German_Cruz
Participant

Problem with DAIP on 1100 when doing fetch policy

There is a problem doing a fetch policy on an 1100 with DAIP.
mgmt R80.10 take 91

1100 R77.20.75

ISP Telmex ADSL
Router Mode standard
dynamically assigned IP address
------------------------------------WAN--------------LAN---------------------WAN(dhcp)-------LAN
INTERNET----------daip-------------Router ISP----------192.168.1.64--------------1180--------

SIC Connected

Security Management Server Status Connected

but it does NOT receive or install policies

Shell

"Management rejected fetch for this module - version matching problem.
Security Policy Fetch Failed.
Unable to fetch the Security Policy from the Management Server"

thanks!

ovidiu_catrina
Contributor

Looks like a general bug, since I have the same issue on DAIP 1100 and DAIP 1430s. It started recently.

There is an SK but I don't have access to it: Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and ...

maybe https://community.checkpoint.com/people/g.alba066e051-da82-3e7a-84e6-2bcbff226984‌ or https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc‌ can help on this.

Regards 

G_W_Albrecht
Legend

The sk115874 is not available for us. As the issue started only recently, it can either be the effect of a firmware upgrade (e.g. R77.20.52 --> R77.20.75) or of changes to the central management.

The most common reason for this issue was that the SMS is NATed behind the Main GW - see e.g. sk66381 and sk90361. Another issue was with low disk space when using self-configured IPS profiles. But I would look into sk90361 and sk105217 first!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
ovidiu_catrina
Contributor

Thanks for the quick reply.

I do believe it started with take 79:

Stabilization improvement of fwm, fw_loader and dbedit Security Management processes. 

0 Kudos
G_W_Albrecht
Legend

You mean R80.10 Jumbo T 79? I do not really believe that, as I only experienced such an issue after a firmware upgrade. I suggest consulting the SKs.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
ovidiu_catrina
Contributor

None of them apply.

These firewalls haven't been updated, just the management.

It happens for older firewalls with DAIP and newly installed firewalls with DAIP; they all get the same error.

[Expert@name]# fw fetch ***.***.***.***
Fetching Security Policy from ***.***.***.***

Management rejected fetch for this module - version matching problem.
Security Policy Fetch Failed.
Unable to fetch the Security Policy from the Management Server

In the masters file the IP is also set, but still nothing.

Tried to replace the fw_loader and still the same issue.

0 Kudos
German_Cruz
Participant

For older 1100 with DAIP, try to set the external MTU size to 1300 and get the policy. To do this, go to the WebUI and edit the Internet connection.
It seems that this change is working.

0 Kudos
G_W_Albrecht
Legend

Why not involve TAC here? Seems to me to be the only helpful thing to do now...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Markus_Laubende
Participant

I had the same problem...

Which hotfix do you have installed on your management server?

I fixed this as follows:

I uninstalled the hotfix on our management server, Gaia R80.10 take 85.

After that it works.

Don't forget to make a snapshot first.

German_Cruz
Participant

Thanks!! Works.

I have take 91 and I have uninstalled it. Then I restarted SIC
and it worked.
I think something in the take xx should be the problem.

0 Kudos
Marco_Pisano
Explorer
Hello guys, I solved it by changing the version on the gateway object from R77.20 to R75.20 and installing the policies via SmartConsole. I then changed the version from R75.20 to R77.20 again and installed the policies via SmartConsole. At this point the fetch was successful.


ovidiu_catrina
Contributor

Hi all,

I managed to solve this problem.

It looks like in one of the patches they modified the binary file fw_loader.

Check Point provided another binary and since then I have had no further problems.

Regards 

0 Kudos
Us4r
Contributor

Hello, we had the same problem after upgrading from take 56 to take 103. We solved the problem by installing the ongoing take 112 on the management node.

Lars_S_
Contributor

Hi,

We have similar problems here.

Last week we upgraded our management server from 77.x to 80.10 Take 154.

Since then we have had problems installing policies on our 1120er Check Points (one cluster R77.20.80 and the other R77.20.75).

Before the upgrade we had absolutely no problems!

We have some branch locations with different internet access:

Business connect with VPN connection

MPLS with at least 10 Mbit synchronous internet

The MPLS locations have an 1120er cluster.

When I am installing a policy, the CPU load on both is about 100%.

That is normal on those devices and was the same before.

But now the policy won't install.

I get: Gateway: CHP1120
Policy: Policy Name
Status: Failed
    - Installation failed. Reason: IP = "IP address" is not available right now
--------------------------------------------------------------------------------
The Check Point has heavy load and the website isn't working well.

But the Check Point is available all the time (ICMP test).

When I am rebooting the machine, the policy will be fetched during the reboot.

When I am fetching the policy on the website, the Check Point is rebooting.

Really annoying.

This isn't working:

Policy installation on Centrally Managed 1100 appliance fails with "Installation failed. Reason: IP ... 

Does anyone have any advice?

Thanks

0 Kudos
G_W_Albrecht
Legend

A shot in the dark - IPS profile? Optimizing an IPS profile for SMB

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Lars_S_
Contributor

Thanks for the quick response but the profile is already set like you suggested.

I would like to try to disable IPS completely but I cannot install the policy... so I cannot deactivate IPS

0 Kudos
Lars_S_
Contributor

Well... it works.

Activated IPS again on every 1120 and it works.

Thank you very much for your optimizing IPS profile post!

G_W_Albrecht
Legend

It is not so much, mostly "leave out what you will never need" first, then go for other criteria to weed the protections out!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Lars_S_
Contributor

Okay an update ...

Disabled IPS on the cluster and the installation succeeded..

Will try that with the other checkpoints tomorrow...

Maybe the small checkpoints are too slow for IPS now?

Edit: Ok, was curious about that and disabled IPS on the second cluster and voila it's working without any problems now ...

So IPS is way too heavy for the little ones. Good to know.

0 Kudos
G_W_Albrecht
Legend

IPS is not too heavy, but flash-based units do not have so much disk space... So the policy install with a large IPS profile can be too much. It is considered best practice to create a separate IPS profile for Small Office gateways, that does not include IPS protections for traffic that does not pass through those gateways. Deactivating the server protections in this separate profile is a good example for this.

So even if you already have created a SMB IPS profile, you can exclude more protections until policy install works again.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Lars_S_
Contributor

Alright, I will exclude everything that isn't necessary for the locations.

I have a profile just for the SMB and the server profile is already disabled.

But I will have a look and try again.

Anyway, we are planning to upgrade to a slightly bigger one.

EOL of the 1120 is 2022, but it seems Check Point won't release any more firmware updates for the 1120.

Release 77.20.81 isn't supported for the 1120...

0 Kudos
G_W_Albrecht
Legend

Yes, R77.20.80 is the last official GA firmware. So up to End of Engineering Support in June 2020 there will be firmware fixes available if needed from TAC.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
