This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Manoj_Kumar3
Participant
‎2018-07-25 04:06 AM
Jump to solution

Installation failed on one of Active gateway: Failed - Installation failed. Reason: Load on Module failed - failed to load Security Policy.

While installing the firewall policy (MDS on Gaia R80.10 and gateway on Gaia R77.30) I am getting below error : 
"Installation failed. Reason: Load on Module failed - failed to load Security Policy."
I tried to cpstop; cpstart but issue not resolved also when i reboot the firewall issue got resolved.

I do not want to reboot/ restart the services to resolve this issue.

When i have seen the cpd.elg file it give me below output:

Failed to Load Security Policy: Bad address

Followed sk33893->sk105708 but does not find any non-ASCII characters.

Can anyone help me how i can resolve this issue as reboot is not a solution.

1 Solution

Accepted Solutions
Ivan_Moore
Contributor
‎2018-07-25 04:12 PM
Jump to solution

We had this problem plague us after upgrading our MGMT to 80.10.  Came to find out it was the strings dictionary table filling up.  For us at least that was the issue.  I think that somehow things got horked up with the upgrade and the entries were no longer lining up.  I would check that and see if it is your problem.  

fw -i 0 tab -t string_dictionary_table -s

fw -i 0 tab -t string_dictionary_table | grep limit

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2018-07-25 05:20 AM
Jump to solution

There are several potential causes for this error documented here: 'Installation failed. Reason: Load on Module failed - failed to load security policy' erro... 

You may need to review multiple of these issues to find what is causing it.

The TAC should also be able to assist with this as well.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-07-25 05:56 AM
Jump to solution

On the gateway (not SMS) where the policy load is failing, try this command to find any non-ASCII characters in the compiled policy located on the gateway, it will highlight the offending characters if there are any:

file $FWDIR/state/local/FW1/* | grep "ASCII text" | cut -d: -f1 | xargs grep --color='auto' -P -n "[\x80-\xFF]"

Also have you seen this SK: sk103511: "Failed to Load Security Policy: Bad address" error on policy installation failure

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Manoj_Kumar3
Participant
‎2018-08-07 02:53 AM
In response to Timothy_Hall
Jump to solution

I tried to run "file $FWDIR/state/local/FW1/* | grep "ASCII text" | cut -d: -f1 | xargs grep --color='auto' -P -n "[\x80-\xFF]" this script on problematic gateway but no output.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-08-07 06:19 AM
In response to Manoj_Kumar3
Jump to solution

All that means is that you don't have any non-ASCII characters in your compiled policy which can be one of the many causes of this issue. TAC will need to run a debug of the policy installation on the gateway to determine what problematic element of the compiled policy is aborting the load into the kernel.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
Ivan_Moore
Contributor
‎2018-07-25 04:12 PM
Jump to solution

We had this problem plague us after upgrading our MGMT to 80.10.  Came to find out it was the strings dictionary table filling up.  For us at least that was the issue.  I think that somehow things got horked up with the upgrade and the entries were no longer lining up.  I would check that and see if it is your problem.  

fw -i 0 tab -t string_dictionary_table -s

fw -i 0 tab -t string_dictionary_table | grep limit

Manoj_Kumar3
Participant
‎2018-08-06 10:58 PM
In response to Ivan_Moore
Jump to solution

[Expert@Hostname:0]# fw -i 0 tab -t string_dictionary_table -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost string_dictionary_table 8135 64191 64191 64191
[Expert@Hostname:0]# fw -i 0 tab -t string_dictionary_table | grep limit
dynamic, id 8135, attributes: keep level 2, expires never, , hashsize 128, limit 65536

Looks like limit is 65536 and current & peak value are 64191. Can you put some light based upon output.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    li.common.scroll-to.top