Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
SinisaZG
Participant
Participant

Error: Update failed. Contract entitlement check failed on VSX deployment

A few days ago an error appeared on one of the two VSX gateways ( one is fine, no errors):

Status Failed (Anti-bot, anti-virus)
Description Update failed. Contract entitlement check failed. Could not reach "updates.checkpoint.com". Check DNS and Proxy configuration on the gateway.
Next update The next try will be within one hour

I have three virtual systems - an error is displayed on all of them.

I tried to reboot the VSX gateway several times  on which the problem is present - no luck

I tried to deinstall/install Anti-virus, Anti-bot - no  luck 

Output of command curl_cli -v -k https://updates.checkpoint.com/WebService/services/DownloadMetaDataService ;

* Trying 23.212.89.172...
* TCP_NODELAY set
* Connected to updates.checkpoint.com (23.212.89.172) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Fri Mar 1 13:11:27 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Fri Mar 1 13:11:27 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
* subject: CN=*.checkpoint.com
* start date: Dec 31 11:43:57 2023 GMT
* expire date: Jan 31 11:43:56 2025 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< Content-Type: text/xml;charset=UTF-8
< Content-Length: 410
< Server: Apache-Coyote/1.1
< Date: Fri, 01 Mar 2024 12:11:27 GMT
< Connection: keep-alive

System is on R81.20, Take 38
I know there are a lot of posts like mine and  I have tried everything from similar posts listed

I'm out of ideas.....

 

0 Kudos
10 Replies
_Val_
Admin
Admin

Looks like there is an issue with the certificate validation. Please open a TAC ticket for this.

0 Kudos
SinisaZG
Participant
Participant

Thank you Val, I will do so.

0 Kudos
Lesley
Advisor

Are you talking about an error on VSX itself or on the VS?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
SinisaZG
Participant
Participant

On VSX and on VS... 

0 Kudos
Lesley
Advisor

Is the error on gateway, mgmt or both?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
SinisaZG
Participant
Participant

You got me thinking.... you mean when I try command  curl_cli -v -k ? 

I just tried to do this on a VSX GTW that is ok and  on a management server.... the output is the same on all three examples regarding  the certificate validation.

servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
* subject: CN=*.checkpoint.com
* start date: Dec 31 11:43:57 2023 GMT
* expire date: Jan 31 11:43:56 2025 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

Issue is only with Anti-bot, Anti-virus Blades only on one  VSX gateway in Cluster ( other is fine)

 

 

 

 

0 Kudos
Lesley
Advisor

I mean the update failed error. You see it on gateway or mgmt or both? 

the certificate error is not related to this issue. 

also assume the issue is only on the standby member? If you do failover the problem then moves to other new standby member?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
SinisaZG
Participant
Participant

Update failed error is related only to Anti-bot, Anti-virus Blades - Gateway Blades. Everything else is fine.

You are right. The issue is with the "standby" member, (it's not classic HA because of the VSLS and a customer who often uses its features.)

I will test with failover and try to see the results.... thanks for your reply.

 

 

 

 

 

SinisaZG
Participant
Participant

I did a failover, I tested with different options vsx_util vsls, admin up|down, cphastop|start.

Error is present only on one gateway (no matter if it is a active or standby) and is now present in two out of three virtual systems just for Anti-Virus Update Status . Anti-Bot Update Status is ok now.

So far it has been a problem with all three virtual systems (Anti-Virus&Anti-Bot)

Before failover I also tested connection with

# curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com

curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://secureupdates.checkpoint.com

curl_cli -v http://cws.checkpoint.com

https://support.checkpoint.com/results/sk/sk105757

 

and checked status of parameter 'fwha_forw_packet_to_not_active' and its set to 1

https://support.checkpoint.com/results/sk/sk43807

Right now it's quite confusing and I'm out of ideas so I am waiting for feedback from TAC

0 Kudos
the_rock
Legend
Legend

I would say this might be worth TAC case, as you also rebooted the gateway, but no luck.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events