Hello, good evening.
I have been detecting random appliance crashes for some time. If I disable securexl acceleration (fwaccel off command) the appliance is completely stable, but with securexl, it randomly crashes.
<1>[ 3771.640614] Unable to handle kernel NULL pointer dereference at virtual address 00000004
<1>[ 3771.648687] pgd = 80003000
<4>[ 94.038442] ######## wdt sysfs stop cmd
<1>[ 3771.651387] [00000004] *pgd=80000000004003, *pmd=00000000
<0>[ 3771.655305] Internal error: Oops: 207 [#1] SMP ARM
I have version R77.20.87 (990173083)
I hope you can help me.... I would be sad to have to change this appliance on my homelab 😞 Attached the last panic. Thank you and best regards
Do those come up right before it crashes?
If so, you might try: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
This can be used to disable SecureXL for the specific port in question (versus disabling entirely).
I wish I could give you a good suggestion, but reading some forums online about similar errors, it seems like it could be something with one of the drivers on the appliance itself. Did the issue ever happen before version 87?
Andy
Hi Andy.
This has been happening since I have had this appliance, months ago. I don't remember the starting version.
Best regards
If disabling SecureXL solves an issue, a TAC case is definitely in order.
Hi PhoneBoy
TAC case is not an option... I'm using this appliance in my house because it is a gift from a training that I received. I think the license is expired.
I hope an engineer can check these logs and give me some more information.... If not, I'm afraid I'll have to replace my beloved Checkpoint with some other solution 😞
Thank you
I will do my best to help you. Let me do some more research and see what we can try.
Andy
Check out below:
By the way, what happens if the box is rebooted with sxl enabled? Same problem?
Andy
What do you intend with providing that link to watchdog reset? SMBs have no /dev/watchdog 8)
Hi Andy. Yes, the appliance restarts randomly with securexl enabled.
Take backup, reset the appliance and see if it is doing it with default settings as well.
I will try, but the problem, I think, is something in the kernel.
If you gain enough evidence that it is not a device but a firmware-related issue, then I think CheckPoint R&D will likely take a look at it even without a support contract. But I second that the current firmware is very stable, so it is very likely to be corruption somewhere on the device itself.
You should clearly see what blades are expired in WebGUI. So currently you are using only the FW part of the SMB? Without IPS, AV, ABOT and URLF it may be beloved but is crippled to the bone! You could replace it with a Raspi and Linux sw FW, not losing any functionality. Why not extend the license and buy support for it? Then you also could use NGTP services (which do not work with expired services) and get help from TAC - an engineer can check these logs and give you a fixed firmware.
But the first attempt would be a reinstall from USB, flashing both backup and active firmware - the current R77.20.87 version is very stable according to my experience.
Hi.
Yes, the other option is to change to pfSense or OpenWrt. The problem is I will lose 6+1 LAN ports hehe.
License is expensive, this is a homelab, not an enterprise.
Meanwhile I'm looking for alternatives.
As I said before - if you are only using the FW blade, this is not worth the $377 (or so) for a year's license, but if you protect your complete home (including wife's and kids' devices), IPS, AV, ABOT and URLF make much sense and are well worth the price.
But the first attempt to resolve it would be a reinstall from USB, flashing both backup and active firmware, as the current R77.20.87 version is very stable according to my experience. Maybe a bad block on flash does play you these tricks, and that will be over after flashing it, as formatting reallocates any bad blocks...
All valid points...but, I really think the best way for him to know 100% if it's blade related or not is to slowly try removing blade by blade and observe the behavior. We all know those 1000 series appliances are not nearly as powerful having multiple blades enabled as some higher models...or, as you suggested before, do a factory reset and see what happens.
Andy
True, I would suggest the same - but if the license is expired, he will have only the FW, IA, Advanced Networking and VPN blade left, and the blades disabling procedure is done with service blades 8).
Or, if he is lucky enough, maybe someone from R&D will see this thread and decide to investigate more. Though, in my personal experience, CP is known literally not to put any effort into officially unsupported or non-licensed versions/devices. That's very unfortunate, because Cisco TAC, for example, spent a couple of hours at least on the phone with me a few times, helping with non-supported versions. But that's for another thread : )
Non supported versions do not hinder support from CP TAC - only if you have bought no license and support. If you get a Cisco device as a gift, without license or support, I cannot imagine Cisco TAC will spend hours on the phone with you 8). There have been firmware versions for 7xx/14xx that rebooted autonomously some times every week, but I did not see that for the used version. So I would rather suggest to flash from USB.
But if it is true that no SecureXL makes it stable, you could switch it off using userScript.
I once spent 6 hours on the phone with Cisco TAC for a device that did NOT have support or license and the guy literally did not want to get off the phone till we fixed the issue...I never ever heard an example of something like that with CP TAC, but anyway :). Back to the subject...let's see if Kiko is willing to factory reset or try removing certain blades and let us know if the issue is still there.
Andy
I find this comment unfair. No support means just that - no support.
I second that - that paid nerd spending 6 hours on the phone for free assumingly does not work for this company anymore if he repeated that. Afaik, there is no such thing as a free lunch and never was 8).
Wasn't free lunch a CP thing? lol. Anyway, I get your point, but I look at it from a totally different angle. Sometimes, making an exception can actually have great benefits.
Yes - and it was your great benefit, I guess 8) Making many exceptions will shorten your revenue and also give your paying customers a feeling of being treated unfairly - why should they pay and others get it for free? I am working as a CCSP and often do exceptions - but only for our existing customers, not for people who get an old box for free and are not able or willing to pay anything.
But I will not discuss that any longer - I am more used to a professional angle as I get my income from giving support...
I agree, let's not argue about it...waste of time anyway : ). Better putting an effort into technical stuff!
Hello,
I came here to the forum since, without a support license, I imagined that a TAC would be impossible.
Of course the last thing I want is to start a fight. I am just looking to see if a solution is possible, if not, then I will look for alternatives.
Starting by requesting the GPL source codes used 🙂 maybe try to port OpenWrt? Install Linux? I don't know!
From a licensing point of view, FW + VPN don’t generally expire.
You can put an All-in-One eval on the appliance to allow the other blades to work (assuming the problem is there).
I do not believe that a switched-off blade without license will do anything bad, but who really knows!
I'm trying to install the last version, but I get the following error:
System Started...
/sys/devices/soc.0/fd840000.pcie-external2/pci0001:00/0001:00:00.0/0001:01:00.0/usb1/1-1/1-1:1.0/host0/target0:0:0/0:0:0:0/block/sda/sda1
The version of the image on the USB/SD is the same as the installed image. Not installing image
Maybe I should perform a rollback and then try to update?
Edit: done, performed a factory reset, and then flashed from USB.
So how long does it normally take for the issue to occur when securexl is enabled?
Andy