Explorer

SmartConsole unable to connect after Security Management server upgrade from R77.30 to R80.30.

Hello,

I wanted to ask for some help. We're trying to upgrade our enterprise firewalls from R77.30 to R80.30, starting with the management server.

The upgrade process goes without error (except some that were rectified when the pre-upgrade verifier brought them up). We get to the point when the Management Server goes up and cpstart and everything is good. This is after the database import from the old version.

And the client (SmartConsole) cannot connect to the Management server.

The client complains: 

Unable to connect to server.
Please make sure that the server is up and running.

(The host is in the allowed client list and the ports are opened, the log reflects access attempts)

cpm.elg:

25/10/19 18:16:09,328 ERROR dleserver.internal.DefaultExceptionMapper [qtp-1038525279-89]: Internal runtime error
CpmGeneralException{base='com.checkpoint.management.is.exceptions.CpmGeneralException: Unable to connect to server.
Please make sure that the server is up and running.', errorCode='CP_ERR_COULD_NOT_CONNECT_FWM', errorFamily='null', messageForUser='Unable to connect to server.
Please make sure that the server is up and running.', message='Unable to connect to server.
Please make sure that the server is up and running.'}
at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.createFwmConnectionException(LoginSvcImpl.java:2268)
at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.authenticateUserByFwm(LoginSvcImpl.java:796)
at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.authenticateUser(LoginSvcImpl.java:2586)
at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.authenticate(LoginSvcImpl.java:1340)
at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.login(LoginSvcImpl.java:1808)
at com.checkpoint.management.web_services.dleserver.internal.LoginSvcRemoteImpl.loginNew(LoginSvcRemoteImpl.java:133)
at sun.reflect.GeneratedMethodAccessor1178.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:181)
at org.apache.cxf.jaxws.JAXWSMethodInvoker.performInvocation(JAXWSMethodInvoker.java:66)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:97)
at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(AbstractJAXWSMethodInvoker.java:232)
at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:85)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:75)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
at java.util.concurrent.FutureTask.run(FutureTask.java:277)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$2.run(ServiceInvokerInterceptor.java:126)
at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:131)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:234)
at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1129)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1065)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:497)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:812)

 

[Expert@fwmanager:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 27203 E 1 [18:00:30] 25/10/2019 N cpviewd
CPVIEWS 27206 E 1 [18:00:30] 25/10/2019 N cpview_services
CPD 27232 E 1 [18:00:30] 25/10/2019 Y cpd
FWD 27297 E 1 [18:00:31] 25/10/2019 N fwd -n
FWM 27301 E 1 [18:00:31] 25/10/2019 N fwm
STPR 27334 E 1 [18:00:31] 25/10/2019 N status_proxy
CPM 27706 E 1 [18:00:32] 25/10/2019 N /opt/CPsuite-R80.30/fw1/scripts/cpm.sh -s
SOLR 28283 E 1 [18:00:33] 25/10/2019 N java_solr /opt/CPrt-R80.30/conf/jetty.xml
RFL 28460 E 1 [18:00:33] 25/10/2019 N LogCore
SMARTVIEW 28534 E 1 [18:00:33] 25/10/2019 N SmartView
INDEXER 28565 E 1 [18:00:33] 25/10/2019 N /opt/CPrt-R80.30/log_indexer/log_indexer
SMARTLOG_SERVER 28596 E 1 [18:00:33] 25/10/2019 N /opt/CPSmartLog-R80.30/smartlog_server
DASERVICE 28773 E 1 [18:00:34] 25/10/2019 N DAService_script
LPD 29655 E 1 [18:01:39] 25/10/2019 N lpd
CPSM 30354 E 1 [18:02:50] 25/10/2019 N cpstat_monitor

[Expert@fwmanager:0]# $FWDIR/scripts/cpm_status.sh
Check Point Security Management Server is running and ready

I'm running out of ideas right now on what to try to rectify this.

 

The replacement R80.30 server runs in a separate VLAN with 0 network access other than inside its own VLAN. Meaning the GW is N/A.

DNS is enabled however, through my own workstation, which is sitting in the VLAN with 1 interface.


The licenses are all present successfully after the import, so I've assumed thus far that I've no need to do anything with them. The server's IP is also unchanged.

 

Any help would be appreciated. 

Apologies ahead of time if this is posted in the wrong section of the forum or if this is not the place for complaints.

 

Thanks for reading.

 

 

 

 

 

0 Kudos
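An added example, not part of the original post: a small triage helper for a cpm.elg entry like the one quoted in the question. It pulls out the error code and only the Check Point frames, so the step that failed (here the `authenticateUserByFwm` call inside the login path) is visible without reading the servlet-container frames. The function name `triage` and the header pattern are assumptions inferred from the single entry shown above.

```python
import re

# Excerpt of the cpm.elg entry from the question; the framework frames
# in the middle of the trace are trimmed for brevity.
SAMPLE = """\
25/10/19 18:16:09,328 ERROR dleserver.internal.DefaultExceptionMapper [qtp-1038525279-89]: Internal runtime error
CpmGeneralException{base='com.checkpoint.management.is.exceptions.CpmGeneralException: Unable to connect to server.
Please make sure that the server is up and running.', errorCode='CP_ERR_COULD_NOT_CONNECT_FWM', errorFamily='null', messageForUser='Unable to connect to server.
Please make sure that the server is up and running.', message='Unable to connect to server.
Please make sure that the server is up and running.'}
at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.createFwmConnectionException(LoginSvcImpl.java:2268)
at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.authenticateUserByFwm(LoginSvcImpl.java:796)
at com.checkpoint.management.dleserver.coresvc.internal.LoginSvcImpl.login(LoginSvcImpl.java:1808)
at org.eclipse.jetty.server.Server.handle(Server.java:497)
at java.lang.Thread.run(Thread.java:812)
"""

# "<dd/mm/yy hh:mm:ss,ms> <LEVEL> <logger> [<thread>]: <summary>"
HEADER = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},\d{3}) ([A-Z]+) +(\S+) \[([^\]]+)\]: ?(.*)$")
FRAME = re.compile(r"^\s*at ([\w.$]+)\.([\w$<>]+)\(([^)]*)\)$")
ERRCODE = re.compile(r"errorCode='([^']*)'")

def triage(text, app_prefix="com.checkpoint."):
    """Return one dict per ERROR entry: time, summary, error codes, vendor frames."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                   # a new log entry starts here
            cur = None
            if m.group(2) == "ERROR":
                cur = {"time": m.group(1), "logger": m.group(3),
                       "summary": m.group(5), "codes": [], "frames": []}
                entries.append(cur)
            continue
        if cur is None:                         # continuation of a non-ERROR entry
            continue
        cur["codes"] += [c for c in ERRCODE.findall(line) if c not in cur["codes"]]
        f = FRAME.match(line)
        if f and f.group(1).startswith(app_prefix):
            # keep "Class.method" for application frames, innermost first
            cur["frames"].append(f"{f.group(1).rsplit('.', 1)[-1]}.{f.group(2)}")
    return entries

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["time"], e["codes"], " <- ".join(e["frames"]))
```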
2 Replies

Admin

Please verify you have connectivity between your SmartConsole machine and management on TCP ports 443, 18190, and 19009.
A simple telnet to the management server should suffice for this, or a tcpdump.
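An added example, not part of the reply above: a scripted version of the telnet check for the three ports it names, run from the SmartConsole machine. It separates "refused" (the server answered, nothing is listening) from "filtered" (no answer, so a drop rule or a missing return route), which a bare telnet does not make obvious. The function names and the timeout are assumptions.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports named in the reply above.
SMARTCONSOLE_PORTS = (443, 18190, 19009)

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"        # RST received: host reachable, port not listening
    except socket.timeout:
        return "filtered"       # silence: dropped on the path or no return route
    except OSError as exc:
        return f"unreachable ({exc.strerror or exc})"   # no route, DNS failure, ...

def check_management(host, ports=SMARTCONSOLE_PORTS, timeout=3.0):
    """Probe all ports in parallel and return {port: state}."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        states = pool.map(lambda p: probe(host, p, timeout), ports)
        return dict(zip(ports, states))

if __name__ == "__main__":
    # Usage: python check_mgmt.py <management-server>; defaults to loopback.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in check_management(target).items():
        print(f"tcp/{port}: {state}")
```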
Explorer

Good evening,

Apologies, the issue was rather simple.

The login error was generated because the imported DB set up the accounts properly and thus they were supposed to be able to access the Active Directory server, but since the new replacement management DB was set up in a separate VLAN with no gateway access on its subnet, it simply was not able.

And the issue was resolved by simply logging in with our management's local account (recovery account).

Thanks for the response.

0 Kudos