This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martin_Orlich
Explorer
‎2017-10-19 01:22 AM

Migrate Export Fails (R77.30 OpenServer)

Hello,

In my test environment I wanted to test migrate tools, but I failed to execute migrate export on my primary Management server. I had no issues with to execute the migrate export on standby management server.

Topology:

* Security GW cluster - Gaia R77.30, with the latest jumbo hotfix take 286.

* Security Management Server in HA, both 77.30 with the latest jumbo hotfix 286.

I tried with latest migration tools, I extracted them in original folder and to my admin home folder as well. Destination path for file is /var/tmp/db-export.tgz

[Expert@CP-MGMT:0]# ./migrate export /var/tmp/db-export.tgz


You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y


Copying required files...
Execution finished with errors. See log file '/opt/CPshrd-R77/log/migrate-Thu_Oct_19_10-12-45_2017.log' for further details
[Expert@CP-MGMT:0]#

I found following SK for issues with migrate tools, but It didn't help me.

"Execution finished with errors" message on migrate import / export command failure 

From log file, these are errors. The full log is in the attachment.

[Expert@CP-MGMT:0]# cat /opt/CPshrd-R77/log/migrate-Thu_Oct_19_10-12-45_2017.log | egrep 'WRN|ERR'
[19 Oct 10:12:45] [ReadFwsetFile] ERR: ReadFwsetFile: Failed to open file: No such file or directory
[19 Oct 10:12:45] [SystemInfoGatherer::ReadRegistry] WRN: Failed to get key value
[19 Oct 10:12:45] [SystemInfoGatherer::ReadRegistry] WRN: Failed to get key value
[19 Oct 10:12:45] [LegacyConfigCreator::WriteExportedVersionKey] WRN: Cannot map source's current version to legacy version
[19 Oct 10:12:49] [ReadFwsetFile] ERR: ReadFwsetFile: Failed to open file: No such file or directory
[19 Oct 10:13:19] [FilesCopierImplByFwSet::CopyFiles] WRN: Found attribute 'from' in file set specification which doesn't contain expandable part: '$UAGDIR/database', skipping file set processing
[19 Oct 10:13:19] [FilesCopierImplByFwSet::CopyFiles] WRN: Found attribute 'from' in file set specification which doesn't contain expandable part: '$UAGDIR/conf', skipping file set processing
[19 Oct 10:13:19] [FilesCopierImplByFwSet::CopyFiles] WRN: Found attribute 'from' in file set specification which doesn't contain expandable part: '$SECUREXLDIR/boot/modules', skipping file set processing
[19 Oct 10:13:23] [ActivitiesManager::exec] ERR: Activity 'ConditionalExecutor' failed
[19 Oct 10:13:23] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[19 Oct 10:13:23] [ActivitiesManager::exec] WRN: Activities 'ConditionalExecutor' have failed
[19 Oct 10:13:23] [DirCleaner::exec] WRN: Failed to remove the directory
[Expert@CP-MGMT:0]#

I tried also to change the link for tmp file and there is no issue with space on Log volume. I also increased size of lob volume.

Root partition runs out of space while running 'upgrade_export' / 'migrate export&apo... 

LVM overview
============
                  Size(GB)   Used(GB)   Configurable    Description
    lv_current    15         7          yes             Check Point OS and products
    lv_log        41         3          yes             Logs volume
    upgrade       17         N/A        no              Reserved for version upgrade
    swap          2          N/A        no              Swap volume size
    free          4          N/A        no              Unused space
    -------       ----
    total         79         N/A        no              Total size

I'd like to ask you if anybody experienced same issue, or could help me to resolve it. If it would be customer environment I would ask support, but it is lab environment.

Thank you for reply.

BR Martin

migrate-Thu_Oct_19_09-33-08_2017.log.zip
0 Kudos
6 Replies
Danny
Champion Champion
Champion
‎2017-10-19 04:14 AM

I looks like your partitions are too small which is why there is so little space left on them. Try to recreate your lab with a bigger harddrive as /var/tmp is hosted on your root partition while /var/log is a dedicated log partition.

Martin_Orlich
Explorer
‎2017-10-19 07:40 AM
In response to Danny

Hi Danny,
Thank you for the comment. I've added additional 20GB to root partition, unfortunately it didn't help. 

LVM overview
============
                  Size(GB)   Used(GB)   Configurable    Description
    lv_current    26         7          yes             Check Point OS and products
    lv_log        41         3          yes             Logs volume
    upgrade       29         N/A        no              Reserved for version upgrade
    swap          2          N/A        no              Swap volume size
    free          1          N/A        no              Unused space
    -------       ----
    total         99         N/A        no              Total size

I am still not able to get output of migrate export. In log file the errors and warnings are still the same.
It is interesting as from standby mgmt node, where I had same amount of HDD space and same size of partitions as on primary (before change of the lv_current) I am able to run the migrate export. Databases are synchronized, so If I understood correctly all the data from DBs should be on standby mgmt. server as well. Anyway it is very simple setup (few objects and like 10 rules) just for my testing.

If you have another idea, please let me know.

Thank you.

BR Martin

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2017-10-19 08:28 AM

Clean up your old database revisions in SmartDashboard, this will help significantly reduce the size of the export file and hopefully make it fit.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Martin_Orlich
Explorer
‎2017-10-20 01:22 AM
In response to Timothy_Hall

Hi Tim,

There are no saved DB revisions. I removed all unnecessary hidden and testing rules. Nothing helped.

Basically according log file, migrate script called ConditionalExecutor, which fails. However I could not find any info.

