problem with daip in 1100 when doing fetch policy

There is a problem doing a policy fetch on a 1100 with DAIP.
mgmt R80.10 take 91

1100 R77.20.75

ISP Telmex ADSL
Router mode: standard
Dynamically assigned IP address
------------------------------------WAN--------------LAN---------------------WAN(dhcp)-------LAN
INTERNET----------daip-------------Router ISP----------192.168.1.64--------------1180--------

SIC Connected

Security Management Server Status Connected

but it does NOT receive policies or install policies

Shell

"Management rejected fetch for this module - version matching problem.
Security Policy Fetch Failed.
Unable to fetch the Security Policy from the Management Server"

thanks!

1 Solution

Accepted Solutions

Re: problem with daip in 1100 when doing fetch policy

I had the same problem....

Which hotfix do you have installed on your management server?

I fixed this as follows...

I uninstalled the hotfix on our management server Gaia R80.10 take 85.

After that it works...

Don't forget to make a snapshot first.

21 Replies

Re: problem with daip in 1100 when doing fetch policy

Looks like a general bug, since I have the same issue on DAIP 1100 and DAIP 1430s; it started recently.

There is an SK but I don't have access to it: Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and ...

maybe https://community.checkpoint.com/people/g.alba066e051-da82-3e7a-84e6-2bcbff226984‌ or https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc‌ can help on this.

Regards 

Re: problem with daip in 1100 when doing fetch policy

The sk115874 is not available for us. As the issue started only recently, it can either be the effect of a firmware upgrade (e.g. R77.20.52 --> R77.20.75) or of changes to the central management.

The most common reason for this issue was that the SMS is NATed behind the Main GW - see e.g. sk66381 and sk90361. Another issue was with low disk space when using self-configured IPS profiles. But I would look into sk90361 and sk105217 first!

Re: problem with daip in 1100 when doing fetch policy

Thanks for the quick reply.

I do believe it started with take 79:

Stabilization improvement of fwm, fw_loader and dbedit Security Management processes. 

Re: problem with daip in 1100 when doing fetch policy

You mean R80.10 Jumbo T 79? I do not really believe that, as I only experienced such an issue after a firmware upgrade. I suggest consulting the SKs.

Re: problem with daip in 1100 when doing fetch policy

None of them apply.

These firewalls haven't been updated, just the management.

It happens for older firewalls with DAIP and newly installed firewalls with DAIP; they all get the same error.

[Expert@name]# fw fetch ***.***.***.***
Fetching Security Policy from ***.***.***.***

Management rejected fetch for this module - version matching problem.
Security Policy Fetch Failed.
Unable to fetch the Security Policy from the Management Server

In the masters file the IP is also set, but still nothing.

Tried to replace the fw_loader and still the same issue.

Re: problem with daip in 1100 when doing fetch policy

For older 1100 with DAIP, try to set the external size of the MTU to 1300 and get the policy. To do this, go to the WebUI and edit the Internet connection.
It seems that this change is working.

Re: problem with daip in 1100 when doing fetch policy

Why not involve TAC here? Seems to me to be the only helpful thing to do now...

Re: problem with daip in 1100 when doing fetch policy

Thanks!! It works.

I have take 91 and I have uninstalled it. Then I restarted the SIC, and it worked.
I think something in the take xx should be the problem.

Re: problem with daip in 1100 when doing fetch policy

Hello guys, I solved it by changing the version on the gateway object from R77.20 to R75.20 and installing the policies via SmartConsole. I then changed the version from R75.20 to R77.20 again and installed the policies via SmartConsole. At this point the fetch was successful.


Re: problem with daip in 1100 when doing fetch policy

Hi all,

I managed to solve this problem.

Looks like in one of the patches they modified the binary file fw_loader.

Check Point provided another binary and since then I have had no further problems.

Regards 

Re: problem with daip in 1100 when doing fetch policy

Hello, we had the same problem after upgrading from take 56 to take 103. We solved the problem by installing the ongoing take 112 on the management node.

Lars_S_
Iron

Re: problem with daip in 1100 when doing fetch policy

Hi,

We have similar problems here.

Last week we upgraded our management server from 77.x to 80.10 Take 154.

Since then we have had problems installing policies on our 1120 Check Points (one cluster R77.20.80 and the other R77.20.75).

Before the upgrade we had absolutely no problems!

We have some branch locations with different internet access.

Business connect with VPN connection

MPLS with at least 10 mbit synchronous internet

The MPLS locations have an 1120 cluster.

When I am installing a policy, the CPU load on both is about 100%.

That is normal on those devices and was also the case before.

But now the policy won't install.

I get: Gateway: CHP1120
Policy: Policy Name
Status: Failed
    - Installation failed. Reason: IP = "IP address" is not available right now
--------------------------------------------------------------------------------
Checkpoint has heavy load and the website isn't working well.

But the checkpoint is available all the time (ICMP test)

When I am rebooting the machine the policy will be fetched during the reboot.

When I am fetching the policy on the website the checkpoint is rebooting.

Really annoying.

This isn't working:

Policy installation on Centrally Managed 1100 appliance fails with "Installation failed. Reason: IP ... 

Does anyone have any advice?

Thanks

Re: problem with daip in 1100 when doing fetch policy

A shot in the dark - IPS profile? Optimizing an IPS profile for SMB

Lars_S_
Iron

Re: problem with daip in 1100 when doing fetch policy

Thanks for the quick response but the profile is already set like you suggested.

I would like to try to disable IPS completely but I cannot install the policy... so I cannot deactivate IPS

Lars_S_
Iron

Re: problem with daip in 1100 when doing fetch policy

Well... it works.

Activated IPS again on every 1120 and it works.

Thank you very much for your optimizing IPS profile post!

Re: problem with daip in 1100 when doing fetch policy

It is not so much, mostly "leave out what you will never need" first, then go for other criteria to weed those protections out!

Lars_S_
Iron

Re: problem with daip in 1100 when doing fetch policy

Okay an update ...

Disabled IPS on the cluster and the installation succeeded..

Will try that with the other checkpoints tomorrow...

Maybe the small checkpoints are too slow for IPS now?

Edit: Ok, was curious about that and disabled IPS on the second cluster and voila it's working without any problems now ...

So IPS is way too heavy for the little ones. Good to know.

Re: problem with daip in 1100 when doing fetch policy

IPS is not too heavy, but flash-based units do not have that much disk space... So the policy install with a large IPS profile can be too much. It is considered best practice to create a separate IPS profile for Small Office gateways that does not include IPS protections for traffic that does not pass through those gateways. Deactivating the server protections in this separate profile is a good example of this.

So even if you have already created an SMB IPS profile, you can exclude more protections until policy install works again.

Lars_S_
Iron

Re: problem with daip in 1100 when doing fetch policy

Alright, I will exclude everything that isn't necessary for the locations.

I have a profile just for the SMB and the server profile is already disabled.

But I will have a look and try again.

Anyway, we are planning to upgrade to a slightly bigger one.

EOL of the 1120 is 2022, but it seems Check Point won't release any more firmware updates for the 1120.

Release 77.20.81 isn't supported for the 1120...

Re: problem with daip in 1100 when doing fetch policy

Yes, R77.20.80 is the last official GA firmware. So up to End of Engineering Support in June 2020 there will be firmware fixes available if needed from TAC.
