Hsu_Teddy
Participant

Add New VSX Gateway on R80.30 fail

Hi,

I tried to add a new VSX gateway in my lab with an R80.30 SM.

I followed the steps below.

1. Click add VSX gateway in SmartConsole.

2. Input the appliance name and IP address.

3. Select custom network.

4. Initialize the SIC.

5. Select the VLAN trunk interface.

6. Do not create a virtual network device.

7. Define the policy.

8. Click "Finish" and install policy, but I got a failure message. I can't finish adding the device.

Installing default Policy - NC-Proc-VSX-01_VSX on NC-Proc-VSX-01...
Layer 'NC-Proc-VSX-01_VSX Network': There is only one interface defined for object NC-Porc-SM-01. At least one more interface must be configured for this object in order to use the Anti-Spoofing feature.
Policy verification failed.
Failed to install default policy NC-Proc-VSX-01_VSX on NC-Proc-VSX-01

Installing VSX default policy operation has finished with errors.
This could have happen due to time-out while installing security policy.
Check the modules to see if security policy is installed. if so discard
this error message.
If policy is not installed make sure that the failed Virtual System/Router
is accessible from the management server, and that you have a valid license.
Try to install security policy manually from the SmartDashboard.
If the problem persists contact Check Point Technical Support.

Operation has failed.

The VSX gateway is a new install and there is no policy on it.

How can I fix this issue?

BR

 

 

0 Kudos
13 Replies
Maarten_Sjouw
Champion

Add a second interface with a bogus IP address.
Regards, Maarten
0 Kudos
Hsu_Teddy
Participant

Hi,
I added two new interfaces: eth1 is 172.16.100.254/24 and eth7 is 169.254.1.1/24. I reset the SIC and added it again.
It still shows the same error message below.
There is only one interface defined for object NC-Porc-SM-01. At least one more interface must be configured for this object in order to use the Anti-Spoofing feature.
Policy verification failed.

BR
0 Kudos
Maarten_Sjouw
Champion

Do you have the latest version of SmartConsole installed and the latest jumbo on your management?
I had some issues with wrong licenses on a system that was resolved by the latest version of the SmartConsole.
Regards, Maarten
0 Kudos
Hsu_Teddy
Participant

I upgraded SmartConsole from 993000036 to 993000042 and installed the hotfix from sk153152.
I got the same error messages.
0 Kudos
Maarten_Sjouw
Champion

Then there is only 1 thing left you can do: Open a TAC case.
Regards, Maarten
0 Kudos
mdjmcnally
Advisor

I see that you added more interfaces. Was this done AFTER attempting the VSX connection, and if so, how did you do this, as the interface config commands are disabled? If you are turning VSX off and configuring, are you also manually adding the physical interfaces so that they are present in the VSX Gateway object in SmartConsole? I would also suggest that you delete the Gateway object that has been created. You say you are adding a Gateway: do you run through the wizard or just use the classic?

Normally when adding a regular gateway, you just do the Gateway.

However, for VSX, always follow the wizard.

During the wizard, don't set anything regarding the interfaces in terms of VLAN, so you literally just end up with the base VSX Gateway added with the Custom template, with nothing set regarding the physical interfaces.

 

As such, I would suggest:

Step 1: On the gateway, run the command 'reset_gw'. You need to be in vs0, which is all that will be there.

Step 2: On the gateway, configure the interfaces up if not already configured.

Step 3: Delete the VSX Gateway in SmartConsole.

Step 4: Re-add the VSX Gateway and make sure it picks up the additional interfaces.

 

0 Kudos
Hsu_Teddy
Participant

Thanks for your suggestion.
This appliance is a new install with only basic address and routing settings.
Check Point's VSX Gateway/Cluster is not a normal gateway. It is a virtual firewall platform; you need to initialize SIC and create a new VS for service with the wizard first.

This issue does not happen on R75.40VS and R77.30.
0 Kudos
Hsu_Teddy
Participant

This appliance is an old, out-of-support device. I can't open a support TAC case. I am trying to reuse it in my lab.
0 Kudos
Maarten_Sjouw
Champion

If you are trying to run a pre-migration test for your in-maintenance management, for instance, they will help you.
The problem with the later versions is that in the wizard they added a step, which is the policy install; you cannot even try it without the wizard, as you do not even get that option anymore.
Regards, Maarten
0 Kudos
Daniel_Taney
Advisor

Just so I am following the issue correctly... Are you saying that SIC definitely gets established correctly to the new GW and you're past that point of the configuration of the GW?

Because I had an issue like this where I was unable to create a new Virtual Switch on a VSX Cluster and it turned out that because my SMS was 2 Firewall hops away from the VSX Management IP, TCP/18210 was getting dropped on one of the Firewalls and the SIC handshake wasn't fully completing, even though the Wizard would move past that point.

R80 CCSA / CCSE
0 Kudos
PatrikSkoglund
Contributor

"Layer 'NC-Proc-VSX-01_VSX Network': There is only one interface defined for object NC-Porc-SM-01. At least one more interface must be configured for this object in order to use the Anti-Spoofing feature."

 

Try removing the anti-spoofing from the interface that is created with the gateway. You might have to override the configuration and set it as an internal-facing interface if it is set to external by default.

0 Kudos
Maarten_Sjouw
Champion

All very nice, but I just started with a clean 4200 gateway and started the creation of a VSX-Gateway: named it, chose custom config, SIC'd it, did not set any trunks and continued as is. Policy added some source.

VSX.JPG

Next is a successfully installed VSX-gateway:

VSX2.JPG

So it looks like you did something to cause the issue.

Regards, Maarten
0 Kudos
Hsu_Teddy
Participant

After many tries, I found something different.
I used a standalone image as my SM at first, and adding the VSX gateway failed with the interface anti-spoofing error message.
I tried a new clean-install SM VM. I could add the VSX gateway successfully and create a VS.
Maybe they have some different settings in the default settings file.
0 Kudos
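
Added example, not part of the thread and not Check Point code: in the install log quoted in the first post, the anti-spoofing error names object NC-Porc-SM-01 while the install target is NC-Proc-VSX-01. The Python below extracts both names from such a log so the object that the verification error actually refers to stands out; the regular expressions and function names are assumptions built only from the log lines quoted in this thread.

```python
import re

# Install log as quoted in the first post of this thread.
SAMPLE_LOG = """\
Installing default Policy - NC-Proc-VSX-01_VSX on NC-Proc-VSX-01...
Layer 'NC-Proc-VSX-01_VSX Network': There is only one interface defined for object NC-Porc-SM-01. At least one more interface must be configured for this object in order to use the Anti-Spoofing feature.
Policy verification failed.
Failed to install default policy NC-Proc-VSX-01_VSX on NC-Proc-VSX-01
"""

# Patterns derived only from the lines above (assumption: other releases may word them differently).
INSTALL_RE = re.compile(r"^Installing default Policy - (\S+) on (\S+?)\.{3}$")
SPOOF_RE = re.compile(
    r"^Layer '([^']+)': There is only one interface defined for object (\S+?)\. "
)
FAILED_RE = re.compile(r"^Failed to install default policy (\S+) on (\S+)$")


def triage(log_text):
    """Summarise anti-spoofing verification errors in a policy install log."""
    report = {"policy": None, "target": None, "failed": False, "findings": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := INSTALL_RE.match(line):
            report["policy"], report["target"] = m.groups()
        elif m := SPOOF_RE.match(line):
            layer, obj = m.groups()
            report["findings"].append({"layer": layer, "object": obj})
        elif FAILED_RE.match(line):
            report["failed"] = True
    # Flag after the loop so the order of log lines does not matter.
    for f in report["findings"]:
        f["is_install_target"] = f["object"] == report["target"]
    return report


def objects_to_inspect(report):
    """Objects named in verification errors that are not the install target."""
    return sorted({f["object"] for f in report["findings"] if not f["is_install_target"]})


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("install target:", rep["target"], "| failed:", rep["failed"])
    for name in objects_to_inspect(rep):
        print("verification error refers to a different object:", name)
```
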
