Collaborator

Failed to parse CP site response

In the last couple of weeks I have seen the following error alerting in flurries on multiple sites at the same time. All running R80.30 with HTTPS inspection and URL&App blade, AV, AB etc.

Has anyone else seen this, anyone resolved it?

It is filling the admin mailboxes and I’m concerned that a. Users are having problems or b. Most worryingly that potentially harmful sites are being accessed without protection because of ‘fail-open’.

Note from these two examples that the blade reporting the issue varies as does the website involved. Goo.gl features highly in this on multiple sites but there are plenty of other examples.

HeaderDateHour:  4Feb2020 10:49:56; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 36; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl/forms/gn0vx7tcxe; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_258746 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

and also:

HeaderDateHour:  1Feb2020  9:43:46; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 37; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.videogram.com; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_206678 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;

 

48 Replies
Champion

Looks like a RAD error - I would contact TAC to find the error and provide a fix.

Collaborator

Thanks for the reply; what is a RAD error?

Does it seem likely that a ‘RAD error’ would occur on two entirely unrelated sites simultaneously?

Am I really the only person seeing these alerts?

Contributor

You're not the only one. I have checked our logs and I also see these messages. 

They are almost exclusively related to URL shorteners (bit.ly, goo.gl,...) if that helps in any way.

The log also provides the path on the gateway, where additional debugging info can be found. Check if it contains anything useful. 

RAD: Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.

Champion

What Jumbo HFA are you using?  These new diagnostic messages may be related to the multithreading of the RAD daemon in take 107+, see sk163793 and p. 412 of the third edition of my book.  Diagnostics for this critical process were improved as well, so these messages now appearing are not necessarily indicative of a new problem.

 

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
Contributor

I also hit a similar issue last night when I migrated a Full HA R77.20 to Distributed R80.30 with JHF 111 and IPS, Anti-bot and Anti-virus enabled. A log is generated every minute with Reason Failed to handle CP site request and a log file. Also the description is Error occur while accessing /sdktunnel. Today I found that almost all of the workers in the company have a problem with slow browsing of the Internet. There was no indication that the GW is under load or that it's processing too much traffic. After disabling the Anti-bot and Anti-virus the browsing went smooth. I still have other work to do to finish the migration and probably after that I will open a case with TAC.

 

sss.png

Participant

We have the same issue. New ClusterXL HA installation, R80.30 3.10 take 300 (JHF 140), with Antivirus & Antibot active blades...

 
 

2020-02-21 17_15_54-Log Details.png

Contributor

Hey, 

 

Did anyone figure out about these goo.gl errors? It generates hundreds of alerts throughout the day.

I am running R80.30 with take 140.

 

 HeaderDateHour:  2Mar2020 12:59:15; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 726; Action: ctl; Origin: Xxxxx; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_15994_12677760 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

Participant

I certainly did not find a solution yet. They are as Borut stated, always goo.gl and bit.ly type sites that are failing to parse.

It's clearly not an isolated issue for a single user, I have it on multiple sites

I might do a little debugging myself at some point, but if anyone from Check Point knows why this has suddenly started happening it would be good to know!

Contributor

Hello,

I believe it's a problem with categorization of the resource - RAD can't do it properly and causes CPU consumption and slowness of the Internet traffic.

My next steps to check are first try this:

Capture.JPG

 

and then in Threat prevention policy there is something called Indicators and my point is to try to add my resource and play with Inactive and Detect mode and see what will happen.

 

I'm pretty sure in both cases it will still generate a lot of logs but I have to try.

Employee+

Hey Martin,
We will look into this. Did you open a case with TAC by any chance? What is the SR #?

Contributor

Hi @TP_Master , not yet.

 

I'll be at the customer's site this week and will do some debugs and maybe I'll open a case.

Participant

I am having the same issue at a customer site.  R80.30 JHF Take 140.  I will have them open a TAC case tomorrow on this.  We have a migration this afternoon so no time for troubleshooting this.

Participant

In my case, I opened a support case with Check Point, and according to the investigation, they are working on a bundle fix for the RAD.

Contributor

What debug did you run during the chat with the support? I believe next week I will have to open a case with the support but the system is in production and I don't want to interrupt the traffic to do a few debugs one at a time so I want to be maximum prepared with all the needed info.

Participant

I have been requested to send certain log files, in order to analyze them, without service stops

Participant

Good day, we have the same problem with R80.40 and just opened a case for half a week. BR, Alois

Contributor

We've had these since upgrading to R80.30. From the info we got there's no solution, but it will be fixed in some future hotfix. 

It sucks that the system alert logging is flooded due to this.

Participant

Hi, we still had the same problem with R80.30 and even worse with SecureXL / DNS, CPU load. We solved the problem - we changed the manufacturer. We are very disappointed with Check Point; since R80x it is no longer enterprise but beta software and support is a disaster. Cheers, lois

Participant

We're seeing the same problems here on R80.20

Participant

We also had the same problems with 80.40 and the support left us completely in the lurch, so as I said, solved by changing the manufacturer.

Collaborator

We have the same issue with R80.20 JHFA Take 134. The numbers jumped today when we updated our protected scope for the Anti-Bot blade (it was already enabled but today we "applied" it to monitor more sources). Every URL I've seen in the errors is bit.ly.

The lack of information on Secure Knowledge is disappointing. This is obviously not an isolated issue.

Dave

Collaborator

Yes @David_Charnon we are still seeing this on multiple sites. Just this morning in fact for one.

 

 HeaderDateHour: 17Jun2020  9:11:31; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 15; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:bit.ly; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8549_24718 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 

This site is R80.30 Hotfix 111

I think I've seen it on R80.40 too but not this week.

Contributor

Yes, I also observe it on R80.40. 

 

The error message I see in R80.40 is a bit different, but the effect is the same - slow browsing to some sites: Error occur while xxxx.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.40/fw1/log/rad_events/Errors/flow_15870_127341 For more details; severity: 3; ProductName:

 and is observed with Anti-bot, Anti-malware and URL filtering.

 

 

Explorer

Hi,

 

I opened a chat about this issue and support advised ongoing Take_210 Jumbo Hotfix. Maybe you can try to install and check it.

 

Regards.

Participant

Hello

 

Did installing JHF210 solve our problem?

We are fighting with that for some time, but still without success.

We did get some custom hw_wrapper for JHF191 but that ended up with GW crashes and we had to uninstall it.

Now we have 196 but the problem still persists.

 

K.

Contributor

Hi,

We get a few of these alerts daily from our HA internet cluster. Currently R80.30 Build 200 however we have seen this issue for months now on various R80.30 builds.

Websites are usually goo.gl but can be bit.ly, akamaiedge and more recently a lot of WebEx. They can be individual or in a group of 2-3, sometimes more but usually just a handful.

HeaderDateHour: 12Jul2020  4:13:19; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 6; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cisco.webex.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1186022 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

HeaderDateHour: 12Jul2020  4:12:12; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 5; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:e4343.x.akamaiedge.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1185996 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

HeaderDateHour: 12Jul2020  4:08:43; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 12; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:async.zoom.us; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1185920 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

HeaderDateHour: 11Jul2020 14:52:24; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 13; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:limited-prod.giphy.map.fastly.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1163257 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 

More concerning was a recent alert referencing one of our own internet addresses.

 

Cheers,

Paul.

Contributor

5 more emails fresh in.

 

HeaderDateHour: 13Jul2020 10:31:48; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 13; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.rebel.ai; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243206 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

HeaderDateHour: 13Jul2020 10:31:48; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 14; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.rebel.ai; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243207 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

HeaderDateHour: 13Jul2020 10:31:48; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 17; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:d8rk54i4mohrb.cloudfront.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243211 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

HeaderDateHour: 13Jul2020 10:31:50; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 9; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:9772e8e882bb9041133b6abea710b0fa.safeframe.googlesyndication.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243221 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

---

HeaderDateHour: 13Jul2020 10:32:03; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 17; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:go.ezoic.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243227 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

HeaderDateHour: 13Jul2020 10:32:04; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 13; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:ezodn.com/detroitchicago/boise.js?gcb=188-1&cb=1; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243250 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

HeaderDateHour: 13Jul2020 10:32:05; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 22; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:ce.lijit.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243265 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

---

HeaderDateHour: 13Jul2020 10:32:18; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 28; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:go.ezoic.net/detroitchicago/audins.js?cb=188-1; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243289 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

HeaderDateHour: 13Jul2020 10:32:19; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 12; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:edge.quantserve.com/quant.js; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243295 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;

---

HeaderDateHour: 13Jul2020 10:32:25; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 6; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:ct.pinterest.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243313 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

---

HeaderDateHour: 13Jul2020 10:33:49; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 21; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:nebulaaa9.webex.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243368 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

HeaderDateHour: 13Jul2020 10:33:49; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 22; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:nebulaaa9.webex.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243369 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

Contributor

Any performance impact? High CPU usage of the RAD process?

Contributor

I do not know what the RAD processes are or how to check its utilisation. SSH in and use top, or is there some other tool more specifically designed for that?
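One way to triage the alert mails quoted in this thread, as an added example that is not part of any post and not Check Point code: a Python parser that tolerates the mail-wrap spaces seen in the pasted lines, tallies alerts by blade and failure reason, flags minutes with a flurry of alerts, and collects the flow file path each alert points to. The function names, the `burst` threshold and the abridged sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: alert lines in the format quoted in this thread, abridged
# to the fields used here. The fifth keeps the mail-wrap spaces inside words.
SAMPLE = [
    "HeaderDateHour:  4Feb2020 10:49:56; Origin: fwl-0002; Alert: mail; description: Error occur while accessing:goo.gl/forms/gn0vx7tcxe; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_258746 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;",
    "HeaderDateHour:  1Feb2020  9:43:46; Origin: fwl-0002; Alert: mail; description: Error occur while accessing:cdn.videogram.com; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_206678 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;",
    "HeaderDateHour: 13Jul2020 10:31:48; Origin: XXX; Alert: mail; description: Error occur while ac cessing:cdn.rebel.ai; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243206 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;",
    "HeaderDateHour: 13Jul2020 10:31:48; Origin: XXX; Alert: mail; description: Error occur while ac cessing:cdn.rebel.ai; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243207 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;",
    "HeaderDateHour: 13Jul2020 10:31:50; Origin: XXX; Alert: mail; description: Error occur while acc essing:9772e8e882bb9041133b6abea710b0fa.safeframe.googlesyndication.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243221 For more details; severity: 3; ProductName: A nti Malware; ProductFamily: Network;",
    "this line is not an alert",
]

ALERT = re.compile(
    r"HeaderDateHour:\s*(?P<when>\d{1,2}[A-Za-z]{3}\d{4}\s+\d{1,2}:\d{2}:\d{2});"
    r".*?description:\s*Error occur while\s*(?:[a-z ]+:)?\s*(?P<url>[^;\s]+);"
    r"\s*reason:\s*(?P<reason>.+?),\s*check\s+(?P<flow>\S+)"
    r".*?ProductName:\s*(?P<blade>[^;]*?)\s*;"
)
SHORTENERS = {"goo.gl", "bit.ly"}  # the shorteners named in the thread

def parse_alert(line):
    """Return the fields of one alert line, or None if the line does not match."""
    m = ALERT.search(line)
    if not m:
        return None
    reason = m["reason"].rstrip(". ")
    kind = "timeout" if "Timeout" in reason else "parse" if "parse" in reason else "other"
    return {
        "minute": " ".join(m["when"].split())[:-3],  # "13Jul2020 10:31"
        "host": m["url"].split("/")[0].lower(),
        "kind": kind,
        "flow": m["flow"],                           # debug file named in the alert
        "blade": re.sub(r"\s+", "", m["blade"]),     # "A nti Malware" -> "AntiMalware"
    }

def summarise(lines, burst=3):
    """Tally alerts by (blade, kind); list flow files per host; flag busy minutes."""
    counts, per_minute, flows = Counter(), Counter(), defaultdict(list)
    shortener = skipped = 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            skipped += 1
            continue
        counts[(rec["blade"], rec["kind"])] += 1
        per_minute[rec["minute"]] += 1
        flows[rec["host"]].append(rec["flow"])
        shortener += rec["host"] in SHORTENERS
    bursts = {m: n for m, n in per_minute.items() if n >= burst}
    return {"by_blade_kind": dict(counts), "flows": dict(flows), "bursts": bursts,
            "shortener_alerts": shortener, "skipped": skipped}
```

Separating the "parse" and "timeout" reasons shows whether a flurry is one failure mode or two, and the `skipped` count shows how many lines were too damaged to match.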