KikoLlanos
Contributor

1430 random crash with SecureXL enabled


Hello, good evening.

I have been detecting random appliance crashes for some time. If I disable securexl acceleration (fwaccel off command) the appliance is completely stable, but with securexl, it randomly crashes.

<1>[ 3771.640614] Unable to handle kernel NULL pointer dereference at virtual address 00000004

<1>[ 3771.648687] pgd = 80003000

<4>[ 94.038442] ######## wdt sysfs stop cmd

<1>[ 3771.651387] [00000004] *pgd=80000000004003, *pmd=00000000

<0>[ 3771.655305] Internal error: Oops: 207 [#1] SMP ARM

I have version R77.20.87 (990173083)

I hope you can help me... I would be sad to have to change this appliance in my homelab 😞 Attached is the last panic. Thank you and best regards

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

Do those come up right before it crashes?
If so, you might try: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
This can be used to SecureXL for the specific port in question (versus disabling entirely).


0 Kudos
42 Replies
the_rock
Authority

I wish I could give you a good suggestion, but reading some forums online about similar errors, it seems like it could be something with one of the drivers on the appliance itself. Did the issue ever happen before version 87?

Andy

0 Kudos
KikoLlanos
Contributor

Hi Andy.

This has been happening since I got this appliance, months ago. I don't remember the starting version.

Best regards

0 Kudos
PhoneBoy
Admin

If disabling SecureXL solves an issue, a TAC case is definitely in order.

0 Kudos
KikoLlanos
Contributor

Hi PhoneBoy

A TAC case is not an option... I'm using this appliance in my house because it is a gift from a training that I received. I think the license is expired.

I hope an engineer can check these logs and give me some more information.... If not, I'm afraid I'll have to replace my beloved Checkpoint with some other solution 😞

Thank you

0 Kudos
the_rock
Authority

I will do my best to help you. Let me do some more research and see what we can try.

Andy

0 Kudos
the_rock
Authority

Check out below:

https://unix.stackexchange.com/questions/21335/how-do-i-cause-a-watchdog-reset-of-my-embedded-linux-...

By the way, what happens if the box is rebooted with sxl enabled? Same problem?

Andy

0 Kudos
G_W_Albrecht
Legend

What do you intend with providing that link to watchdog reset? SMBs have no /dev/watchdog 😎

0 Kudos
KikoLlanos
Contributor

Hi Andy. Yes, the appliance restarts randomly with SecureXL enabled.

0 Kudos

Take a backup, reset the appliance and see if it is doing it with default settings as well.

0 Kudos
KikoLlanos
Contributor

I will try, but I think the problem is something in the kernel.

0 Kudos

If you gain enough evidence that it is not a device but a firmware-related issue, then I think Check Point R&D will likely take a look at it even without a support contract. But I second that the current firmware is very stable, so it is very likely to be corruption somewhere on the device itself.

0 Kudos
G_W_Albrecht
Legend

You should clearly see what blades are expired in the WebGUI. So currently you are using only the FW part of the SMB? Without IPS, AV, ABOT and URLF it may be beloved but is crippled to the bone! You could replace it with a Raspi and a Linux software FW, not losing any functionality. Why not extend the license and buy support for it? Then you also could use NGTP services (which do not work with expired services) and get help from TAC - an engineer can check these logs and give you a fixed firmware.

But the first attempt would be a reinstall from USB, flashing both backup and active firmware - the current R77.20.87 version is very stable according to my experience.

0 Kudos
KikoLlanos
Contributor

Hi.

Yes, the other option is to change to pfSense or OpenWrt. The problem is I will lose 6+1 LAN ports hehe.

License is expensive, this is a homelab, not an enterprise.

Meanwhile I'm looking for alternatives.

0 Kudos
G_W_Albrecht
Legend

As I said before - if you are only using the FW blade, this is not worth the $377 (or so) for a year's license, but if you protect your complete home (including wife's and kids' devices), IPS, AV, ABOT and URLF make much sense and are well worth the price.

But the first attempt to resolve it would be a reinstall from USB, flashing both backup and active firmware, as the current R77.20.87 version is very stable according to my experience. Maybe a bad block on flash is playing these tricks on you, and that will be over after flashing it, as formatting reallocates any bad blocks...

