While installing the firewall policy (MDS on Gaia R80.10 and gateway on Gaia R77.30), I am getting the error below:
"Installation failed. Reason: Load on Module failed - failed to load Security Policy."
I tried cpstop; cpstart, but the issue was not resolved. When I reboot the firewall, the issue is resolved.
I do not want to reboot/ restart the services to resolve this issue.
When I looked at the cpd.elg file, it gave me the output below:
Failed to Load Security Policy: Bad address
I followed sk33893 -> sk105708 but did not find any non-ASCII characters.
Can anyone help me resolve this issue? A reboot is not a solution.
There are several potential causes for this error documented here: 'Installation failed. Reason: Load on Module failed - failed to load security policy' erro...
You may need to review multiple of these issues to find what is causing it.
The TAC should also be able to assist with this as well.
On the gateway (not SMS) where the policy load is failing, try this command to find any non-ASCII characters in the compiled policy located on the gateway. It will highlight the offending characters if there are any:
file $FWDIR/state/local/FW1/* | grep "ASCII text" | cut -d: -f1 | xargs grep --color='auto' -P -n "[\x80-\xFF]"
Also, have you seen this SK? sk103511: "Failed to Load Security Policy: Bad address" error on policy installation failure
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
I tried to run this script on the problematic gateway, but there was no output:
file $FWDIR/state/local/FW1/* | grep "ASCII text" | cut -d: -f1 | xargs grep --color='auto' -P -n "[\x80-\xFF]"
All that means is that you don't have any non-ASCII characters in your compiled policy which can be one of the many causes of this issue. TAC will need to run a debug of the policy installation on the gateway to determine what problematic element of the compiled policy is aborting the load into the kernel.
We had this problem plague us after upgrading our MGMT to 80.10. Came to find out it was the strings dictionary table filling up. For us at least that was the issue. I think that somehow things got horked up with the upgrade and the entries were no longer lining up. I would check that and see if it is your problem.
fw -i 0 tab -t string_dictionary_table -s
fw -i 0 tab -t string_dictionary_table | grep limit
[Expert@Hostname:0]# fw -i 0 tab -t string_dictionary_table -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost string_dictionary_table 8135 64191 64191 64191
[Expert@Hostname:0]# fw -i 0 tab -t string_dictionary_table | grep limit
dynamic, id 8135, attributes: keep level 2, expires never, , hashsize 128, limit 65536
It looks like the limit is 65536 and the current and peak values are 64191. Can you shed some light based on this output?
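An added example, not part of the thread and not Check Point code: a small shell helper that parses the two `fw tab` outputs posted above and reports how full string_dictionary_table is relative to its limit. The function names and the 90% warning threshold (WARN_PCT) are assumptions chosen for illustration, not vendor values.

```bash
#!/bin/bash
# Added example. Parses captured output of the two commands from the thread:
#   fw -i 0 tab -t string_dictionary_table -s
#   fw -i 0 tab -t string_dictionary_table | grep limit
# WARN_PCT is an assumed threshold, not a vendor-documented value.
WARN_PCT=${WARN_PCT:-90}

# Print "<vals> <peak>" from the -s summary.
# Columns: HOST NAME ID #VALS #PEAK #SLINKS
sdt_counts() {
    printf '%s\n' "$1" |
        awk '$2 == "string_dictionary_table" && $4 ~ /^[0-9]+$/ { print $4, $5; exit }'
}

# Print the numeric limit from the table attributes line.
sdt_limit() {
    printf '%s\n' "$1" | sed -n 's/.*limit \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print one summary line. Returns 0 = OK, 1 = WARN, 2 = could not parse.
sdt_report() {
    local counts limit vals peak used peak_used status
    counts=$(sdt_counts "$1")
    limit=$(sdt_limit "$2")
    if [ -z "$counts" ] || [ -z "$limit" ] || [ "$limit" -eq 0 ]; then
        echo "status=PARSE_ERROR"
        return 2
    fi
    vals=${counts% *}
    peak=${counts#* }
    used=$(( vals * 100 / limit ))          # integer percent, rounded down
    peak_used=$(( peak * 100 / limit ))
    status=OK
    if [ "$peak_used" -ge "$WARN_PCT" ]; then status=WARN; fi
    echo "vals=$vals peak=$peak limit=$limit used=${used}% peak_used=${peak_used}% status=$status"
    [ "$status" = OK ]
}

# Sample input: the output as posted in the thread.
SAMPLE_SUMMARY='HOST NAME ID #VALS #PEAK #SLINKS
localhost string_dictionary_table 8135 64191 64191 64191'
SAMPLE_ATTRS='dynamic, id 8135, attributes: keep level 2, expires never, , hashsize 128, limit 65536'
sdt_report "$SAMPLE_SUMMARY" "$SAMPLE_ATTRS" || true

# On a gateway in expert mode, feed it live output instead:
# sdt_report "$(fw -i 0 tab -t string_dictionary_table -s)" \
#            "$(fw -i 0 tab -t string_dictionary_table | grep limit)"
```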