Gaia WebUI connection reset
Hi all,
I need help with the situation below: I have a cluster with 2 security gateways 6200 and version R81.10 jumbo hotfix take 109. When trying to access the Gaia WebUI on port 4434, I see in tcpdump that the connection is reset. This behavior happens on both gateways, in the same network segment. I've been through some SKs like sk118801, sk97648, sk91380 and sk8456, but unsuccessfully. Does anyone have any ideas about this problem?
Thanks!
Log:
[Expert@sg-02:0]# tcpdump -nni any port 4434
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
01:04:50.861888 ethertype IPv4, IP 192.168.2.102.55182 > 192.168.2.103.4434: Flags [S], seq 2801337733, win 29200, options [mss 1460,sackOK,TS val 1588764672 ecr 0,nop,wscale 10], length 0
01:04:50.861888 IP 192.168.2.102.55182 > 192.168.2.103.4434: Flags [S], seq 2801337733, win 29200, options [mss 1460,sackOK,TS val 1588764672 ecr 0,nop,wscale 10], length 0
01:04:50.862435 IP 192.168.2.103.4434 > 192.168.2.102.55182: Flags [R.], seq 0, ack 2801337734, win 0, length 0
01:04:50.862438 ethertype IPv4, IP 192.168.2.103.4434 > 192.168.2.102.55182: Flags [R.], seq 0, ack 1, win 0, length 0
[Mon Aug 28 00:29:50.567941 2023] [mpm_prefork:notice] [pid 16389] AH00169: caught SIGTERM, shutting down
[Mon Aug 28 00:29:52.641150 2023] [mime_magic:error] [pid 18542] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Mon Aug 28 00:29:52.655702 2023] [so:warn] [pid 18542] AH01574: module setenvif_module is already loaded, skipping
[Mon Aug 28 00:29:52.655719 2023] [so:warn] [pid 18542] AH01574: module headers_module is already loaded, skipping
[Mon Aug 28 00:29:52.658564 2023] [core:warn] [pid 18542] AH00117: Ignoring deprecated use of DefaultType in line 421 of /web/conf/httpd2.conf.
AH00558: httpd2: Could not reliably determine the server's fully qualified domain name, using 192.168.2.103. Set the 'ServerName' directive globally to suppress this message
[Mon Aug 28 00:29:52.658751 2023] [mime_magic:error] [pid 18542] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Mon Aug 28 00:29:52.658796 2023] [ssl:warn] [pid 18542] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Aug 28 00:29:52.660513 2023] [mpm_prefork:notice] [pid 18542] AH00163: CPWS/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Mon Aug 28 00:29:52.660552 2023] [core:notice] [pid 18542] AH00094: Command line: '/web/cpshared/web/Apache/2.2.0/bin/httpd2 -f /web/conf/httpd2.conf -D FOREGROUND
Is it only a particular segment that’s having an issue or from anywhere?
Is the Platform Portal port in the Cluster object set to use port 4434?
Hi @PhoneBoy
This behavior is from anywhere. Yes, in the Platform Portal it is configured to use port 4434.
@eltonsimoes is it resolved? We are facing the same issue.
@vishnusecurrent not yet!
Did you manage to resolve it? Found the same problem on a 6200 cluster on 81.10JHF110.
I have the same issue with a 3600 running with R81.10 JHF41
netstat -a shows no listener on port 4434 which is set correctly.
the other cluster member runs fine
when restarting the service, this could be seen in httpd2_error_log:
[ssl:warn] [pid 508] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
but
--> LoadModule socache_shmcb_module modules/libmod_socache_shmcb.so - is active in httpd2.conf
and
AH00558: httpd2: Could not reliably determine the server's fully qualified domain name, using 172.xxx,xxx.3 Set the 'ServerName' directive globally to suppress this message
and
[mime_magic:error] [pid 508] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
on the running member the correct lines follow and the service starts:
[ssl:warn] [pid 10019] AH01906: 172.xx.xxx.2:4434:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[ssl:warn] [pid 10019] AH01909: 172.xx.xxx.2:4434:0 server certificate does NOT include an ID which matches the server name
we follow sk84561 up to step 12, but no deeper hints found
kernel debug I want to take tomorrow
any ideas? TAC case needed?
best regards
Gero
when searching the internet I found this, which I would like to check out:
when there is a httpd-ssl.conf
adding this line
SSLSessionCache "shmcb:logs/ssl_scache(512000)"
tomorrow I will have a new session with my customer to try out 🙂
best regards
Gero
But I found this by investigating the cpinfo
in /tmp/cpinfo_hcp_log
+------------------------------------------------------------------------------------------------------------------------------------+
| Gaia OS/General/HTTPD SSL CONF FILE |
+------------------------------------------------------------------------------------------------------------------------------------+
| Result: ERROR |
| |
| Description: Verify httpd-ssl.conf.templ is correct |
| |
| Summary: File httpd-ssl.conf.templ may be empty or corrupted! |
| |
| Finding: |
| File httpd-ssl.conf.templ may be empty or corrupted! |
| |
| Suggested solutions: |
| - Replace file /web/templates/httpd-ssl.conf.templ with the one in /web/templates/httpd-ssl.conf.templ.bak |
| you may run the following: |
| 1. /usr/bin/cp /web/templates/httpd-ssl.conf.templ.bak /web/templates/httpd-ssl.conf.templ |
| 2. /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active |
| 3. tellpm process:httpd2 |
| 4. tellpm process:httpd2 t |
| |
| |
So I would like to follow up on this, because all files are generated by templates and should not be manipulated manually 🙂
so far
Gero
this correlates to
https://support.checkpoint.com/results/sk/sk180829
let's see tomorrow.....
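A read-only triage sketch for the symptom in this thread, added here as an example (not Check Point's or any poster's script): it lists endpoints that answer a SYN with a reset in `tcpdump -nn` text, and classifies the template state that the hcp finding describes. The function names, the state strings and the assumption that the generated httpd-ssl.conf carries an Apache `Listen` directive for the portal port are mine; the file paths and port are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, read-only: nothing here copies, regenerates or restarts anything.

# Print "ip.port" of every endpoint that answered a SYN with a reset in
# `tcpdump -nn` text read from stdin (closed port, i.e. nothing listening).
reset_after_syn() {
    awk '
        / IP / {
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
            sub(/:$/, "", dst)
            if ($0 ~ /Flags \[S\]/) syn[src " " dst] = 1
            else if ($0 ~ /Flags \[R\.?\]/ && ((dst " " src) in syn) && !seen[src]++) print src
        }'
}

# Classify the SSL template and the conf generated from it.
#   $1 template   $2 its .bak copy   $3 generated conf   $4 portal port
# Assumption: the generated conf holds "Listen [addr:]<port>" for the portal.
ssl_conf_state() {
    templ=$1 bak=$2 conf=$3 port=$4
    if [ ! -s "$templ" ]; then
        if [ -s "$bak" ]; then echo "template-empty-backup-present"
        else echo "template-empty-no-backup"; fi
    elif ! grep -Eq "^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?$port([[:space:]]|\$)" "$conf" 2>/dev/null; then
        echo "conf-lacks-listen-$port"
    else
        echo "ok"
    fi
}

# Constructed sample, modelled on the capture in the first post.
SAMPLE='01:04:50.861888 IP 192.168.2.102.55182 > 192.168.2.103.4434: Flags [S], seq 2801337733, win 29200, length 0
01:04:50.862435 IP 192.168.2.103.4434 > 192.168.2.102.55182: Flags [R.], seq 0, ack 2801337734, win 0, length 0'
printf '%s\n' "$SAMPLE" | reset_after_syn

# Paths as quoted in the hcp output above; a missing file counts as empty.
ssl_conf_state /web/templates/httpd-ssl.conf.templ \
    /web/templates/httpd-ssl.conf.templ.bak \
    /web/conf/extra/httpd-ssl.conf 4434
```

A reset in direct reply to the SYN together with `template-empty-backup-present` matches the case the hcp suggestion (and sk180829) addresses; `template-empty-no-backup` means the suggested copy step has nothing to restore from.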
Hi, @Gero_Stolle
Was the problem resolved by applying sk180829? Thanks for sharing!
Best Regards,
Elton Simões
That seems like a reasonable process to try.
Best,
Andy
Yes, following https://support.checkpoint.com/results/sk/sk180829
was successful, webgui accessible again. 🙂
Excellent!
Andy
