DDPBharat
Explorer

Policy installation failed: TCP connectivity failure port 18191

Hi Team,

I have set up a lab to learn Check Point and so far it is going well, but now I am stuck on one issue. I have set up a Head Office (CP_HO) firewall and a Branch Office (CP-Branch) firewall. The Check Point management server is behind the CP_HO firewall. When I try to push a policy package from the management server to the CP-Branch firewall, I get the error "Policy installation failed: TCP connectivity failure port 18191". I do not know what the issue is here; please guide me.

 

Topology and policy screenshots are attached.

 

 
0 Kudos
9 Replies
the_rock
Mentor

What that means is that SIC (Secure Internal Communication) is breaking on the port it uses to communicate with the management server, 18191. So, what I would do is, when you are pushing the policy, run this command on the gateway (in expert mode) -> fw ctl zdebug + drop | grep 18191 and see what you get. Feel free to message me privately and I can help you out.

0 Kudos
DDPBharat
Explorer

Hi the_rock,

 

Thanks for the reply. Below are the logs for the same.

 

[Expert@CP-Branch:0]# fw ctl zdebug + drop | grep 18191
@;3943;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3943;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3943;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3959;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3960;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3960;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3961;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3961;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3965;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3965;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3965;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3965;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3966;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3969;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3970;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3970;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3970;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3975;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3980;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3981;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3981;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;4040;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;4041;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;4044;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;4047;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;4048;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;4075;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;4078;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;4080;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;4183;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;4187;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;4192;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;

 

0 Kudos
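The drop output posted above is easier to compare with the rulebase once it is condensed. The following is an added example, not part of the original thread and not Check Point tooling: a shell function that groups saved `fw ctl zdebug + drop` lines by source address, destination and reason. The field layout is assumed from the lines in the post; `summarize_drops`, `sample_drops` and the 192.0.2.10 line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): condense saved `fw ctl zdebug + drop` output.
# Assumed line layout, taken from the post above:
#   ...fw_log_drop_ex: Packet proto=P SRC:SPORT -> DST:DPORT dropped by HANDLER Reason: TEXT;

summarize_drops() {
    # stdin: drop lines; stdout: one line per (src, dst:port, proto, handler, reason)
    awk '
    $2 == "Packet" && $5 == "->" && $7 == "dropped" {
        src = $4;   sub(/:[0-9]+$/, "", src)     # source address without the port
        sport = $4; sub(/^.*:/, "", sport)       # ephemeral source port only
        r = index($0, "Reason: ")
        reason = (r ? substr($0, r + 8) : "unknown")
        sub(/;[ \t\r]*$/, "", reason)            # drop the trailing semicolon
        key = src " -> " $6 " " $3 " " $9 " | " reason
        count[key]++
        if (!((key, sport) in seen)) { seen[key, sport] = 1; ports[key]++ }
    }
    END {
        for (k in count)
            printf "%d drop(s) from %d source port(s): %s\n", count[k], ports[k], k
    }' | sort -rn
}

sample_drops() {
    # Constructed sample: five lines modelled on the post, one line from a
    # made-up source (192.0.2.10) and one non-drop line that must be ignored.
    cat <<'EOF'
@;3943;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3959;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3960;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.200.2.1:43396 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3961;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3965;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.200.2.1:10065 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
@;3970;[vs_0];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.10:50000 -> 10.200.3.1:18191 dropped by fw_handle_old_conn_recovery Reason: old packet rulebase drop;
some unrelated debug line
EOF
}

# Stand-alone run on the sample; on a gateway, feed a saved capture instead.
sample_drops | summarize_drops
```

The summary is printed only when the input ends, so run it over output saved to a file rather than piping the live debug stream into it.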
the_rock
Mentor

What IP addresses are 10.200.2.1 and .3.1? Are those the firewall and mgmt server? If so, then it looks like it's definitely something in the rulebase blocking it. Have a look at the links below:

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

 

 

 

0 Kudos
DDPBharat
Explorer

Hi the_rock

10.200.1.1 and 10.200.1.2 are the HO firewall WAN IP addresses, and 10.200.3.1 and 10.200.4.1 are the Branch firewall WAN IP addresses.

0 Kudos
the_rock
Mentor

I would definitely check out the articles I provided. Otherwise, message me privately and we can do a remote session. I'm in the EST time zone.

0 Kudos
kb1
Collaborator

Hi, do you think you could help me with that as well? I have a similar issue with the 18191 failure and it would be great if you could have a remote session with me as well sometime this week, EST time.

0 Kudos
the_rock
Mentor

sure np

0 Kudos
kb1
Collaborator

How does Thursday 8 pm EST sound?

0 Kudos
the_rock
Mentor

No worries, just message me privately and we can set it up.

0 Kudos