In process of patching a manager and CPUSE is failing to connect with error:
Connection Error, FDT - Unexpected error code.
According to SK this is a time issue but time is fine (Checked NTP):
https://support.checkpoint.com/results/sk/sk165373
Performed a packet capture between the device and Check Point services, and the connection is reset after several change of cipher messages.
Checked other devices and same issue.
Even my lab has the same issue.
Raising ticket with vendor now.
Anyone else seeing this?
Cluster is on R81.20 T113. Attempting to patch to T120.
============================ UPDATE! ============================
R&D have responded that there is a new DA build for this issue that will be released on SUNDAY.
I am awaiting further details.
I think it is probably related to this:
https://support.checkpoint.com/results/sk/sk184766
Certificate and CRL validation fails from March 1, 2026
Second that. Please apply the mentioned workaround from the SK and see if it helps
SK mentions R82 & R82.10; estate is R81.20.
My LAB CPUSE is able to dial cloud services now so looks like an intermittent issue.
Here, it did not help. It might not even be related...
I had the FDT error, starting at 2026-03-01 - 16:08:56 CET on one cluster member and it still occurs after having installed the hotfix.
Now, the other member also had the FDT error in the DA_UI.log, starting at 2026-03-01 - 18:40:48 CET but was able to successfully check for updates again an hour before I installed the hotfix.
Edit: cluster on R82 JHF60.
Hello,
If you take a look here https://community.checkpoint.com/t5/Firewall-and-Security-Management/Certificate-and-CRL-validation-... as suggested by @_Val_, try to apply the workaround.
Give it a chance (if not already done).
cpca_client recreate_crls Clish command
Result of the "Check for Updates in the WebUI" is still the "Connection error, FDT - Unexpected error code".
Using the test from the Gaia WebUI: "Failed to receive updates from Check Point Download Center. Please verify a valid license":
[Expert@management:0]# curl_cli -v https://updates.checkpoint.com
* Rebuilt URL to: https://updates.checkpoint.com/
* Trying 18.245.31.62...
* TCP_NODELAY set
* Connected to updates.checkpoint.com (18.245.31.62) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Wed Mar 4 11:51:32 2026
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Wed Mar 4 11:51:32 2026
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* err is -1, detail is 1
* errdetail=0x1416f086
ERR_lib_error_string: SSL routines
ERR_func_error_string: tls_process_server_certificate
ERR_reason_error_string: certificate verify failed
ERR_error_string: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[Expert@Management:0]#
[Expert@Management:0]# curl_cli -v -k https://updates.checkpoint.com
* Rebuilt URL to: https://updates.checkpoint.com/
* Trying 18.245.31.99...
* TCP_NODELAY set
* Connected to updates.checkpoint.com (18.245.31.99) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Wed Mar 4 11:57:57 2026
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Wed Mar 4 11:57:57 2026
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* err is -1, detail is 2
* *** Current date is: Wed Mar 4 11:57:57 2026
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
* subject: CN=*.checkpoint.com
* start date: Jun 3 12:12:04 2025 GMT
* expire date: Jul 5 12:12:03 2026 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< Content-Length: 15
< Connection: keep-alive
< Date: Wed, 04 Mar 2026 10:57:57 GMT
< Server: awselb/2.0
< X-Cache: Error from cloudfront
< Via: 1.1 193d38535c6cb246e365763e9c32e672.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: FRA56-P8
< X-Amz-Cf-Id: IlLy5TYKtAMWmERzDKYyzujfqJNFsv0xayt6irMetfEU6Q3ArmMxfQ==
<
* Connection #0 to host updates.checkpoint.com left intact
Page not found!
[Expert@Management:0]#
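The two curl_cli runs above differ only in whether certificate verification is enforced. As an added example (not part of the original post), this shell function classifies saved `curl_cli -v` output by verification outcome; the function and sample names are hypothetical, and the patterns are the message strings shown in the output above.

```shell
#!/bin/sh
# Added example: classify the certificate-verification outcome in saved
# curl_cli -v output. Function and sample names are hypothetical.

classify_curl_verify() {   # reads curl -v output on stdin
    awk '
    /SSL certificate problem: / {          # verification enforced and failed
        state = "verify_failed"
        reason = $0; sub(/.*SSL certificate problem: /, "", reason)
    }
    /SSL certificate verify result: / {    # printed when -k ignores a failure
        reason = $0; sub(/.*SSL certificate verify result: /, "", reason)
        if (reason ~ /continuing anyway/) state = "verify_bypassed"
        sub(/, continuing anyway.*/, "", reason)
    }
    /SSL certificate verify ok/   { state = "verified"; reason = "none" }
    /issuer: /                    { issuer = $0; sub(/.*issuer: /, "", issuer) }
    /CRL validation was disabled/ { crl = "disabled" }
    END {
        if (state == "")  state = "unknown"
        if (reason == "") reason = "n/a"
        if (crl == "")    crl = "not reported"
        if (issuer == "") issuer = "n/a"
        printf "state=%s reason=%s crl=%s issuer=%s\n", state, reason, crl, issuer
    }'
}

sample_enforced() {   # lines copied from the run without -k
    cat <<'EOF'
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate
EOF
}

sample_insecure() {   # lines copied from the run with -k
    cat <<'EOF'
* servercert: CRL validation was disabled
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
< HTTP/1.1 404 Not Found
EOF
}

sample_enforced | classify_curl_verify
sample_insecure | classify_curl_verify
```

Both runs report the same reason, so the HTTP response obtained with `-k` shows only that the network path works; the peer was not authenticated on that run.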
So, to skip the replies: this is an R81.20 estate, not R82, so there is no CRL FIX.
I've raised it with TAC.
I've luckily been able to duplicate the issue in a LAB.
HA MDS with the Secondary node having the "Connection Error, FDT - Unexpected error code" issue.
Same version, patch firewall and rules being applied.
UPDATE!
R&D have responded that there is a new DA build for this issue that will be released on SUNDAY.
I am awaiting further details.
Hi
Can you please send me the /opt/CPInstLog/DeploymentAgent.log ?
I'd like to verify the error you encounter
Thanks
[2026-03-05 - 10:27:38][26023 26023]:<><><> Setting log_file to: /opt/CPInstLog//DAClient.log <><><>
[2026-03-05 - 10:27:38][6011 6011][HIGH DALOG_NORMAL]: getActionPackage::Action status with ID=-1, does not exist in memory.
[2026-03-05 - 10:27:38][6011 6011][HIGH DALOG_NORMAL]: replacePkgName::Action status with ID=-1, not found.
[2026-03-05 - 10:27:38][6011 6011]:Got request: 4
[2026-03-05 - 10:27:38][6011 6011]:additional data: role=, aux=
[2026-03-05 - 10:27:38][6011 6011][HIGH MSG_RECIEVED_UPDATE_REQUEST]: Received a request to update the available packages. Performing update.
[2026-03-05 - 10:27:38][6011 6282][HIGH DALOG_NORMAL]: Updater thread woke up from signal after 37 seconds of sleep
[2026-03-05 - 10:27:38][6011 6282][HIGH DALOG_NORMAL]: Last check for update occurred 13 minutes ago, checking for updates
[2026-03-05 - 10:27:38][6011 6282][HIGH MSG_UPDATER_CHECKING_FOR_PKGS]: Checking for new available packages...
[2026-03-05 - 10:27:38][6011 6282][HIGH DALOG_NORMAL]: Trying to get CKs list.
[2026-03-05 - 10:27:38][6011 6282]:Using filter OS: Gaia
[2026-03-05 - 10:27:39][6011 6282]:FDT_get_data returned error number 31 - FDT - Unexpected error code
[2026-03-05 - 10:27:39][6011 6282][HIGH MSG_DC_DETAILS]: Connected to https://updates.checkpoint.com/WebService/services/DownloadMetaDataService?wsdl; authentication: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
[2026-03-05 - 10:27:39][6011 6282][HIGH DALOG_NORMAL]: Could not connect to the download center
[2026-03-05 - 10:27:39][6011 6282][HIGH DALOG_NORMAL]: Setting update failure reason to: 1
[2026-03-05 - 10:27:39][6011 6282][HIGH DALOG_NORMAL]: Communication error, retrying. (retries left:1)
[2026-03-05 - 10:27:54][6011 6282][HIGH DALOG_NORMAL]: Trying to get CKs list.
[2026-03-05 - 10:27:55][6011 6282]:Using filter OS: Gaia
[2026-03-05 - 10:27:56][6011 6282]:FDT_get_data returned error number 31 - FDT - Unexpected error code
[2026-03-05 - 10:27:56][6011 6282][HIGH MSG_DC_DETAILS]: Connected to https://updates.checkpoint.com/WebService/services/DownloadMetaDataService?wsdl; authentication: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
[2026-03-05 - 10:27:56][6011 6282][HIGH DALOG_NORMAL]: Could not connect to the download center
[2026-03-05 - 10:27:56][6011 6282][HIGH DALOG_NORMAL]: Setting update failure reason to: 1
[2026-03-05 - 10:27:56][6011 6282][HIGH MSG_COULDNT_ADD_PRIVATE_PKG_CONNECTION_ERROR]: Cannot establish connection with the Check Point cloud.
[2026-03-05 - 10:27:56][6011 6282][HIGH MSG_NO_NEW_PKGS_FOUND]: Did not find any new packages
[2026-03-05 - 10:27:56][6011 6282][HIGH MSG_DOWNLOADS_NOT_AUTHORIZED]: The administrator did not authorize downloads, not performing update
[2026-03-05 - 10:27:56][6011 6282][HIGH DALOG_NORMAL]: Updater going to sleep for 168 hours
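For comparing members or devices, as the thread does with first-seen timestamps, the log excerpt above can be reduced to one summary line per FDT error code. This is an added example, not part of the original post; `fdt_summary` and `sample_log` are hypothetical names, and the line formats are assumed to match the excerpt above.

```shell
#!/bin/sh
# Added example (not from the thread): summarize CPUSE FDT failures in a
# DeploymentAgent.log. fdt_summary and sample_log are hypothetical names.

fdt_summary() {   # reads the log from the files given, or from stdin
    awk '
    # Timestamp is the first bracketed field, e.g. [2026-03-05 - 10:27:39]
    function ts(line) { return substr(line, 2, index(line, "]") - 2) }

    /FDT_get_data returned error number/ {
        split($0, parts, "error number ")
        code = parts[2]; sub(/ .*/, "", code)      # keep the numeric code
        count[code]++; seen = 1
        if (!(code in first)) first[code] = ts($0)
        last[code] = ts($0)
    }
    # The agent records the negotiated TLS parameters even on failed runs.
    /SSL connection using/       { tls = "yes" }
    # How long the updater waits before its next automatic check.
    /Updater going to sleep for/ { nap = $(NF - 1) }

    END {
        if (!seen) { print "no FDT errors"; exit }
        if (tls == "") tls = "no"
        if (nap == "") nap = "n/a"
        for (c in count)
            printf "code=%s count=%d first=%s last=%s tls_negotiated=%s sleep_hours=%s\n",
                   c, count[c], first[c], last[c], tls, nap
    }' "$@"
}

sample_log() {   # lines copied from the log excerpt in this thread
    cat <<'EOF'
[2026-03-05 - 10:27:38][6011 6282][HIGH DALOG_NORMAL]: Trying to get CKs list.
[2026-03-05 - 10:27:39][6011 6282]:FDT_get_data returned error number 31 - FDT - Unexpected error code
[2026-03-05 - 10:27:39][6011 6282][HIGH MSG_DC_DETAILS]: Connected to https://updates.checkpoint.com/WebService/services/DownloadMetaDataService?wsdl; authentication: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
[2026-03-05 - 10:27:39][6011 6282][HIGH DALOG_NORMAL]: Communication error, retrying. (retries left:1)
[2026-03-05 - 10:27:56][6011 6282]:FDT_get_data returned error number 31 - FDT - Unexpected error code
[2026-03-05 - 10:27:56][6011 6282][HIGH DALOG_NORMAL]: Updater going to sleep for 168 hours
EOF
}

sample_log | fdt_summary
```

On a device the same function can be pointed at the file directly, for example `fdt_summary /opt/CPInstLog/DeploymentAgent.log`.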
New deployment agent 2742 has been released and has fixed the connectivity issue in my LAB.
DA SK has not yet been updated and I'm not seeing all devices picking up the new DA yet, so it's still rolling out.