Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Perry_McGrew
Contributor

Getting Error code: 0-2000232 when applying Access Policy to any Gateway

Jump to solution

We are R81 JHF17 on all our CP devices.   Our Mgt is on VM and we have 5800 HA Cluster and 8 CP3200s deployed at remote sites On 3/5, when attempting to install Policy the Access Policy install fails with the Error code: 0-2000232 - which simply states to contact Check Point support.   There is no "hits" in Secure Knowledge on this code.

Tech ran debugs and had me download 2 scripts to run.  One fails as it does not support R81 and apparently has not been updated.

Next we uploaded CPINFO / Migrate_export from MGT and a CPINFO off one of the 3200 GWs.   Apparently has had trouble "importing" them into the lab to see if he can recreate. 

The Policy Verify returns NO errors.   I can also change and deploy Threat Prevention Policy to ALL gateways.   

fw fetch to PASSIVE HA member fails.....  I have asked for Escalation yesterday and still waiting....as I have been asked to make a change to our Access Policy.  

But I thought I'd post out here to see if anyone has had this error or can offer suggestions on how to solve while I wait for TAC.

 

TIA - Perry

1 Solution

Accepted Solutions
Ofer_Barzvi
Employee
Employee

Hello Perry,

The error code 2000232 (documented in sk172484) was fixed in take 23 of R81 JHF, while the failure with error code 2000077 is a different issue that was fixed as well, but will be included in one of coming takes.

View solution in original post

0 Kudos
13 Replies
Vincent_Bacher
Advisor

Did you already press the escalate button? 

and now to something completely different
0 Kudos
Perry_McGrew
Contributor

Oh yes.   Pressed, called and thru "chat".   I reached out to our account team this afternoon as well.  BTW, I wish they'd change the "on hold" music 🙂  

Vincent_Bacher
Advisor

"BTW, I wish they'd change the "on hold" music'

I'm so glad I don't work in customer support any more. I can't stand the music and the slogans any more. 😄

and now to something completely different
Perry_McGrew
Contributor

There is SK154435 and our situation met the 1a scenario in the SK.  The error code displays differently in R81 -- which could be reason it did not show up when I searched on the code displayed in our R81.   Well, I got a pristine copy of the file from TAC and replace the one on the Mgt server.   Unfortunately, it did not fix the issue - same error.

Come to find there is a case open with Development that refers to issue, at least on R81, and they have a temporary workaround.  The script disables the environment setting that disables a conversion optimization setting.   It worked and I can now change and apply Access Policies.  The fix does not survive reboot.  No ETA when root cause will be fixed and made available 

the_rock
Authority
Authority

Just to save you time, dont bother pressing that "escalate" button at all, its useless. All that will do is have them get whoever is free to call you and that perosn may (or most likely will NOT) know anything about the case, so really pointless even doing so : )

0 Kudos
the_rock
Authority
Authority

There is an sk for it, check below (though not sure it applies to you):

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

 

By the way, I have a suggestion. You can message me offline, happy to help, as I know R81 pretty well by now...do fw ctl zdebug + drop | grep 18191 on master firewall or ANY firewall for that matter and see if you get anything when applying policy. Though, logically, if its a provlem on all gateways, then sounds like it could be something on mgmt server.

 

Andy

0 Kudos
Perry_McGrew
Contributor

Thanks for the SK.   It lists as a Fix is to upgrade to R81 -- which I have been running for some time.  The Escalation engineer told me that these Tasks assigned to Developers were specific to R81.  Apparently at least 13 "cases" have been reported and are monitoring them for an official fix. 

the_rock
Authority
Authority

I would really like to do remote and see if I can help you. I have few customers on R81 and I had never seen this issue. If you want, message me privately and we can do webex. Im free till 4 pm est.

Andy

0 Kudos
Eric_Boughton
Participant

Had this issue this morning after we did an update for something else to take R81 17. Turns out they also released an update date today T23 that fixes the issue.  Installed R81 T23 on management and we up and running. 

SK - sk172484

Jumbo - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

PRJ-23912,
PRHF-16377 - Security Management" Accelerated Policy installation may fail with the "Internal error" message if this policy contains changed services"

Perry_McGrew
Contributor

I applied T23 to my R81 JHF17 Mgt server this morning.  Now Access policy hangs / fails with Error code: 0-2-2000077   Task Process just sits and spins at 87% on my HA 5800's before ultimately failing.   Even after applying workaround provided by TAC, it failed with Internal Error.   Going to fall back to JHF17 and run command to disable optimization.  Fingers crossed.....

 

Perry_McGrew
Contributor

Falling back to JHF 17 did NOT clear up the issue even after doing the workaround documented in sk172484.  I re-opened my TAC case and the tech said that this error code was a "gateway" error code.   Something about an bad connection entry ??? Can't recall specifically.   Anyway,  rebooted my HA cluster members and that "fixed" the issue.   I have NOT re-applied JHF 23 to the Management server yet...

0 Kudos
Ofer_Barzvi
Employee
Employee

Hello Perry,

The error code 2000232 (documented in sk172484) was fixed in take 23 of R81 JHF, while the failure with error code 2000077 is a different issue that was fixed as well, but will be included in one of coming takes.

View solution in original post

0 Kudos
Perry_McGrew
Contributor

Thank you for the reply and the email.   I hope Check Point will take the suggestion of having an SK for any error code that we see reported.  In this case, knowing that a reboot of the GWs could temporarily resolve the problem causing the 2000077 error without any risk would have saved a lot of time waiting for Dallas support to free up a resource to look into the issue. 

We have re-applied JHF 23 to our Mgt server and have not seen the 2000077 error since we rebooted the HA cluster GWs.  Since JHF 23 is Mgt server specific, we are not opting to apply it to any of our 5800/3200 GWs which are R81 JHF 17.

0 Kudos