Anti-Bot & Anti-Virus, IPS update error on Standby Member

Anti-Bot & Anti-Virus and/or IPS on a Check Point (R80.20) standby node report the error "Error: Update failed. Contract entitlement check failed. Could not reach 'updates.checkpoint.com'..." while updating.

Details

1. From the standby node - Gaia web console => "Check for Updates", I get the error: "Could not connect to the Check Point Cloud. Check your connection settings..."

2. From the standby node, tests from SSH (sk83520):

- curl_cli -v -k https://updates.checkpoint.com/ => most of the time it doesn't work (timeout); sometimes it works.
- curl_cli to any other URL => most of the time it doesn't work (timeout), sometimes it works.
- ping public FQDN => most of the time it doesn't work (timeout), sometimes it works.
- On active node => it works, always.

3. From the standby node, I can reach the Internet gateway and the other (active) node => no internal communication issues.

4. Already verified and applied sk43807 (all points with the exception of point 4).
fwha_forw_packet_to_not_active parameter is enabled on both nodes.

5. Licenses are OK (sk98665), with the exception of the command cpstat antimalware -f update_status, which returns the error below (the same one I see in SmartConsole):

AB Update status: up-to-date
AB Update description: Gateway is up to date.
Database version: 1906061756.
Package date: Thu Jun 6 11:00:00 2019
AB Next update description: The next update will be run as scheduled.
AB DB version: 1906061756
AV Update status: failed
AV Update description: Update failed. Contract entitlement check failed. Could not reach "updates.checkpoint.com". Check proxy configuration on the gateway.
AV Next update description: The next try will be within one hour.
AV DB version: 1906070837

I already read these CheckMates posts:

Update failed. Contract entitlement check failed

Problem accessing standby cluster member from non-local network

Any advice?

Thank you very much,
Luca
Kim_Moberg

Re: Anti-Bot & Anti-Virus, IPS update error on Standby Member

Which jumbo take do you run on this cluster?
Can you ping anything on the internet from standby member?

I suspect it could be related to a bug discussed in this post.

https://community.checkpoint.com/t5/General-Topics/R80-20-Issue-Monitoring-standby-cluster-members-v...

Possibly installing R80.20 Jumbo Take 80 could help you out here.


Best Regards
Kim

Re: Anti-Bot & Anti-Virus, IPS update error on Standby Member

Hello Kim,
thank you for your reply.

Well, we have Take_47 installed (latest General Availability release). Take_80 is not in General Availability yet.

Ping from the standby member to the Internet seems to work, but with strange behavior: most of the time I have to wait 10 seconds after running the command before getting an answer; other times it answers immediately. The active member doesn't have this issue.

Example:

[Expert@Firewall01:0]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

***WAIT 10 seconds***

64 bytes from 8.8.8.8: icmp_seq=6 ttl=57 time=16.9 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=57 time=16.8 ms
64 bytes from 8.8.8.8: icmp_seq=24 ttl=57 time=16.9 ms
64 bytes from 8.8.8.8: icmp_seq=32 ttl=57 time=16.8 ms
64 bytes from 8.8.8.8: icmp_seq=34 ttl=57 time=16.8 ms

It's a very strange issue.

However, I'm going to open an SR for this.

Bye,
Luca

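An added example, not part of the original thread: a small parser for the ping output quoted above that turns the icmp_seq numbers into an inferred loss figure. With Linux ping's default one-second interval, a reply numbered icmp_seq=6 arriving first means roughly five requests went unanswered before it, and the gaps between later replies are further lost requests, so the output above describes heavy loss rather than just delay. The sample text below is re-typed from the post as test data.

```python
import re

# Constructed sample: the ping output from the post above, re-typed as test data
# (not a capture from the original gateway).
SAMPLE_PING = """\
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=6 ttl=57 time=16.9 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=57 time=16.8 ms
64 bytes from 8.8.8.8: icmp_seq=24 ttl=57 time=16.9 ms
64 bytes from 8.8.8.8: icmp_seq=32 ttl=57 time=16.8 ms
64 bytes from 8.8.8.8: icmp_seq=34 ttl=57 time=16.8 ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")


def analyse_ping(output: str) -> dict:
    """Infer sent/lost requests from the icmp_seq values of the replies.

    Linux ping numbers requests from 1, so the highest icmp_seq that came back
    is a lower bound on how many requests were sent; every number missing
    below it is a request that got no reply (or whose reply was dropped).
    """
    seqs, rtts = [], []
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seqs.append(int(m.group(1)))
            rtts.append(float(m.group(3)))
    if not seqs:
        return {"replies": 0, "sent": 0, "loss_pct": 100.0,
                "gaps": [], "max_rtt_ms": None}
    sent = max(seqs)
    gaps, prev = [], 0
    for s in seqs:
        if s - prev > 1:            # missing sequence numbers between replies
            gaps.append((prev + 1, s - 1))
        prev = s
    return {
        "replies": len(seqs),
        "sent": sent,
        "loss_pct": round(100.0 * (sent - len(seqs)) / sent, 1),
        "gaps": gaps,               # inclusive ranges of unanswered requests
        "max_rtt_ms": max(rtts),    # the replies that do arrive are fast
    }


if __name__ == "__main__":
    print(analyse_ping(SAMPLE_PING))
```

The low, steady RTT on the replies that do arrive, combined with the large gaps, is the pattern that distinguishes "standby member drops most of its own traffic" from a slow or congested path.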

Re: Anti-Bot & Anti-Virus, IPS update error on Standby Member

Hello,
here is an update.

I opened an SR and support suggested installing the Take 80 they provided. The issue was resolved; however, a new problem appeared: a lot of these entries in /var/log/messages:

Jun 10 17:33:52 2019 FIREWALL01 last message repeated 2 times
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=8 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=2 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=8 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=2 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=8 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=2 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=8 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=2 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=8 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=8 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=2 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=8 flags=1 opcode=15)

They are aware of this. It appears in some Check Point environments, and in some of them it caused an impact.

Bye,
Luca

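An added example, not part of the original thread: a summariser for the /var/log/messages entries quoted above, so the volume of the fwmutlik "bad dir" kernel messages can be tracked per firewall instance and gconn_segment instead of eyeballed. It also folds syslog's "last message repeated N times" lines into the count of the preceding entry, which a plain grep -c would miss. The sample log below is constructed from the post's format as test data.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/messages format quoted in the post
# (test data, not a capture from the original gateway).
SAMPLE_LOG = """\
Jun 10 17:33:52 2019 FIREWALL01 last message repeated 2 times
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=8 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=2 flags=1 opcode=15)
Jun 10 17:33:53 2019 FIREWALL01 kernel: [fw4_3];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=8 flags=1 opcode=15)
Jun 10 17:33:54 2019 FIREWALL01 last message repeated 3 times
"""

KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<host>\S+) kernel: "
    r"\[(?P<inst>fw4_\d+)\];(?P<func>\w+): (?P<msg>.*?) \((?P<kv>[^)]*)\)$"
)
REPEAT_RE = re.compile(r"last message repeated (\d+) times$")
TARGET_FUNC = "fwmutlik_do_sequence_accounting_on_entry"


def summarise(log: str) -> dict:
    """Count TARGET_FUNC kernel entries per (fw instance, gconn_segment).

    A syslog 'last message repeated N times' line is attributed to the entry
    parsed immediately before it; a repeat with no preceding parsed entry
    (e.g. at the top of a rotated file) is ignored rather than guessed.
    """
    counts = Counter()
    last_key = None
    for line in log.splitlines():
        rep = REPEAT_RE.search(line)
        if rep:
            if last_key is not None:
                counts[last_key] += int(rep.group(1))
            continue
        m = KERNEL_RE.match(line)
        if not m or m.group("func") != TARGET_FUNC:
            last_key = None          # an unrelated line breaks the repeat chain
            continue
        kv = dict(p.split("=", 1) for p in m.group("kv").split())
        last_key = (m.group("inst"), int(kv.get("gconn_segment", -1)))
        counts[last_key] += 1
    return {"total": sum(counts.values()), "by_key": dict(counts)}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```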

Re: Anti-Bot & Anti-Virus, IPS update error on Standby Member

Hi Luca,


Not sure if you're still experiencing these errors, but they are solved in JHF 103.

See sk158312

This problem was fixed. The fix is included in:

Regards,


Pieter
