--JayJay--
Participant

get interfaces operation failed

While adding a gateway to a management station, the gateway is added, but without interfaces and topology, and there is an error message when establishing trust between the management station (SMS) and the gateway (GW).

The trust relationship between SMS and GW is showing an error:

"Failed to connect to GW (IP Address: '...').
Please make sure Check Point Services are running on GW, and trust has been established".

But the trust is nevertheless established as this is showing on the General Properties tab of the GW in the SMS / Smart Console (Green tick mark).

And pressing the "Test SIC status" button results in: "SIC Status for GW: Communicating"

And as stated above, in the SMS, the GW is missing interfaces.

Get interfaces (with or without topology) in the SmartConsole results in the error:

"get interfaces operation failed for .... (IP of gateway)".

Version R80.10.

Connection to GW is working for both ssh and https.

0 Kudos
8 Replies
Vladimir
Champion

Try to perform "fw unloadlocal" on the gateway and repeat the "Get Interfaces".

Although the topology extraction should work with SIC in a good state.

Have you perchance changed any of the Global Properties?

Additionally, if this is a remote gateway, such as at one of the branches of the bank or a retail location, please make sure that your SMS is statically NATed and is not simply hiding behind local gateway's external IP.

0 Kudos
--JayJay--
Participant

Did the "fw unloadlocal" and after that another "Get interfaces", but with the same result.

"Failed to connect to GW (IP Address: '...').
Please make sure Check Point Services are running on GW, and trust has been established".

The management server has been in use for some years and has similar gateways (indeed remote/branch) added in the past, with the NAT setting "hiding behind local gateway's external IP" ticked on the gateway.

The global properties have not been changed recently but are not default.

 

0 Kudos
--JayJay--
Participant

The management station's gateway has static NAT configured with an external IP address on the NAT tab.

On the same tab/page, in the "install on gateway" box, a dummy gateway is selected.

(The dummy gateway is configured elsewhere in the SMS).

On the same NAT tab/page, the "Apply for Security gateway control connections" box is ticked.

Would manually added interfaces (for this GW, in SMS) lead to any drawback?

0 Kudos
PhoneBoy
Admin

The main reason to "fetch" the interfaces is to reduce the risk of a potential configuration error, especially with respect to Anti-Spoofing.

Otherwise, it's ok to define them manually.

0 Kudos
PhoneBoy
Admin

Maybe some general troubleshooting of SIC?

How to troubleshoot SIC 

0 Kudos
_Val_
Admin

Although the commentators above suggested otherwise, SIC and fetching topology are unrelated.

SIC is performed by cpd on several TCP 18XXX ports, and interfaces are fetched by fwd on TCP port 256. Make sure fwd is running on the GW and port 256 is not blocked between MGMT and GW.

Jorn_Halsen_Luk
Explorer

Had the same problem. 

Allowing port 256 from SMS to the gateways solved the problem for me.

0 Kudos
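The two replies above separate the SIC channel (cpd) from the topology fetch (fwd on TCP 256). As an added example, not part of the original thread or any Check Point tooling, this sketch probes both ports toward a gateway and maps the result to the symptom described here. Port 256 is from the thread; using 18191 as the cpd port is an assumption (the thread only says "18XXX"), and all function names are hypothetical.

```python
import socket
import sys

FWD_TOPOLOGY_PORT = 256   # from the thread: fwd serves "Get Interfaces" here
SIC_CPD_PORT = 18191      # assumption: the thread only says "18XXX" for cpd/SIC

def probe(host, port, timeout=3.0):
    """TCP connect test: 'open', 'refused' (reset received) or
    'no_answer' (timeout or unreachable, typically a silent drop)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # socket.timeout is a subclass of OSError
        return "no_answer"

def check_gateway(host, timeout=3.0):
    """Probe the SIC port and the topology-fetch port of one gateway."""
    ports = (SIC_CPD_PORT, FWD_TOPOLOGY_PORT)
    return {p: probe(host, p, timeout) for p in ports}

def diagnose(states):
    """Map probe results to the symptom described in the thread."""
    if states[FWD_TOPOLOGY_PORT] == "open":
        return "fwd_ok"             # connectivity to 256 is not the cause
    if states[SIC_CPD_PORT] != "open":
        return "sic_also_down"      # general reachability or SIC problem
    if states[FWD_TOPOLOGY_PORT] == "refused":
        return "fwd_not_listening"  # or a reject rule answering with a reset
    return "fwd_blocked"            # SIC fine, 256 dropped on the path

ADVICE = {
    "fwd_ok": "TCP 256 is reachable; look beyond connectivity.",
    "sic_also_down": "SIC port not reachable either; check routing, NAT and cpd.",
    "fwd_not_listening": "TCP 256 was reset; check that fwd is running on the GW.",
    "fwd_blocked": "SIC works but TCP 256 gets no answer; allow 256 from SMS to GW.",
}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_gw.py <gateway-ip>")
    result = check_gateway(sys.argv[1])
    print(result, "->", ADVICE[diagnose(result)])
```

The probe has to run from the management server's side of the path, since an intermediate firewall or NAT device may treat other source addresses differently.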
Wei_Soon_Heng
Contributor

Hi JayJay,

Did you solve the issue?
I am facing the same error when trying to re-establish the SIC connection using the cp_conf command without restarting the service.

Thanks

0 Kudos