[19 Oct  9:37:34] [ActivitiesManager::exec] Executing activity 'ConditionalExecutor'
[19 Oct  9:37:34] --> ConditionalExecutor::exec
[19 Oct  9:37:34] [ConditionalExecutor::exec] Executing condition for activity 'AddUepmInfoInSrc'
[19 Oct  9:37:34] .--> CondUepmActive::IsConditionHolds
[19 Oct  9:37:34] [CondUepmActive::IsConditionHolds] Current version of uepm is: R77
[19 Oct  9:37:34] .<-- CondUepmActive::IsConditionHolds
[19 Oct  9:37:34] [ConditionalExecutor::exec] Condition holds, executing activity
[19 Oct  9:37:35] .--> AddUepmInfo::exec
[19 Oct  9:37:35] ..--> AddUepmInfoInSrc::GetMachineInfoSet
[19 Oct  9:37:35] ...--> MigrateConfig::Instance
[19 Oct  9:37:35] ...<-- MigrateConfig::Instance
[19 Oct  9:37:35] ...--> MigrateConfig::GetConfigSet
[19 Oct  9:37:35] ...<-- MigrateConfig::GetConfigSet
[19 Oct  9:37:35] ..<-- AddUepmInfoInSrc::GetMachineInfoSet
[19 Oct  9:37:35] Could not retrieve server version
[19 Oct  9:37:35] .<-- AddUepmInfo::exec
[19 Oct  9:37:35] <-- ConditionalExecutor::exec
[19 Oct  9:37:35] [ActivitiesManager::exec] ERR: Activity 'ConditionalExecutor' failed
[19 Oct  9:37:35] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[19 Oct  9:37:35] [ActivitiesManager::exec] WRN: Activities 'ConditionalExecutor' have failed
[19 Oct  9:37:35] [ActivitiesManager::exec] Designated exit code is 1

if you have any other idea, please let me know.
Thank you
BR Martin
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2017-10-20 02:13 PM
In response to Martin_Orlich

Based on your logfile, the migrate export appears to be barfing while handling the Endpoint Policy Management (uepm) piece of your config.  Are you actually using Endpoint Policy Management on this SMS?  Try the following:

1) If not using Endpoint Policy Management, uncheck it on your SMS object in the SmartDashboard.  Perform an "Install Database" operation and try the migrate again.

2) If that doesn't work, try this:

./migrate export --exclude-uepm-postgres-db <migrate export output file name>

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Martin_Orlich
Explorer
‎2017-10-23 03:07 AM
In response to Timothy_Hall

Hi Tim,

Before I deployed secondary SMS, I have enabled EndPoint server. I moved it dedicated server and disabled Endpoint Mgmt and install DB.

Initially with secondary SMS, there was issue with DB Sync between SMS servers, because of Product mismatch. I fixed it by by modification of scheme.c file as described:

Synchronization fails when SmartCenter servers contain different Check Point products 

The Command:

./migrate export --exclude-uepm-postgres-db <migrate export output file name>

It is not working.

It seems that EndPoint is still running, and it is starting after reboot.

[Expert@CP-MGMT:0]# cpwd_admin list

APP        PID    STAT  #START  START_TIME             MON  COMMAND

CPVIEWD    3608   E     1       [11:38:20] 23/10/2017  N    cpviewd

CPD        3611   E     1       [11:38:20] 23/10/2017  Y    cpd

FWD        3734   E     1       [11:38:43] 23/10/2017  N    fwd -n

FWM        3736   E     1       [11:38:43] 23/10/2017  N    fwm

STPR       3739   E     1       [11:38:44] 23/10/2017  N    status_proxy

SVR        3942   E     1       [11:38:59] 23/10/2017  N    SVRServer

CPSEAD     4115   E     1       [11:39:12] 23/10/2017  N    cpsead

CPWMD      4163   E     1       [11:39:19] 23/10/2017  N    cpwmd -D -app SmartPortal

CPHTTPD    4177   E     1       [11:39:20] 23/10/2017  N    cp_http_server -f '/opt/CPportal-R77/portal/conf/cp_httpd_admin.conf'

CP3DLOGD   4194   E     1       [11:39:21] 23/10/2017  N    cp3dlogd

SICTUNNEL  4197   E     1       [11:39:21] 23/10/2017  N    /opt/CPshrd-R77/bin/cptnl -c "/opt/CPuepm-R77/engine/conf/cptnl_srv.conf"

EPM        4199   E     1       [11:39:21] 23/10/2017  N    startEngine

SMARTLOG_SERVER 4353   E     1       [11:39:37] 23/10/2017  N    smartlog_server

DASERVICE  4358   E     1       [11:39:37] 23/10/2017  N    DAService_script

[Expert@CP-MGMT:0]#

I run uepm_stop:

[Expert@CP-MGMT:0]# uepm_stop
UEPM: Stopping product - Endpoint Security Management
UEPM: Stopping Apache Web Server...
UEPM: Apache Web Server was stopped successfully
UEPM: Stopping Endpoint Security Management Server...
UEPM: WARNING - graceful shutdown of Endpoint Security Management Server failed
UEPM: Killing Endpoint Security Management Server process (pid 4290)
UEPM: Endpoint Security Management Server was stopped successfully
UEPM: Log conversion daemon has been stopped
UEPM: SIC Tunnel has been stopped
UEPM stopped
[Expert@CP-MGMT:0]#

I am still not able to run migrate export.

I will try to search how to fix it. Anyway if you have an idea, please let me know.

Thank you for reply.

BR Martin

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events