
Problem to install policy


Hi

I am trying to install a policy on my 1430/1450 GW with SmartConsole. When I try to install the policy for gateway VPNbox1 I get the following error message:

Gateway: VPNbox1
Policy: Policy_VPNBox1
Status: Failed
    - Compatibility package is not properly installed or configured.
--------------------------------------------------------------------------------

The gateways are according to the picture below:

On my 1430/1450 unit I get an error when I try to fetch the policy.

Is it possible that these two errors are related?

I have created a policy so the DCP traffic allowed in the gw-833ff3.

In the fw monitor I get traffic between the eth interfaces on i, I, o and O:

gw-833ff3> fw monitor -e "host(XXX.XXX.XXX.XXX), accept;"
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth5:i[60]: XXX.XXX.XXX.XXX -> XXX.XXX.XXX.XXX (TCP) len=60 id=16128
TCP: 50078 -> 18191 .S.... seq=bb411dba ack=00000000
[vs_0][fw_1] eth5:I[60]: XXX.XXX.XXX.XXX -> XXX.XXX.XXX.XXX (TCP) len=60 id=16128
TCP: 50078 -> 18191 .S.... seq=bb411dba ack=00000000
[vs_0][fw_1] eth5:o[60]: XXX.XXX.XXX.XXX -> XXX.XXX.XXX.XXX (TCP) len=60 id=0
TCP: 18191 -> 50078 .S..A. seq=d491f51f ack=bb411dbb
[vs_0][fw_1] eth5:O[60]: XXX.XXX.XXX.XXX -> XXX.XXX.XXX.XXX (TCP) len=60 id=0

And a lot more packages that I am not including.

1 Solution

Accepted Solutions
Admin

Re: Problem to install policy

They are very much related.

SMB gateways require a different policy compilation process than a regular appliance.

This is provided through means of a compatibility package.

Because the system is not finding the correct compatibility package, no policy can be compiled for the gateway.

When the gateway tries to fetch said policy, it fails because none could be successfully compiled.

What's puzzling to me is why this isn't already installed as it should be by default.

You can verify it is installed by running the command from expert mode: rpm -q CPSFWR77CMP-R80

If this returns "package is not installed" then the package did not get installed. 

While you may be able to mount an installation CD/ISO, find the RPM, and install it using rpm -i, I suspect you'd be better off doing a fresh install on your 3000 series appliance.

Re: Problem to install policy

Agreed! Something isn't right with your SMS. I never needed to install anything else for R80.10 to work with the 1400 appliances. Are you running the latest version R77.20.70 on them?

Re: Problem to install policy

I did not have CPSFWR77CMP-R80 installed on my system. After installing this on my server it is working as expected.

Re: Problem to install policy

Please make sure that you have a Check Point Support Request for it. We would like to have our future versions more clear when policy installations fail, and I agree with you that this message isn't very clear.

Re: Problem to install policy

One of our customers just had the same issue today - after inline CPUSE upgrade of SMS from R77.30 to R80.20 (including R80 Upgrade Verification and Environment Simulation), policy install on SMB devices shows the error: compatibility package is not properly installed. Strange that this rpm is not installed...

And the really bad thing is that this error is only found in sk37720, and this sk speaks of SPLAT only, but not of CPSFWR77CMP-R80.(20).

Copper

Re: Problem to install policy

Same issue.

Upgraded manager to R80.20 H47 from R77.30 using installer upgrade command t101 package.

Push policy to R77.20.75 1400 gateway error: Compatibility package is not properly installed or configured

On manager:

cd /sysimg/CPwrapper/linux/CPsfwr77cmp

rpm -ivh CPSFWR77CMP-R80.20-00.i386.rpm

cpstop;cpstart

Policy push succeeds.

Iron

Re: Problem to install policy

Hi,

I cannot deploy new policies on our 1400 series either.

We updated our manager server to the latest 80.10 Hotfix (take 249).

Now I get the error on all my 1400 checkpoints:
cannot access /opt/CPSFWR77CMP-R80//CONF/lsm_cluster_subnet_override.xml: no such file or directory

I don't know why there are 2 // in the path.

The folder /opt/CPSFWR77CMP-R80/ is present on our management server but not on 1400 devices.

Also /opt/CPSFWR77CMP-R80/conf is there (for sure with one /) but the file lsm_cluster_subnet_override.xml is missing.

So I tried to install the RPM package and I have the folder /sysimg/CPwrapper/linux/CPsfwr77cmp on my management, but the folder is empty.

What now?

Regards

Admin

Re: Problem to install policy

Best to engage with TAC on this issue.

Iron

Re: Problem to install policy

Hi,

I managed it on my own with the help of @Ryan_Ryan's post.

I am using an R80.10 installation, so I needed the package CPSFWR77CMP-R80.00.i386.rpm

I downloaded the ISO file and mounted it on my management server.
Trying to install the file with rpm -ivh CPSFWR77CMP-R80.00-00.i386.rpm I got "already installed".
So I forced the installation:
rpm -ivh CPSFWR77CMP-R80.20-00.i386.rpm --force
The package installed successfully and now the policy installation on my 1400 checkpoints works again.

Regards
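
The checks described across the replies above (the rpm -q query, the wrapper directory, and the case where rpm reports "already installed" while files are missing), combined into one read-only script. This is an added example, not part of any post in the thread or of Check Point's tooling; the RPM_CMD and ROOT overrides and the state names are hypothetical, and treating lsm_cluster_subnet_override.xml as the health marker is an assumption drawn from the error quoted above.

```shell
#!/bin/sh
# Added example: read-only check of the SMB compatibility package on a
# management server. Package name and paths are the ones quoted in the thread.
PKG="${PKG:-CPSFWR77CMP-R80}"   # query string from the accepted answer
RPM_CMD="${RPM_CMD:-rpm}"       # hypothetical override, for testing off-box
ROOT="${ROOT:-}"                # hypothetical path prefix, empty on a real server

# Prints one state: installed | installed-files-missing | rpm-available | rpm-unavailable
compat_state() {
    wrapper="$ROOT/sysimg/CPwrapper/linux/CPsfwr77cmp"
    xml="$ROOT/opt/$PKG/conf/lsm_cluster_subnet_override.xml"
    if "$RPM_CMD" -q "$PKG" >/dev/null 2>&1; then
        # The rpm database can report the package while its files are absent
        # (the "already installed" case in the thread).
        if [ -f "$xml" ]; then echo installed; else echo installed-files-missing; fi
        return 0
    fi
    # Not installed: look for an RPM to install from in the wrapper directory.
    for f in "$wrapper"/CPSFWR77CMP-*.rpm; do
        if [ -f "$f" ]; then echo rpm-available; return 0; fi
    done
    echo rpm-unavailable
}

# Maps a state to the step the thread participants reported for it.
next_step() {
    case "$1" in
        installed)               echo "package and files present" ;;
        installed-files-missing) echo "reinstall with rpm -ivh --force, then retry policy install" ;;
        rpm-available)           echo "rpm -ivh the package from the wrapper directory, then cpstop;cpstart" ;;
        rpm-unavailable)         echo "mount the installation ISO to get the RPM, or open a TAC case" ;;
        *)                       echo "unknown state"; return 1 ;;
    esac
}

state=$(compat_state)
echo "$PKG: $state -> $(next_step "$state")"
```

Run it from expert mode on the management server; set PKG if your release uses a different package string than the one in the accepted answer.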