Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

R81.10 Jumbo Hotfix Accumulator - New Ongoing take #61

eranzo
Employee
Employee
0 16 2,952

eranzo_0-1654228583576.jpeg

Hi All,

A new Ongoing Jumbo Hotfix Accumulator take for R81.10 (take 61) was released, and is available for download. Please refer to Jumbo documentation ( R81.10

Please note the following:

  •        Availability:

o   Available to download the via Jumbo documentation ( R81.10

o   Available for download via CPUSE by using package identifier.

o   Can be provided by customer support

 

Content included in this take:

  • NEW: Added support for Quantum LightSpeed Appliances Initial Release (Threat Prevention Stream). Refer to  sk179432.
  • List of resolved issue in this take can be found in the Jumbo documentation ( R81.10

 

New: Starting from R80.40, Central Deployment allows you to perform a batch deployment of Hotfixes on your Security Gateways and clusters from SmartConsole!!

For more information, see sk168597.

 

Thanks,

Release Operations Group

16 Comments
Nik_Bloemers
Advisor

The jumbo documentation is incorrect. The menu still shows Take 45 as GA, Take 55 as ongoing (while this has been promoted to GA two days ago) and I don't see the new ongoing take 61 anywhere.

Henrik_Noerr1
Advisor

Please update the release notes - and again update the RSS feed on new releases.

Thanks

RamGuy239
Advisor
Advisor

I installed this on a CPAP-SG3600 HA cluster, and a management server, dedicated log server and dedicated smartevent server all running on VMware ESXi 7.0.

Everything seems fine on both the gateways. But all three of the management installations no longer allowed for SSH login using a password:

No supported authentication methods available (server sent: publickey)

 

When I verified /etc/ssh/sshd_config it shows:
PasswordAuthentication no

It's normal on the gateways:
PasswordAuthentication yes


I suppose this is a bug? As it's not mentioned in the changelog and it's a rather extensive change to make without mentioning it. I would call it rather extensive even if it was mentioned.

Easy to fix by changing it back to PasswordAuthentication yes in /etc/ssh/sshd_config and rebooting using the console. But still.


Best regards,
Thomas Teige

RamGuy239
Advisor
Advisor

It reverts back to PasswordAuthentication no during boot/reboot. So I have to manually edit /etc/ssh/sshd_config after every boot and do a service sshd restart. Rather annoying.

Best regards,
Thomas Teige

Daniel_
Advisor

@RamGuy239 

Don't modify /etc/ssh/sshd_config. Use /etc/ssh/templates/sshd_config.templ instead and generate sshd_config via
/bin/sshd_template_xlate < /config/active

RamGuy239
Advisor
Advisor

@Daniel_ 

Thanks for the suggestion. Funny enough the template is already stating PasswordAuthentication yes so it's being ignored during boot. Doing as you say doesn't seem to work either, not even after manually restarting the service afterwards. I have to manually edit /etc/ssh/sshd_config and restart the service to be able to log back in using SSH without keys.

I'm going to test a fresh R81.10 mgmt in LAB to verify. It's happening on all three of our installations so it seems to be a consistent issue. A rather strange issue to not get catched before making Take 61 available as on-going JHF. Sure on-going has less QA compared to GA JHF but this is such an extensive bug that should be so easy to notice before releasing it as on-going.

Nik_Bloemers
Advisor

Apparently you can just modify the documentation URL to say take 61 to find the release notes, so here they are. Still, not really showing the power of the new release notes format if it's updated worse than the old way.

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.10/R81.10/Take_61.htm

the_rock
Legend
Legend

I learned valuable lesson ages ago...to NEVER install ongoing jumbo takes, too much headache to fix issues that come up after reboot. Way better to wait until they become GA.

MatanYanay
Employee
Employee

Hi all

I will split my answer for the 2 topics that were raised:

Regarding the Jumbo documentation – please note if you don’t see in the left panel the updates we formally released please check your browser cache, and clear it, after that you will be able to see the accurate data.

In parallel we are looking into it internally to see if we can adjust anything so this action will not needed in the future, but as I mention until than please just clear the browser cache   

Regarding the PasswordAuthentication issue, I appreciate your feedback and we will look into it.

I would like to say that we constantly invest in improving our JHF’s quality and doing everything in our power to release an ongoing jumbo in the best quality we can after intensive QA  cycle.

While our records and data shows constant improvements in our JHF, we understand there can still be open issues

But again, we are doing everything in our power to fix them and prevent them from happening at first place.

Thanks

Matan.

the_rock
Legend
Legend

@MatanYanay I can certainly appreciate your comment. I will say this though...I always hope that ongoing takes will become defunct and that every new jumbo will be GA, once it was properly tested and proved to be stable. 

Just my opinion.

genisis__
Leader Leader
Leader

There is something strange for sure.  From my home PC I see Take 55 is now GA and Take 61 is ongoing, from my work laptop (connected to the same network) I see Take 55 is still ongoing.

 

So it feels like some content has not been updated somewhere.

RamGuy239
Advisor
Advisor

@MatanYanay 

Thanks for your reply! I would just like to inform you that the issue does not seem to be as widespread as it first seemed. The very same issue struck our management, dedicated log server and dedicated SmartEvent server so it seemed like it was something affecting all management installations.

But upon deploying fresh R81.10 management on VMware ESXi using OVF-files and patching it to R81.10 JHF Take 61 it is not getting affected. I tried spinning up a dedicated log server and SmartEvent server as well and those didn't get affected either.

Difficult to say what is going on here. I tried to revert from snapshot on our management, log server and SmartEvent server and re-apply JHF Take 61 and the same issue with PasswordAuthentication setting itself to No is coming back every time.

Best regards,
Thomas Teige

Scottc98
Collaborator

I am having a similar issue as @RamGuy239  reported in regards to SSH access but slightly different.   I upgrade my lab smart-1 from Take 55 to Take 61 and had no issues with SSH afterwards.    On my lab 3800, i upgrade from take 45 to take 61 and it resulted in the same SSH issues mentioned on this thread.   GUI and console works fine but SSH gives me the same error as @RamGuy239 reported on the publickey return

MatanYanay
Employee
Employee

Hi @RamGuy239  and @Scottc98 

One of our R&D team leaders approach each of you to get more information on the problem you describe above.  

We are taking it very seriously in order to understand the exact issue and how we didn't catch it before we released the take 

appreciate if you can work with him offline so we get to the bottom of the issue and find the RC and provide a fix. 

Thanks 

Matan. 

RamGuy239
Advisor
Advisor

@MatanYanay 

I'm feeding you all the information required. I'm happy to assist to make sure that the software is the best it can be. Doesn't seem like this is very widespread, I even did a migrate_server and tried to see if the same issue occurred when migrating our management server over to a new host on VMware ESXi and even then it doesn't replicate.

Seems like there is something strange with our management installations that somehow triggered a rather rare bug to occur as I'm not able to replicate the behaviour on new installations at all no matter how much data I migrate over to the new installation.


Best regards,
Thomas Teige

MatanYanay
Employee
Employee

Hi All

Small update:

We fixed the Jumbo documentation left panel sync, starting now when new jumbo released you should see the left panel updated immediately.

if you still have issues please contact me offline matany@checkpoint.com

Thanks, 

Matan.

Labels