cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
ED
Silver

Connection with 'xxxxx' is lost

Hi,

 

This is the situation:

image.png

 

When i hover over the x sign it says 'Connection with xxxx is lost'. I can do the following:

-open up all the gateway object properties

-install policy

-SIC is communicating on the GW's objects

-SIC on SMS is greyed out

image.png

 

What i did was to poweroff the SMS to take a snapshot with VMware. After bootup I got these red x signs. Any ideas what could have happened?

0 Kudos
13 Replies

Re: Connection with 'xxxxx' is lost

Hi Ed,

I do occasionally notice similar strange 'behaviour' on SmartConsole myself. Sometimes it takes a while before SmartConsole updates the information correctly. 

Below are some of the things I would do in an attempt to cause SmartConsole to display the correct status of the gateways:

1) With a gateway/cluster selected, click on the Monitor option at the top and refresh the page a few times.

2) Toggle the "status" column off and toggle it back on.

3) Initiate some traffic from the gateways to the manager in the form of pings or fetching policy.

4) Reset SIC.

I hope this helps.

ED
Silver

Re: Connection with 'xxxxx' is lost

Hi @Nick_Doropoulos 

I have tried what you suggested except resetting SIC. Still the same problem. Before I try resetting SIC to the security gateways, shouldn't the status of SMS be marked as green? I find it strange that everything seems to work fine except the status column in the SmartConsole. There is not so much help to find on usercenter either. 

Re: Connection with 'xxxxx' is lost

Hi Ed, 

Another thing worth trying is to use another version of SmartConsole. That has fixed similar issues for me in the past. 

Give that a go too if you can and let us know of the result. 

ED
Silver

Re: Connection with 'xxxxx' is lost

@Nick_Doropoulos 

I am trying with these two different versions of SmartConsole:

image.png

 

Should I try to uninstall one of these on the management server?

image.png

Re: Connection with 'xxxxx' is lost

Hi Ed,

Build 122 is the latest one I believe so we can rule this out as well.

I would do the following as well if I were you:

1) Double-click on of the gateways, navigate to Network Management and select the "get interfaces without topology" option. This option will get all interfaces without changing your existing topology. This might just be what you need for the SMS to 'see' there are no issues with its connection to the gateway.

2) In expert mode, try cpstop ; cpstart in case there is a daemon responsible for this false status and needs restarting. Providing you use PSK-based VPNs and not certificate-based ones, there shouldn't be any service disruption to your environment.

3) If neither of the above works, try a failover of one of your clusters to see if that does it.

Once again, resetting SIC is another troubleshooting step worth doing I believe.

Let us know of the results.

Re: Connection with 'xxxxx' is lost

Try clearing the monitoring database as specified in this SK:

sk112058: Gateways & Servers view in R80 SmartConsole does not show statuses

This procedure seems to be the R80+ equivalent of clearing the SmartConsole cache files CPMILinksMgr.db* and applications.C* for the R7* SmartView Monitor when it displays incorrect status information about gateways as documented here:

sk100507: SmartConsole problems with Security Management Server / Multi-Domain Security Management S...

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
ED
Silver

Re: Connection with 'xxxxx' is lost

@Timothy_Hall 

I tried to run the script but the status is still red x and the hit counts wasn't cleared either. 

ED
Silver

Re: Connection with 'xxxxx' is lost

Can someone from CheckPoint tell me what check is being processed in the background to determine the Status of an object in SmartConsole? 

Re: Connection with 'xxxxx' is lost

On the gateway, the cpd daemon is the one responding to the status query on TCP port 18192 (CPD_amon). This traffic is allowed by an implied rule on the gateway so it shouldn't be blocked.   If the cpd daemon dies or is impaired on a gateway it won't report a status at all; the log file for this daemon is located in $CPDIR/log/cpd.elg.   In the R77.30 and earlier SmartView Monitor I'm pretty sure the SmartConsole GUI system would initiate the CPD_amon connection directly to the gateway itself to pull status.  Not sure if this is still the case in the R80+ SmartConsole, the SMS may well be the one maintaining this connection, I would assume via the corresponding cpd daemon on the SMS although it could be the cpstat_monitor (CPSM) process, not sure.  Might be worth checking out log file $FWDIR/log/cpstat_monitor.elg as well.

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
ED
Silver

Re: Connection with 'xxxxx' is lost

Hi @Timothy_Hall 

I ran the command: netstat -an | grep 18192 on the SG.

This shows that the connection between security gateway and SMS is established. 

image.png

How can it then say that the connection is lost in SmartConsole?

Re: Connection with 'xxxxx' is lost

OK so that confirms that the SMS is maintaining that monitoring connection but the status simply isn't getting reported to your SmartConsole GUI for some reason.  Try this:

1) Anything interesting in $FWDIR/log/cpstat_monitor.elg?

2) Open the SmartView Monitor.  To do this from SmartConsole: Logs & Monitor tab...New tab (+)...Tunnel & User Monitoring (lower left corner).  Does the Smartview Monitor report the same status for those gateways as the SmartConsole?

3) As a last resort, kill the cpstat_monitor daemon and let it restart.

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
ED
Silver

Re: Connection with 'xxxxx' is lost

@Timothy_Hall 

The cpstat_monitor.elg file is empty. SmartView Monitor shows status as disconnected.

I ran these commands:

cpwd_admin stop -name CPSM

cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"

 

No change. 

Re: Connection with 'xxxxx' is lost

Sounds like it is time for some debugging of the problem with TAC.  Can take a shot yourself if you want, these are probably the daemons you should look at:

sk108177: How to debug the "cpstat_monitor" daemon

sk86320: How to debug the CPD daemon

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos