
Failed to parse CP site response

In the last couple of weeks I have seen the following error alerting in flurries on multiple sites at the same time. All running R80.30 with HTTPS inspection and URL&App blade, AV, AB etc.

Has anyone else seen this, anyone resolved it?

It is filling the admin mailboxes and I’m concerned that a. users are having problems or b. most worryingly, that potentially harmful sites are being accessed without protection because of ‘fail-open’.

Note from these two examples that the blade reporting the issue varies, as does the website involved. Goo.gl features highly in this on multiple sites but there are plenty of other examples.

HeaderDateHour:  4Feb2020 10:49:56; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 36; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl/forms/gn0vx7tcxe; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_258746 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

and also:

HeaderDateHour:  1Feb2020  9:43:46; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 37; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.videogram.com; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_206678 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;

 

16 Replies

Re: Failed to parse CP site response

Looks like a RAD error - I would contact TAC to find the error and provide a fix.

Re: Failed to parse CP site response

Thanks for the reply; what is a RAD error?

Does it seem likely that a ‘RAD error’ would occur on two entirely unrelated sites simultaneously?

Am I really the only person seeing these alerts?


Re: Failed to parse CP site response

You're not the only one. I have checked our logs and I also see these messages. 

They are almost exclusively related to URL shorteners (bit.ly, goo.gl,...) if that helps in any way.

The log also provides the path on the gateway, where additional debugging info can be found. Check if it contains anything useful. 

RAD: Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.

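An added example, not part of the thread and not Check Point code: a small Python parser for the alert format quoted in the posts above, which tallies "Failed to parse CP Site Response" alerts per host and blade and lists the gateway debug files each alert points to. The three sample lines are copied from the posts; the function names are chosen here for illustration.

```python
import re
from collections import Counter

# Alert lines copied from the posts in this thread (format: "Key: value; Key: value; ...").
ALERTS = [
    "HeaderDateHour:  4Feb2020 10:49:56; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 36; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl/forms/gn0vx7tcxe; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_258746 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;",
    "HeaderDateHour:  1Feb2020  9:43:46; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 37; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.videogram.com; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_206678 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;",
    " HeaderDateHour:  2Mar2020 12:59:15; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 726; Action: ctl; Origin: Xxxxx; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_15994_12677760 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;",
]
RESOURCE_RE = re.compile(r"accessing:\s*(\S+)")   # resource named in the description field
DEBUG_FILE_RE = re.compile(r"check\s+(\S+)")      # debug file path named in the reason field


def parse_alert(line):
    """Split one alert into a dict; values contain ':' so split on the first one only."""
    fields = {}
    for part in line.strip().rstrip(";").split("; "):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def rad_parse_failure(fields):
    """Return (host, blade, debug_file) for a RAD parse failure, else None."""
    if "Failed to parse CP Site Response" not in fields.get("reason", ""):
        return None
    res = RESOURCE_RE.search(fields.get("description", ""))
    dbg = DEBUG_FILE_RE.search(fields.get("reason", ""))
    resource = res.group(1) if res else ""
    host = resource.split("/")[0].lower() or resource  # keep path-only resources as-is
    return host, fields.get("ProductName", "unknown"), dbg.group(1) if dbg else None


def summarize(lines):
    """Count failures per (host, blade) and collect the gateway debug files to pull."""
    counts, debug_files = Counter(), []
    for line in lines:
        hit = rad_parse_failure(parse_alert(line))
        if hit:
            counts[hit[0], hit[1]] += 1
            if hit[2]:
                debug_files.append(hit[2])
    return counts, debug_files


if __name__ == "__main__":
    for (host, blade), n in summarize(ALERTS)[0].most_common():
        print(f"{n:4d}  {blade:15s} {host}")
```

Run over a full export of the mail alerts, the per-host counts show whether the failures really cluster on URL shorteners, and the collected paths are the files to gather for a support case.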

Re: Failed to parse CP site response

What Jumbo HFA are you using?  These new diagnostic messages may be related to the multithreading of the RAD daemon in take 107+, see sk163793 and p. 412 of the third edition of my book.  Diagnostics for this critical process were improved as well, so these messages now appearing are not necessarily indicative of a new problem.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

Re: Failed to parse CP site response

I also hit a similar issue last night when I migrated a Full HA R77.20 to Distributed R80.30 with JHF 111 and IPS, Anti-bot and Anti-virus enabled. A log is generated every minute with Reason Failed to handle CP site request and a log file. Also the description is Error occur while accessing /sdktunnel. Today I found that almost all of the workers in the company have problems with slow browsing of the Internet. There was no indication that the GW is under load or that it's processing too much traffic. After disabling the Anti-bot and Anti-virus the browsing went smoothly. I still have other work to do to finish the migration and probably after that I will open a case with TAC.

 

sss.png


Re: Failed to parse CP site response

We have the same issue. New ClusterXL HA installation, R80.30 3.10 take 300 (JHF 140), with Antivirus & Antibot active blades...

 
 

2020-02-21 17_15_54-Log Details.png


Re: Failed to parse CP site response

Hey, 

 

Did anyone figure out these goo.gl errors? It generates hundreds of alerts throughout the day.

I am running R80.30 with take 140.

 

 HeaderDateHour:  2Mar2020 12:59:15; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 726; Action: ctl; Origin: Xxxxx; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_15994_12677760 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;


Re: Failed to parse CP site response

I certainly did not find a solution yet. They are as Borut stated, always goo.gl and bit.ly type sites that are failing to parse.

It's clearly not an isolated issue for a single user; I have it on multiple sites.

I might do a little debugging myself at some point, but if anyone from Check Point knows why this has suddenly started happening it would be good to know!


Re: Failed to parse CP site response

Hello,

I believe it's a problem with categorization of the resource - RAD can't do it properly and causes CPU consumption and slowness of the Internet traffic.

My next steps are to first try this:

Capture.JPG

 

and then in the Threat Prevention policy there is something called Indicators, and my plan is to try to add my resource and play with Inactive and Detect mode and see what happens.

 

I'm pretty sure in both cases it will still generate a lot of logs but I have to try.


Re: Failed to parse CP site response

Hey Martin,
We will look into this. Did you open a case with TAC by any chance? What is the SR #?

Re: Failed to parse CP site response

Hi @TP_Master , not yet.

 

I'll be at the customer's site this week and will do some debugs and maybe I'll open a case.


Re: Failed to parse CP site response

I am having the same issue at a customer site.  R80.30 JHF Take 140.  I will have them open a TAC case tomorrow on this.  We have a migration this afternoon so no time for troubleshooting this.


Re: Failed to parse CP site response

In my case, I opened a support case with Check Point, and according to the investigation, they are working on a bundle fix for the RAD.

Re: Failed to parse CP site response

What debug did you run during the chat with the support? I believe next week I will have to open a case with the support, but the system is in production and I don't want to interrupt the traffic to do a few debugs one at a time, so I want to be maximally prepared with all the needed info.

Re: Failed to parse CP site response

I have been requested to send certain log files, in order to analyze them, without service stops.

Re: Failed to parse CP site response

Good day, we have the same problem with R80.40 and just opened a case for half a week. BR, Alois