1430 random crash with SecureXL enabled
Hello, good evening.
I have been detecting random appliance crashes for some time. If I disable securexl acceleration (fwaccel off command) the appliance is completely stable, but with securexl, it randomly crashes.
<1>[ 3771.640614] Unable to handle kernel NULL pointer dereference at virtual address 00000004
<1>[ 3771.648687] pgd = 80003000
<4>[ 94.038442] ######## wdt sysfs stop cmd
<1>[ 3771.651387] [00000004] *pgd=80000000004003, *pmd=00000000
<0>[ 3771.655305] Internal error: Oops: 207 [#1] SMP ARM
I have version R77.20.87 (990173083)
I hope you can help me.... I would be sad to have to change this appliance on my homelab 😞 Attached the last panic. Thank you and best regards
Accepted Solutions
Do those come up right before it crashes?
If so, you might try: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
This can be used to disable SecureXL for the specific port in question (versus disabling entirely).
I wish I could give you a good suggestion, but reading some forums online about similar errors, it seems like it could be something with one of the drivers on the appliance itself. Did the issue ever happen before version 87?
Andy
Hi Andy.
This has been happening since I have had this appliance, months ago. I don't remember the starting version.
Best regards
If disabling SecureXL solves an issue, a TAC case is definitely in order.
Hi PhoneBoy
A TAC case is not an option... I'm using this appliance in my house because it is a gift from a training that I received. I think the license is expired.
I hope an engineer can check these logs and give me some more information.... If not, I'm afraid I'll have to replace my beloved Checkpoint with some other solution 😞
Thank you
I will do my best to help you. Let me do some more research and see what we can try.
Andy
Check out below:
By the way, what happens if the box is rebooted with sxl enabled? Same problem?
Andy
What do you intend with providing that link to watchdog reset? SMBs have no /dev/watchdog 😎
Hi Andy. Yes, the appliance restarts randomly with SecureXL enabled.
Take a backup, reset the appliance and see if it is doing it with default settings as well.
I will try, but I think the problem is something in the kernel.
If you gain enough evidence that it is not a device but a firmware-related issue, then I think Check Point R&D will likely take a look at it even without a support contract. But I second that the current firmware is very stable, so it is very likely to be corruption somewhere on the device itself.
You should clearly see what blades are expired in WebGUI. So currently you are using only the FW part of the SMB? Without IPS, AV, ABOT and URLF it may be beloved but is crippled to the bone! You could replace it with a Raspi and Linux SW FW, not losing any functionality. Why not extend the license and buy support for it? Then you also could use NGTP services (which do not work with expired services) and get help from TAC - an engineer can check these logs and give you a fixed firmware.
But the first attempt would be a reinstall from USB, flashing both backup and active firmware - the current R77.20.87 version is very stable according to my experience.
Hi.
Yes, the other option is to change to pfSense or OpenWrt. The problem is I will lose 6+1 LAN ports hehe.
The license is expensive, this is a homelab, not an enterprise.
Meanwhile I'm looking for alternatives.
As I said before - if you are only using the FW blade, this is not worth the $377 (or so) for a year's license, but if you protect your complete home (including wife and kids devices), IPS, AV, ABOT and URLF make much sense and are well worth the price.
But the first attempt to resolve it would be a reinstall from USB, flashing both backup and active firmware, as the current R77.20.87 version is very stable according to my experience. Maybe a bad block on flash does play you these tricks, and that will be over after flashing it, as formatting reallocates any bad blocks...
All valid points...but, I really think the best way for him to know 100% if it's blade related or not is to slowly try removing blade by blade and observe the behavior. We all know those 1000 series appliances are not nearly as powerful having multiple blades enabled as some higher models...or, as you suggested before, do a factory reset and see what happens.
Andy
True, I would suggest the same - but if the license is expired, he will have only the FW, IA, Advanced Networking and VPN blades left, and the blades disabling procedure is done with service blades 😎.
Or, if he is lucky enough, maybe someone from R&D will see this thread and decide to investigate more. Though, in my personal experience, CP is known literally not to put any effort into officially unsupported or non-licensed versions/devices. That's very unfortunate, because Cisco TAC, for example, spent a couple of hours at least on the phone with me a few times, helping with non-supported versions. But, that's for another thread : )
Non-supported versions do not hinder support from CP TAC - only if you have bought no license and support. If you get a Cisco device as a gift, without license or support, I cannot imagine Cisco TAC will spend hours on the phone with you 😎. There have been firmware versions for 7xx/14xx that rebooted autonomously sometimes every week, but I did not see that for the used version. So I would rather suggest to flash from USB.
But if it is true that no SecureXL makes it stable, you could switch it off using userScript.
I once spent 6 hours on the phone with Cisco TAC for a device that did NOT have support or license and the guy literally did not want to get off the phone till we fixed the issue...I never ever heard an example of something like that with CP TAC, but anyway :). Back to the subject...let's see if Kiko is willing to factory reset or try removing certain blades and let us know if the issue is still there.
Andy
I find this comment unfair. No support means just that - no support.
I second that - that paid nerd spending 6 hours on the phone for free assumingly does not work for this company anymore if he repeated that. Afaik, there is no such thing as a free lunch and never was 😎.
Wasn't free lunch a CP thing? lol. Anyway, I get your point, but I look at it from a totally different angle. Sometimes, making an exception can actually have great benefits.
Yes - and it was your great benefit, I guess 😎 Making many exceptions will shorten your revenue and also give your paying customers a feeling of being treated unfairly - why should they pay and others get it for free? I am working as a CCSP and often do exceptions - but only for our existing customers, not for people who get an old box for free and are not able or willing to pay anything.
But I will not discuss that any longer - I am more used to a professional angle as I get my income from giving support...
I agree, let's not argue about it...waste of time anyway : ). Better putting an effort into technical stuff!
Hello,
I came here to the forum since, without a support license, I imagined that a TAC would be impossible.
Of course the last thing I want is to start a fight. I am just looking to see if a solution is possible, if not, then I will look for alternatives.
Starting by requesting the GPL source codes used 🙂 maybe try to port OpenWrt? Install Linux? I don't know!
From a licensing point of view, FW + VPN don’t generally expire.
You can put an All-in-One eval on the appliance to allow the other blades to work (assuming the problem is there).
I do not believe that a switched-off blade without license will do anything bad, but who really knows!
I'm trying to install the last version, but I get the following error:
System Started...
/sys/devices/soc.0/fd840000.pcie-external2/pci0001:00/0001:00:00.0/0001:01:00.0/usb1/1-1/1-1:1.0/host0/target0:0:0/0:0:0:0/block/sda/sda1
The version of the image on the USB/SD is the same as the installed image. Not installing image
Maybe I should perform a rollback and then try to update?
Edit: done, performed a factory reset, and then flashed from USB.
So how long does it normally take for the issue to occur when SecureXL is enabled?
Andy