Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
stich86
Participant

Client upgrade failed from Gateway

Hi all,

i'm trying to setup the upgrade client from the Gateway. I've followed instructions on this topic: https://community.checkpoint.com/t5/Remote-Access-VPN/Client-upgrade-has-failed-with-Automatic-Upgra...

 

but the problem is when the client is trying to connect, it receives a 403 from the gateway, this is an extract from client logs:

 

[ 4116 4484][9 Oct 14:50:43][TalkCCC] talkccc::RunSend: sending the following data for file download: GET /CSHELL/TRAC.cab HTTP/1.1^M
User-Agent: TRAC/986101507^M
Host: 1.1.1.1^M (masked IP)
Connection: keep-alive^M
Cookie: CPCVPN_SESSION_ID=^M
^M[ 4116 4484][9 Oct 14:50:43][fwasync] fwasync_do_mux_in: 2188: rc=1, next: 587b70 with 5, req: 65536r, 0w
[ 4116 4484][9 Oct 14:50:43][cpwssl] cpSSL_fwasync_pending: No input data is pending.
[ 4116 4484][9 Oct 14:50:43][fwasync] fwasync_do_mux_in: 2188: got 0 of 65536 bytes == 65536 bytes required
[ 4116 4484][9 Oct 14:50:43][cpwssl] cpWinSSL_fwasync_read: 2880 bytes read from socket.
[ 4116 4484][9 Oct 14:50:43][wssl] WinSSL_Decrypt: DecryptMessage returned 80090318 (SEC_E_INCOMPLETE_MESSAGE)
[ 4116 4484][9 Oct 14:50:43][cpwssl] cpWinSSL_Decrypt_buffer: Decrypt status = 80090318. in=2880, out=0, extra_len=-1)
[ 4116 4484][9 Oct 14:50:43][cpwssl] cpWinSSL_Decrypt_buffer: incomplete ssl record. retry next data. in=2880, out=0, extra_len=-1)
[ 4116 4484][9 Oct 14:50:43][cpwssl] cpWinSSL_fwasync_read: cpWinSSL_Decrypt_buffer returned: 80090318
[ 4116 4484][9 Oct 14:50:43][cpwssl] cpWinSSL_fwasync_read: nothing to return to application.
[ 4116 4484][9 Oct 14:50:43][fwasync] fwasync_do_mux_in: SSL should retry
[ 4116 4484][9 Oct 14:50:43][fwasync] fwasync_do_mux_in: 2188: got 0 of 65536 bytes == 65536 bytes required
[ 4116 4484][9 Oct 14:50:43][cpwssl] cpWinSSL_fwasync_read: 2582 bytes read from socket.
[ 4116 4484][9 Oct 14:50:43][wssl] WinSSL_Decrypt: DecryptMessage returned 00000000 (SEC_E_OK)
[ 4116 4484][9 Oct 14:50:43][cpwssl] cpWinSSL_Decrypt_buffer: Decrypt status = 00000000. in=5462, out=4344, extra_len=1089)
[ 4116 4484][9 Oct 14:50:43][wssl] WinSSL_Decrypt: DecryptMessage returned 00000000 (SEC_E_OK)
[ 4116 4484][9 Oct 14:50:43][cpwssl] cpWinSSL_Decrypt_buffer: Decrypt status = 00000000. in=1089, out=1060, extra_len=0)
[ 4116 4484][9 Oct 14:50:43][cpwssl] cpWinSSL_fwasync_read: cpWinSSL_Decrypt_buffer returned: 00000000
[ 4116 4484][9 Oct 14:50:43][cpwssl] cpWinSSL_fwasync_read: delivering 5404 chars to application
[ 4116 4484][9 Oct 14:50:43][fwasync] fwasync_do_mux_in: 2188: managed to read 5404 of 65536 bytes
[ 4116 4484][9 Oct 14:50:43][fwasync] fwasync_do_mux_in: 2188: call: 587b70 with 5
[ 4116 4484][9 Oct 14:50:43][talkssl] talkssl::client_handler: state: SSL_RECV - entering
[ 4116 4484][9 Oct 14:50:43][talkssl] talkssl::client_handler: got 5404 bytes, wanted 65536 bytes
[ 4116 4484][9 Oct 14:50:43][fwasync] fwasync_conn_reset_read: 2188
[ 4116 4484][9 Oct 14:50:43][talkssl] talkssl::client_handler: calling recv with dlen 5404
[ 4116 4484][9 Oct 14:50:43][talkhttps] ATalkHttps::ssl_packet_receive_cb: called
[ 4116 4484][9 Oct 14:50:43][talkhttps] ATalkHttps::ssl_packet_receive_cb: HTTP server supports '1.1' version
[ 4116 4484][9 Oct 14:50:43][TalkCCC] talkccc::ReceiveEv: HTTP server supports '1.1' version
[ 4116 4484][9 Oct 14:50:43][TalkCCC] talkccc::ReceiveEv: Response status code - 403
[ 4116 4484][9 Oct 14:50:43][TalkCCC] talkccc::GetIdFromMsg: Invalid fwset. Cannot extract id.
[ 4116 4484][9 Oct 14:50:43][TalkCCC] talkccc::ReceiveEv: got http error response. Remove front download request
[ 4116 4484][9 Oct 14:50:43][TalkCCC] talkccc::RemoveRequest: Called with cccError 308
[ 4116 4484][9 Oct 14:50:43][TalkCCC] talkccc::RemoveRequest: Calling the notify callback for the request 4
[ 4116 4484][9 Oct 14:50:43][UPGRADE_MANAGER] UpgradeManager::Notify: Error, got 308 errorcode

 

If i'm trying to call manually that URI (https://myvpnc.domain.com/CSHELL/TRAC.cab) I got same 403 error.

 

How can I solve it?

 

Thanks in advance

0 Kudos
Reply
2 Replies
PhoneBoy
Admin
Admin

Looks similar to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
Please engage with the TAC to get the relevant hotfix.

0 Kudos
Reply
stich86
Participant

yes.. but just copy TRAC.cab\trac_ver.txt into SNX base didn't solve the issue.

So I made fix by my self, here is what i've done and may be can be helpful to someone else in the future:

Edit this file: vi $CVPNDIR/conf/includes/SNX.location.conf

Adding between "<Location /SNX/CSHELL>" and "Alias /CSHELL/" this part:

<Location /CSHELL>
CvpnAccessType none
CvpnCSRFenforceReferer Post
</Location>

 

Then restart HTTPD using these commands: cvpnstop ; cvpnstart

After that I was able to successful upgrade the client 🙂

0 Kudos
Reply