Jerry
Leader

R81 take 23, build 004, Threat Prevention Policy - Internal error occurred during the verification

My customer is having the following error whilst installing TP:

Internal error occurred during the verification process,

policy verification failed

- see enclosed -

*** No changes have been made to the TP policies; just take 23 was installed on the R81 gateway running the IPS blade ***

Any ideas, folks, regarding troubleshooting? We'd highly appreciate any hints, as the SKs say nothing yet about this situation, nor could I find anyone here having anything similar.

I'm open to suggestions or requests for details.

Cheers!

Jerry
11 Replies
Jerry
Leader

Looks like, based on the Support SKs, that Take 25 is the remedy ... wonder if you experienced anything similar, folks.

I'm pushing take 25 RFC with the customer just now.

Jerry
Jerry
Leader

Did not help; TP verification is still failing as it was, no changes. It's sad to see that there seems to be no solution for failing TP policy verification, so TP runs the old last-known-good policy, which cannot be changed/amended due to the policy verification failures.

Putting that in perspective: the customer is unable to modify anything TP policy-wise, as the changes won't be installed. That doesn't seem right to me. What do you think, folks (if you read this)?

Jerry
PhoneBoy
Admin

It looks like there are several potential causes for this issue.
Probably best to have the TAC assist you here.

Jerry
Leader

So the fire is over; I've managed to find a workaround 🙂 That wasn't easy, but I did it. Recovering an earlier (pre-550 SmartConsole) revision and re-applying the changes from the "meantime" made it work, and all runs like a charm at the moment. Customer happy. And time to take care of some Maestro design flaws ... 😛

Cheers! But too late, Dameon 😛

Jerry
Jerry
Leader

What's left unknown, however, is why the SMS has lost the ability to take CPMI via IPv6. I can't figure it out. DA and routes have not changed; nothing regarding IPv4 has changed. Just after the upgrade, IPv6 access via the GUI Clients ACL does not work for IPv6 clients.

That is something I'm going to work on today ... any suggestions (but not "please check your routes or IP addresses again"!) highly appreciated.

Jerry
Jerry
Leader

Found it. IPv6 (SMS CPMI) no longer supports ::/ prefixes or ::x IP addresses.

Thanks R&D for letting us all know 🙂

Now the IP address in the GUI Clients ACL should look as follows, for example:

aaaa:bbbb:cccc:ddd:0:0:0:1

When you add this to the ACL, you can hook up again via CPM/CPMI to the SMS.

Case closed. Shame ... we weren't told anywhere within SKs or Partner threads.

Jerry
Tobias_Moritz
Advisor

Not accepting the short :: syntax in IPv6 addresses is a violation of https://tools.ietf.org/html/rfc5952#section-4

"all implementations MUST accept and be able to handle any legitimate [RFC4291] format"

And https://tools.ietf.org/html/rfc4291#section-2.2 lists this :: format as legitimate in point 2.

So CP R&D should really fix this; otherwise their implementation violates Internet Standards. And that's not a good idea for a firewall vendor.
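As an added illustration (not part of either post above), the long form Jerry found the ACL accepts and the short `::` form Tobias cites from RFC 4291 are two spellings of the same address. This Python helper, using only the standard `ipaddress` module, expands a compressed address or prefix into the eight-group, no-`::` form, and shows the RFC 5952 canonical (compressed) form going the other way; the sample ACL entries are constructed.

```python
import ipaddress


def _expand(ip: ipaddress.IPv6Address) -> str:
    # .exploded yields 8 groups of 4 hex digits ('0000:...'); strip the
    # leading zeros of each group but keep a lone '0' for all-zero groups.
    return ":".join(g.lstrip("0") or "0" for g in ip.exploded.split(":"))


def expand_for_gui_acl(entry: str) -> str:
    """Rewrite one ACL entry (address or CIDR prefix) into the eight-group
    form with no '::', e.g. 'aaaa:bbbb:cccc:ddd::1' -> 'aaaa:bbbb:cccc:ddd:0:0:0:1'.
    IPv4 entries are returned unchanged. Raises ValueError on junk input."""
    if "/" in entry:
        # Prefix: expand the network address, keep the prefix length.
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 6:
            return entry
        return f"{_expand(net.network_address)}/{net.prefixlen}"
    ip = ipaddress.ip_address(entry)
    if ip.version != 6:
        return entry
    return _expand(ip)


def rfc5952_canonical(addr: str) -> str:
    """RFC 5952 text form: lowercase hex, leading zeros dropped, the longest
    run of two or more zero groups collapsed to '::'. Python's ipaddress
    module applies exactly these rules in str()."""
    return str(ipaddress.IPv6Address(addr))


def denotes_same_host(a: str, b: str) -> bool:
    """True when two textual forms name the same RFC 4291 address."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def rewrite_acl(entries):
    """Apply expand_for_gui_acl to a whole GUI Clients list."""
    return [expand_for_gui_acl(e) for e in entries]


if __name__ == "__main__":
    # Constructed sample ACL mixing IPv4, a compressed v6 prefix and v6 hosts.
    sample_acl = ["192.0.2.10", "2001:db8::/32", "::1", "aaaa:bbbb:cccc:ddd::1"]
    for before, after in zip(sample_acl, rewrite_acl(sample_acl)):
        print(f"{before:24} -> {after}")
```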

Jerry
Leader

Agree. That's what I realised when setting up the GUI ACL with both (short/long) RFC 4291 formats.

I wonder if anyone from R&D will read this topic here ... hope they will and consider that we've found a bug in the recent R81 take!

Cheers, Tobias

Jerry
Jerry
Leader

Interesting: after applying Take 25, the Management GUI hosts are no longer accepted by the SMS. Lovely 🙂 Well done, R&D!

Jerry
the_rock
Authority

I have R81 in the lab; maybe I can assist you. I believe I'm running the latest jumbo, but would need to check. Is there any way you can tell us what the verification error is when you expand it during the failure? I actually had a similar issue when I first installed it in the lab, and the way I fixed it was I unchecked Threat Infinity and ONLY enabled the IPS blade for Threat Prevention, and that worked; then when I put it back afterwards, all was fine again. Not sure much about Threat Infinity, though someone from Israel gave us a presentation about it, but the gentleman mentioned that those settings can't be tweaked yet, so it's pretty much whatever you get there.

Anyway, just my best suggestion for now, sorry if you already tried that.

Jerry
Leader

No worries, Mr. Dwayne Johnson 🙂

All good. I've got many R81 instances, all-in-one plus distributed; I could handle it, and I did it myself. Panic is over.

It was about the revisions which corrupted a sub-DB within the posture. I had errors in install_policy.elg.

I managed to narrow down what's wrong based on the output and found out that the best way would be to step back 3 days and do the revision reversal. I did it, and the customer was able to modify the IPS policy. All good, but thanks for the suggestions. Infinity is a different league, though, so I wouldn't compare this to that new stuff; nevertheless, keep 'em going.

Cheers!

Jerry