Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
ha
Explorer

Unable to install policy after gateway upgrade to R81.10

Hello,

 

After upgrading one of our firewalls from R80.40 to R81.10 we are unable to  install a policy on the firewall.

We have performed  the upgrade both from Gaia and SmartConsole, but get the same error after the upgrade.

When installing the policy from SmartConsole the task progress stops at step 'Preparing the policy for the upgraded target (5/11)'.

 

History:

  • R80.40 SMS and R80.40 GW, both running om VMware
  • R80.40 DB previously migrated to new, clean installed SMS on R81.10
  • Then GW was successfully upgraded via Gaia CPUSE to R81.10 T335
  • When installing policy to the GW first time it fails with error message  (see output from cpm.elg)
  • The GW VM was rolled back and a new upgrade was done via SmartConsole GUI using Actions > Version Upgrade, to R81.10 T355
  • This upgrade fails on task 5/10 with error message:cpp:line 5409: error inside #ifdef block at end of input, depth = 1
    1 error in preprocessor
    Error compiling IPv6 flavor.
  • Then the SMS was upgraded to R81.20 T631, but the policy fails with the same error message

 

We have searched for relevant support articles and some of them related to errors or changing in different .def files. As a noted we have not changed any .def files or other linux files directly on either SMS or GW.

IPv6 is disabled on the gateway.

Any suggestions as to what the cause of this error might be?

 

Thanks!

 

0 Kudos
11 Replies
PhoneBoy
Admin
Admin

Just to clarify, this is failing while doing an upgrade to R81.10 from SmartConsole on a gateway running R80.40, correct?
Note this exact error is mentioned here: https://support.checkpoint.com/results/sk/sk139174
If you're absolutely certain you haven't modified any .def files, then this Expect command should restore them to defaults: update_inspect_files -f 
If the issue still persists after doing that, I recommend a TAC case: https://help.checkpoint.com 

0 Kudos
ha
Explorer

Thank you both for your replies. I first tried TheRocks's suggestion, but could still not install the policy (same error as before).

Then I tried to run the update_inspect_files command, but got this error message:

[Expert@mgt:0]# update_inspect_files -f

Wrong usage: missing '-index' flag

 

Help text:

update_inspect_files --help

Please run with the following parameters: [-index <HFA_INDEX>] [-list <input file> (list of .def files)] [-path <path to the .def/_HFA.def files> (if different than $FWDIR/lib)] [-f (to force override)] [-mode <upgrade or export>]

To restore changed files run with -restore [-index <HFA index>].

 

Do I need to refer to a specific hotfix in order do restore the .def files?

 

0 Kudos
PhoneBoy
Admin
Admin

Not sure.
Best to engage the TAC here.

0 Kudos
the_rock
Legend
Legend

I dont think that would be related to specific jumbo, honestly. As the guys said, TAC is your best bet at this point to solve this faster. Clearly, there is syntax missing somewhere, which is whats preventing policy push.

0 Kudos
ha
Explorer

Thank you all for your suggestions. We will open a TAC case.

0 Kudos
the_rock
Legend
Legend

In the spirit of the community, please do share how it gets fixed, as that always helps other folks.

Cheers mate.

0 Kudos
ha
Explorer

Yes, I will do that. I have a remote session with TAC scheduled this week.

 

 

0 Kudos
Olavi_Lentso
Contributor

What was the solution to the problem?

0 Kudos
ha
Explorer

There was a syntax error in the file: /opt/CPsuite-R81.20/fw1/lib/user_early.def
After adding #endif at the end of the file, we could successfully push the policy again. 

0 Kudos
the_rock
Legend
Legend

Here is what you need to do to fix this problem. IF mgmt is on R81.10 and gateway on R80.40, do below on your management server and Im fairly confident it will work.

# cd $FWDIR/conf
# cp user.def.FW1 user.def.R8040CMP
 
Thats it. Then push the policy.
 
Make sure to backup all those files first.
0 Kudos
_Val_
Admin
Admin

Please open a TAC case: https://help.checkpoint.com

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events