Error code: 0-1-2000096 while installing policy
Hi everyone!
Setup: Newly installed ClusterXL+SMS (R81.20 JHF Take 84)
The standby member was not updating its IPS database, and in order to make it work, I followed sk43807 and added the ports and protocols to the table.def file on the SMS. It worked perfectly fine and the standby member was able to update its IPS database to the same version as the active node.
Although the standby member can update its IPS version, the output of fw tab -t no_hide_services_ports -u does not show the ports and protocols that I added through the table.def file.
After that, I deleted the added ports and protocols from the table.def file and clicked on 'Install Policy'. It failed with the following error message:
"Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-1-2000096)."
I have already looked up the error code on support.checkpoint.com, and read the only two CheckMates links that it gave me (this and this). I also read all the seemingly similar SKs about policy installation errors. However there is no information about this specific error code.
Additionally, I tried replacing the table.def file with one from another newly installed setup, removed and reinstalled the JHF package, used policy_debug.sh, and manually debugged the cpm, fwm, fwd and cpd processes while installing policy. I found nothing that seems useful.
Threat Prevention policy installs with no issues.
It is just a lab, but I wonder what I would do if one of our customers had a similar issue (before opening a TAC ticket). I don't think opening a TAC ticket for my case is currently necessary.
Where else can I look? Did anyone else encounter such an issue?
Cheers!
Accepted Solutions
@Gaurav_Pandya doing # fw fetch <IP-of-SMS> told me this:
Management rejected fetch for this module - sic name does not match.
Policy Fetch Failed
And then I went on and reestablished SIC on both nodes, and everything worked perfectly fine.
Thank you very much!
As a side note, it's kind of a shame that I didn't see anything related to non-matching SIC names in all the debugs I did.
Hi,
Try to fetch the policy with the command below; it will give more detail on why policy installation is failing.
#fetch policy <mgmt_IP>
Never heard of this command - I always use
fw -d fetch <Master 1>
Specifies the Check Point computer(s), from which to fetch the policy. You can fetch the policy from the Management Server, or a peer Cluster Member.
Right. "fetch policy" is for SMB appliances. You need to run the "fw fetch" command.
If policy install fails for other reasons than time out, checking communication/SIC in Dashboard is always the first step before doing debugs...
Hello All,
I have got the same problem, but after resetting the SIC it doesn't work again in a few minutes...
My infrastructure consists of two SMB 1900 devices managed over the Internet using SMS R81.20. The SMB 1900 doesn't support ClusterXL, which is why I set up a Small Office Cluster - is it the correct cluster for SMB 1900? Although the installation of policies does not work for me, the logs are recorded without problems, i.e. there is still some kind of communication between SMB and SMS.
