Re: get interfaces operation failed

--JayJay-- · ‎2018-08-31

While adding a gateway to a management station the gateway is added , but without interfaces and topology and an error message when establishing trust between management station (SMS) and gateway (GW).

The trust relationship between SMS and GW is showing an error:

"Failed to connect to GW (IP Address: '...').
Please make sure Check Point Services are running on GW, and trust has been established".

But the trust is nevertheless established as this is showing on the General Properties tab of the GW in the SMS / Smart Console (Green tick mark).

And "Test SIC status" button press results in : "SIC Status for GW: Communicating"

And as stated above , in the SMS, the GW is missing interfaces.

Get interfaces (with or without topology) in the SmartConsole, results in the error:

"get interfaces operation failed for .... (IP of gateway)".

Version R80.10.

Connection to GW is working for both ssh and https.

Vladimir · ‎2018-08-31

Try to perform "fw unloadlocal" on the gateway and repeat the "Get Interfaces".

Although the topology extraction should work with SIC in a good state.

Have you perchance changed any of the Global Properties?

Additionally, if this is a remote gateway, such as at one of the branches of the bank or a retail location, please make sure that your SMS is statically NATed and is not simply hiding behind local gateway's external IP.

--JayJay-- · ‎2018-08-31

Did the "fw unloadlocal" and after that another "Get interfaces", but with same result.

"Failed to connect to GW (IP Address: '...').
Please make sure Check Point Services are running on GW, and trust has been established".

The management server is in use for some years and has similar gateways (indeed remote/branch) added in the past, with NAT setting "hiding behind local gateway's external IP" ticked on the gateway.

The global properties have not been changed recently but are not default.

--JayJay-- · ‎2018-09-01

The management station's gateway has static NAT configured with external IP address on the NAT tab ,

On the same tab/page, in the "install on gateway"-box a dummy gateway is selected.

(The dummy gateway is configured elsewhere in the SMS).

On the same NAT tab/page, the "Apply for Security gateway control connections" box is ticked.

Would manualy added interfaces (for this GW, in SMS) lead to any drawback?

PhoneBoy · ‎2018-09-01

The main reason to "fetch" the interfaces is to reduce the risk of a potential configuration error, especially with respect to Anti-Spoofing.

Otherwise, it's ok to define them manually.

PhoneBoy · ‎2018-08-31

Maybe some general troubleshooting of SIC?

How to troubleshoot SIC

_Val_ · ‎2018-09-03

Although the commentators above suggested otherwise, SIC and fetching topology are unrelated.

SIC is performed by cpd on TCP, several 18XXX ports, and interfaces are fetched by fwd on a TCP port 256. Make sure fwd is running on the GW and port 256 is not blocked between MGMT and GW.

Jorn_Halsen_Luk · ‎2019-01-07

Had the same problem.

Allowing port 256 from SMS to the gateways solved the problem for me.

Wei_Soon_Heng · ‎2020-08-14

Hi JayJay,

Did you solved the issue?
I facing same error when try re-establish SIC connection using cp_conf command without restart service.

Thanks

clear_ip_bgp · ‎2024-10-27

Hello doing the same and experience the same problem, how did you manage to resolve?

Andrej_Kascak · ‎2024-12-11

hello all,

In my case cpstop;cpstart did the trick.

Are you a member of CheckMates?

get interfaces operation failed