Dear Checkmates,
I have the following environment and issue:
Existing SMS: R81.10 HFA Take 66
New Gateways 6200 Appliances: R81.10 Take 79
I am already managing one cluster with this SMS and now I need to manage a second cluster.
I have configured the new cluster object and created a new policy package.
Then I try to install the policy and the installation stops at 50% without any error message.
Could this be the case because of the different HFA versions?
Silly question:
Is it normal that the newly created Gateway and Cluster objects are appearing with error state
in SmartConsole and should change to OK only after the policy installation?
Any help is appreciated.
Thanks
Stephan
No, it's definitely not normal that a new cluster would have that state. I had done this many times before and never had an issue. And no, jumbo take makes no difference. I, at one point, had R81.10 SMS on lowest take and cluster on latest available take and it still worked fine. OK, a few things I would confirm beforehand, let's begin with basics:
- What is the fw stat output when you run it on the gateways?
- Can you ping mgmt <=> gateways and the other way around?
- Does SIC work fine?
- What about topology? Can you get interfaces WITH and WITHOUT topology?
Andy
Hey Andy,
Thanks for your reply.
I will do a "fw stat" first thing in the morning.
The SIC was OK and I was able to get the interfaces with topology.
I did not try it without topology.
So, you mean that the cluster and gateway objects should be in OK status, even if I did not yet install the policy!?
What I have seen is that "cphaprob status" says "HA module not installed".
Then I did a "cphastart", but then each node thinks it is the active node, and as long as the
policy installation (and with it the cluster configuration) does not work, this state is not cleared, I think.
Thanks
Stephan
OK, so, if you had NOT applied policy yet, they will have a - sign most likely, I believe that's by default. See, cphaprob status, you can check it once policy works, BUT... before that, make sure clustering is enabled from cpconfig (look for option 6 or 7 I believe and make sure it says "disable cluster membership...").
Anyway, yeah, check tomorrow and message me, we can do a quick remote and fix it.
Have a good day!
Hey Andy,
Very kind of you... I appreciate it!
I will go to the office now and drop you a message on how it goes.
Cheers
Stephan
Hey Andy,
I am still facing the same issue, after a new creation of the cluster object.
When I try to install the policy I can see that 2 installation tasks are running... see screenshot.
There is no progress with the policy installation.
It stops at 50%.
Do you have any ideas?
Thanks
Stephan
@Stephan_Lache please look into sk170475 and let me know if it helps.
Hi _Val_,
Thanks for your reply.
We have enough free disk space.
Thanks
Stephan
What time zone are you in? I'm in EST (GMT -5), should be free I hope after 10.30 am or so if that works. I can message you directly.
Hey, I suggested the SK from the start, didn't I? And you said you have enough space 🙂 What is that then?
Hello.
Is there any way to "interrupt" the installation of policies, when it gets "stuck" at 50%?
Thanks for your comments.
SSH to the management server. Search the list of processes for the fw loader processes.
ps xaf|grep load
Kill the PID for the processes you find. It's not the most graceful method, but... it'll get the job done. After that, you need to fix whatever problem is causing it to fail part way through (management behind NAT? if so, follow sk102712 Procedure 2).
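A way to review what `ps xaf|grep load` matches before killing anything, as an added example that is not part of the original post. The sample process list, process names and PIDs are constructed, and `loader_candidates` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): list what a "load" search over
# `ps xaf` output would match, so the PIDs can be reviewed before any kill.

# Constructed sample in `ps xaf` layout; names and PIDs are made up.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
 3901 ?        Ssl    4:12 example_mgmt_daemon
21877 ?        S      0:03  \_ example_loader -p policy_a gw-a
21878 ?        S      0:03  \_ example_loader -p policy_a gw-b
 5120 ?        S      0:00 upload_agent --daemon
30411 pts/0    Ss     0:00 -bash
30977 pts/0    S+     0:00  \_ grep load'

# loader_candidates [regex]
# Reads `ps xaf` text on stdin and prints "PID<TAB>COMMAND" for every
# process whose command line matches the regex (default: load).
loader_candidates() {
    awk -v pat="${1:-load}" '
    $1 !~ /^[0-9]+$/ { next }              # skip the header line
    {
        i = 5                              # COMMAND starts at column 5
        # step over the tree-drawing fields added by the "f" option
        while (i <= NF && ($i == "|" || $i == "\\_")) i++
        if (i > NF) next
        if ($i == "grep") next             # the search process itself
        cmd = $i
        for (j = i + 1; j <= NF; j++) cmd = cmd " " $j
        if (cmd ~ pat) printf "%s\t%s\n", $1, cmd
    }'
}

# The plain "load" search also catches the unrelated upload_agent ...
printf '%s\n' "$SAMPLE_PS" | loader_candidates
# ... so narrow the pattern to the reviewed process name before acting.
printf '%s\n' "$SAMPLE_PS" | loader_candidates '^example_loader'
```

On a live management server the input would be `ps xaf | loader_candidates`, with the pattern narrowed to the process names actually seen there.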
Is your management behind NAT? You may need to edit $FWDIR/conf/masters on the gateway (or use GUIDBedit to tell the gateway to not overwrite $FWDIR/conf/masters each time, then manually edit the file to instead define the NAT IP of your management).
Check sk10271 and sk146112.
I think you missed a digit in the first article, but yes, I recall those SKs, very valid point actually.
Andy
sk102712
And you checked it on the GW, correct? Also, is policy actually installed on the GW or not? You can see the installation timestamp via fw stat.
In any case, to fix it, please open a TAC call.