Anti-Bot & Anti-Virus and/or IPS on Check Point (R80.20) standby node report error "Error: Update failed. Contract entitlement check failed. Could not reach 'updates.checkpoint.com'..." while updating.
Details
1. From standby node - Gaia web console => "Check for Updates", I get the error: "Could not connect to the Check Point Cloud. Check your connection settings..."
2. From standby node, tests from SSH (sk83520):
- curl_cli -v -k https://updates.checkpoint.com/ => most of the time it doesn't work (timeout); sometimes it works.
- curl_cli to any other URL => most of the time it doesn't work (timeout), sometimes it works.
- ping public FQDN => most of the time it doesn't work (timeout), sometimes it works.
- On active node => it works, always.
3. From standby node, I can reach Internet gateway, and the other active node => no internal communication issues.
4. Already verified and applied sk43807 (all points with the exception of point 4).
fwha_forw_packet_to_not_active parameter is enabled on both nodes.
5. Licenses are OK (sk98665), with the exception of the command cpstat antimalware -f update_status that is returning the error below (the same I'm seeing from SmartConsole):
AB Update status: up-to-date
AB Update description: Gateway is up to date.
Database version: 1906061756.
Package date: Thu Jun 6 11:00:00 2019
AB Next update description: The next update will be run as scheduled.
AB DB version: 1906061756
AV Update status: failed
AV Update description: Update failed. Contract entitlement check failed. Could not reach "updates.checkpoint.com". Check proxy configuration on the gateway.
AV Next update description: The next try will be within one hour.
AV DB version: 1906070837
I already read these CheckMates posts:
- Update failed. Contract entitlement check failed
- Problem accessing standby cluster member from non-local network
Any advice?
Thank you very much,
Luca