This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
johnnyringo
Advisor
‎2020-01-22 07:33 AM

Deployment failure in GCP - 504 Resource Error, Timeout expired.

We're having zero luck deploying the CheckPoint CloudGuard IaaS R80.30 High Availability in our enterprise GCP account.  In the GCP Deployment Manager, the deployment hangs for 30 minutes, eventually getting this error:

{"ResourceType":"runtimeconfig.v1beta1.waiter","ResourceErrorCode":"504","ResourceErrorMessage":"Timeout expired."}

I also get the same error if I launch the standalone gateway with External IP requested.  As a work-around, I can set the External IP to "None", watch the deployment succeed, then add it later.

I do not have any problems deploying in my personal GCP account, so fairly certain this is a permissions or connectivity issue relating to API calls.

 

DeployFailure.png

5 Replies
AyGit
Contributor
‎2021-04-21 08:49 AM

Hi @johnnyringo 

Did you solved the issue?

 

Regards

johnnyringo
Advisor
‎2021-04-21 10:20 AM
In response to AyGit

Yes, It was due to our Compute Engine default service account being disabled, which had been recommended by our Google onboarding team.  The account also needs permission to create external IP addresses.  Here we are 1 year and I don't think CheckPoint ever mentions this requirement in their documentation, so I wrote a blog post:

Deploying CheckPoint CloudGuard IaaS High Availability in GCP

 

 

AyGit
Contributor
‎2021-04-22 10:19 AM
In response to johnnyringo

The default service account is already enabled

2021-04-22_18h09_36.png

and we have also the permission to create external addresses (I can view both IP address in GCP > VPC Network > External IP addresses).

We deployed again the template in GCP and are facing with the same message error.

johnnyringo
Advisor
‎2021-04-22 01:40 PM
In response to AyGit

There's many things that can cause this.  Another requirement is that "Private google access" must be enabled for all relevant subnets, although I think there's a more descriptive error message if it fails for that reason.  

You can of course open a support case with CheckPoint, but honestly our support experiences with the GCP projects have been horrible.    Our Google SE ultimately proved to be much more helpful than CheckPoint in diagnosing the problem by looking at logs on their end, although I didn't catch exactly where he was looking.

I do know the template itself is OK, because I successfully deployed a fresh R80.30 and R80.40 BYOL clusters this morning.

 

0 Kudos
AyGit
Contributor
‎2021-04-22 01:53 PM
In response to johnnyringo

‘Privâtes Google access’ is well configured ...

I’ve deployed the template in my personal environment too and it works good. 

We’ll go in deep in the gcp logs 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events