tool operation "add-vd" add-vd-params.vd "VFW1" add-vd-params.vsx-name "VSX-GATEWAY" add-vd-params.type "vs" add-vd-params.ipv4-instances "2" add-vd-params.ipv4-address "192.168.103.1" add-vd-params.interfaces.1.name "bond1.103" add-vd-params.interfaces.1.ipv4-address "192.168.103.1/24" -s sid.txt

mgmt_cli logout --session-id "$SID"

View solution in original post

Don_Paterson · ‎2026-01-19

Looks like you are following the API reference docs example. 👍

Does this work (using your domain DMS IP and other details)?

mgmt_cli login user fwadmin password vpn123 domain "TargetDomain" > sid.txt 

mgmt_cli vsx-provisioning-tool operation "add-vd" add-vd-params.vd "VFW1" add-vd-params.vsx-name "VSX-GATEWAY" add-vd-params.type "vs" add-vd-params.ipv4-instances "2" add-vd-params.ipv4-address "192.168.103.1" add-vd-params.interfaces.1.name "bond1.103" add-vd-params.interfaces.1.ipv4-address "192.168.103.1/24" -s sid.txt

mgmt_cli publish –s sid.txt

mgmt_cli logout –s sid.txt

For future reference. This is a good way to store and use the SID.

SID=$(mgmt_cli login user "fwadmin" --format json | jq -r '.sid')

mgmt_cli --session-id "$SID" vsx-provisioning-tool ...

Example:

SID=$(mgmt_cli login user "fwadmin" --format json | jq -r '.sid')

mgmt_cli --session-id "$SID" vsx-provisioning-tool operation "add-vd" add-vd-params.vd "VFW1" add-vd-params.vsx-name "VSX-GATEWAY" add-vd-params.type "vs" add-vd-params.ipv4-instances "2" add-vd-params.ipv4-address "192.168.103.1" add-vd-params.interfaces.1.name "bond1.103" add-vd-params.interfaces.1.ipv4-address "192.168.103.1/24" -s sid.txt

mgmt_cli publish –s sid.txt

mgmt_cli logout –s sid.txt

EDIT:

Using -r true can be useful sometimes but maybe not for VSX tasks and other big jobs.

Better to try to stick to best practices and work in proper authenticated sessions.

API reference docs example:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/vsx-provisioning-tool~v2%20

vsx-provisioning-tool add-vd

Add a new Virtual System to an existing VSX cluster

Command

mgmt_cli vsx-provisioning-tool operation "add-vd" add-vd-params.vd "NEW_VD" add-vd-params.vsx-name "VSX_CLUSTER" add-vd-params.type "vs" add-vd-params.ipv4-instances "2" add-vd-params.ipv4-address "192.168.1.1" add-vd-params.interfaces.1.name "eth1" add-vd-params.interfaces.1.ipv4-address "192.168.1.1/24"  --format json
 • "--format json" is optional. By default the output is presented in plain text.

AaronCP · ‎2026-01-19

Hey @Don_Paterson.

Thanks for the info! I had to tweak the syntax ever so slightly, but you've put me on the right track and I can now create VS's via the API - so thank you! 😊

FYI - this was the tweak I made:

SID=$(mgmt_cli login user "fwadmin" -d "$DOMAIN" --format json | jq -r '.sid')

mgmt_cli --session-id "$SID" - "$DOMAIN" vsx-provisioning-tool operation "add-vd" add-vd-params.vd "VFW1" add-vd-params.vsx-name "VSX-GATEWAY" add-vd-params.type "vs" add-vd-params.ipv4-instances "2" add-vd-params.ipv4-address "192.168.103.1" add-vd-params.interfaces.1.name "bond1.103" add-vd-params.interfaces.1.ipv4-address "192.168.103.1/24" -s sid.txt

mgmt_cli logout --session-id "$SID"

Don_Paterson · ‎2026-01-19

Hey Aaron,

Excellent. You're welcome.

Thanks for the feedback.

One small thing. It's my mistake - You can take out the last part, -s sid.txt.

That's only for when the SID is saved to file.

All the best,

Don

Don_Paterson · ‎2026-01-19

If the API command fails you could test using the vsx_provisioning_tool directly on the command line of the MDS.

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_VSX_AdminGuide/Content/Topics-VSXG...

Example 2

Run the tool on the Multi-Domain Server in the context of the Domain Management Server called MyDomain.

Create a new Virtual System object called VS1 on the VSX Cluster object called VSXCluster1

In the new Virtual System object, on the interface eth4, add a VLAN interface with VLAN ID 100 and IPv4 address 1.1.1.1/24.

mdsenv MyDomain

vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vd name VS1 vsx VSXCluster1, add interface name eth4.100 ip 1.1.1.1/24

Are you a member of CheckMates?

mgmt_cli vsx_provisioning_tool failing

vsx-provisioning-tool add-vd

vsx-provisioning-tool add-vd