0 Kudos
the_rock
Authority

All valid points...but I really think the best way for him to know 100% if it's blade related or not is to slowly try removing blade by blade and observe the behavior. We all know those 1000 series appliances are not nearly as powerful with multiple blades enabled as some higher models...or, as you suggested before, do a factory reset and see what happens.

Andy

0 Kudos
G_W_Albrecht
Legend

True, I would suggest the same - but if the license is expired, he will only have the FW, IA, Advanced Networking and VPN blades left, and the blade disabling procedure is done with service blades 😎.

0 Kudos
the_rock
Authority

Or, if he is lucky enough, maybe someone from R&D will see this thread and decide to investigate more. Though, in my personal experience, CP is known literally not to put any effort into officially unsupported or non-licensed versions/devices. That's very unfortunate, because Cisco TAC, for example, has a few times spent at least a couple of hours with me on the phone helping with non-supported versions. But that's for another thread : )

0 Kudos
G_W_Albrecht
Legend

Non-supported versions do not hinder support from CP TAC - only if you have bought no license and support. If you get a Cisco device as a gift, without license or support, I cannot imagine Cisco TAC will spend hours on the phone with you 😎. There have been firmware versions for 7xx/14xx that rebooted autonomously sometimes every week, but I did not see that for the version in use. So I would rather suggest flashing from USB.

But if it is true that no SecureXL makes it stable, you could switch it off using userScript.

0 Kudos
the_rock
Authority

I once spent 6 hours on the phone with Cisco TAC for a device that did NOT have support or a license, and the guy literally did not want to get off the phone till we fixed the issue...I never ever heard of an example of something like that with CP TAC, but anyway :). Back to the subject...let's see if Kiko is willing to factory reset or try removing certain blades and let us know if the issue is still there.

Andy

_Val_
Admin

I find this comment unfair. No support means just that - no support

0 Kudos
G_W_Albrecht
Legend

I second that - that paid nerd spending 6 hours on the phone for free presumably does not work for this company anymore if he repeated that. AFAIK, there is no such thing as a free lunch and never was 😎

0 Kudos
the_rock
Authority

Wasn't free lunch a CP thing? lol. Anyway, I get your point, but I look at it from a totally different angle. Sometimes, making an exception can actually have great benefits.

0 Kudos
G_W_Albrecht
Legend

Yes - and it was your great benefit, I guess 😎 Making many exceptions will shorten your revenue and also give your paying customers a feeling of being treated unfairly - why should they pay and others get it for free? I am working as a CCSP and often make exceptions - but only for our existing customers, not for people who get an old box for free and are not able or willing to pay anything.

But I will not discuss that any longer - I am more used to a professional angle as I get my income from giving support...

0 Kudos
the_rock
Authority

I agree, let's not argue about it...waste of time anyway : ). Better to put the effort into technical stuff!

KikoLlanos
Contributor

Hello,

I came here to the forum since, without a support license, I imagined that a TAC case would be impossible.

Of course the last thing I want is to start a fight. I am just looking to see if a solution is possible, if not, then I will look for alternatives.

Starting by requesting the GPL source code used 🙂 maybe try to port OpenWrt? Install Linux? I don't know!

PhoneBoy
Admin

From a licensing point of view, FW + VPN don’t generally expire.
You can put an All-in-One eval on the appliance to allow the other blades to work (assuming the problem is there).

0 Kudos
G_W_Albrecht
Legend

I do not believe that a switched-off blade without license will do anything bad, but who really knows!

0 Kudos
KikoLlanos
Contributor

I'm trying to install the latest version, but I get the following error:

System Started...
/sys/devices/soc.0/fd840000.pcie-external2/pci0001:00/0001:00:00.0/0001:01:00.0/usb1/1-1/1-1:1.0/host0/target0:0:0/0:0:0:0/block/sda/sda1
The version of the image on the USB/SD is the same as the installed image. Not installing image

Maybe I should perform a rollback and then try to update?

Edit: done, performed a factory reset, and then flashed from USB.

0 Kudos
the_rock
Authority

So how long does it normally take for the issue to occur when SecureXL is enabled?

Andy

0 Kudos