Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kristian_Nyquis
Contributor
Jump to solution

Problem to install policy

Hi

I am trying to install a policy on my 1430/1450 GW with Smart Console. When i try to install the policy for gateway VPNbox1 I get the following error message:

Gateway: VPNbox1
Policy: Policy_VPNBox1
Status: Failed
    - Compatibility package is not properly installed or configured.
--------------------------------------------------------------------------------

The Gateways are according to the picture bellow:

On my 1430/1450 unit I get an error when I try to fetch the policy.

Is it possible that theses two errors is related?

I have created a policy so the DCP traffic allowed in the gw-833ff3.

In the fw monitor i get traffic between the eth interfaces on i,I,o and O

gw-833ff3> fw monitor -e "host(XXX.XXX.XXX.XXX), accept;"
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth5:i[60]: XXX.XXX.XXX.XXX -> XXX.XXX.XXX.XXX (TCP) len=60 id=16128
TCP: 50078 -> 18191 .S.... seq=bb411dba ack=00000000
[vs_0][fw_1] eth5:I[60]: XXX.XXX.XXX.XXX -> XXX.XXX.XXX.XXX (TCP) len=60 id=16128
TCP: 50078 -> 18191 .S.... seq=bb411dba ack=00000000
[vs_0][fw_1] eth5:o[60]: XXX.XXX.XXX.XXX -> XXX.XXX.XXX.XXX (TCP) len=60 id=0
TCP: 18191 -> 50078 .S..A. seq=d491f51f ack=bb411dbb
[vs_0][fw_1] eth5:O[60]: XXX.XXX.XXX.XXX -> XXX.XXX.XXX.XXX (TCP) len=60 id=0

And alot more packages that i are not including

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

They are very much related.

SMB gateways require a different policy compilation process than a regular appliance.

This is provided through means of a compatibility package.

Because the system is not finding the correct compatibility package, no policy can be compiled for the gateway.

When the gateway tries to fetch said policy, it fails because none could be successfully compiled.

What's puzzling to me is why this isn't already installed as it should be by default.

You can verify it is installed by running the command from expert mode: rpm -q CPSFWR77CMP-R80

If this returns "package is not installed" then the package did not get installed. 

While you may be able to mount an installation CD/ISO, find the RPM, and install it using rpm -i, I suspect you'd be better off doing a fresh install on your 3000 series appliance.

View solution in original post

9 Replies
PhoneBoy
Admin
Admin

They are very much related.

SMB gateways require a different policy compilation process than a regular appliance.

This is provided through means of a compatibility package.

Because the system is not finding the correct compatibility package, no policy can be compiled for the gateway.

When the gateway tries to fetch said policy, it fails because none could be successfully compiled.

What's puzzling to me is why this isn't already installed as it should be by default.

You can verify it is installed by running the command from expert mode: rpm -q CPSFWR77CMP-R80

If this returns "package is not installed" then the package did not get installed. 

While you may be able to mount an installation CD/ISO, find the RPM, and install it using rpm -i, I suspect you'd be better off doing a fresh install on your 3000 series appliance.

Pedro_Espindola
Advisor

Agreed! Something isn't right with your SMS. I never needed to install anything else for R80.10 to work with the 1400 appliances. Are you running the latest version R77.20.70 on them?

0 Kudos
Kristian_Nyquis
Contributor

I did not have CPSFWR77CMP-R80 installed on my system. After installed this on my server it is working as expected.

Tomer_Sole
Mentor
Mentor

Please make sure that you have a Check Point Support Request for it. We would like to have our future versions more clear when policy installations fail, and I agree with you that this message isn't very clear.

G_W_Albrecht
Legend
Legend

One of our customers just had the same issue today - after inline CPUSE upgrade of SMS from R77.30 to R80.20 (including R80 Upgrade Verification and Environment Simulation), policy install on SMB devices show the error: compatibility package is not properly installed. Strange that this rpm is not installed...

And the real bad thing is that this error is only found in sk37720 and this sk speaks of SPLAT only, but not of CPSFRW77CMP-R80.(20 ) .

CCSE CCTE CCSM SMB Specialist
0 Kudos
Ryan_Ryan
Advisor

Same issue 

upgraded manager to R80.20 H47 from r77.30 uing installer upgrade command t101 package

 

Push policy to R77.20.75 1400 gateway error: Compatibility package is not properly installed or configured

 

ON manager: 

cd /sysimg/CPwrapper/linux/CPsfwr77cmp

rpm -ivh  CPSFWR77CMP-R80.20-00.i386.rpm

cpstop;cpstart

 

policy push succeeds

0 Kudos
Lars_S_
Contributor

Hi,

 

I cannot deploy new policies on our series 1400 too.

We updated our manager server to the latest 80.10 Hotfix (take 249).

Now I get the error on all my 1400 checkpoints:
cannot access /opt/CPSFWR77CMP-R80//CONF/lsm_cluster_subnet_override.xml: no such file or directory

I don't know why there are 2 // in the path.

The folder /opt/CPSFWR77CMP-R80/ is present on our management server but not on 1400 devices.

Also /opt/CPSFWR77CMP-R80/conf is there (for sure with one /) but the file lsm_cluster_subnet_override.xml is missing.

 

So I tried to install the RPM package and I have the folder /sysimg/CPwrapper/linux/CPsfwr77cmp on my management, but the folder is empty.

What now?

Regards

 

0 Kudos
PhoneBoy
Admin
Admin
Beat to engage with TAC on this issue.
0 Kudos
Lars_S_
Contributor

Hi,

I managed it on my own with the help of @Ryan_Ryan post.

I am using R80.10 installation so I needed the package CPSFWR77CMP-R80.00.i386.rpm

I downloaded the iso file and mounted it on my management server.
Trying to install the file like with rpm -ivh  CPSFWR77CMP-R80.00-00.i386.rpm I got "already installed".
So I forced the installation
rpm -ivh  CPSFWR77CMP-R80.20-00.i386.rpm --force
The package installed successful and now the policy installation on my 1400 checkpoints works again.

Regards

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events