Re: Lost access to gaia portal

Ryan_Ryan · ‎2018-05-23

Hi guys, running R77.30, not long ago we lost the ability to web to our gateway and manager, it used to work (self signed cert) but now the browser throws an error such as: "Can’t connect securely to this page" with no option to continue anyway.

Have tried 3 different browsers, and enabled all tls versions and even sslv3 but nothing helps.

Wireshark capture shows a client hello requesting, tlsv1.2 then tls v1.0, sslv3.0 then it stops.

Anyone got any solution for this? I would be happy just running plain http but it seems not an option.

config:

set web table-refresh-rate 15
set web session-timeout 10
set web ssl-port 443
set web ssl3-enabled on
set web daemon-enable on

thanks!

PhoneBoy · ‎2018-05-24

What does a tcpdump say when you try to access the Gaia portal?

I'm guessing you pushed a policy that blocked access to the Gaia portal.

There must be an explicit rule allowing the communication as it is not covered thru implied rules.

Maarten_Sjouw · ‎2018-05-24

Have you tried running the web sslport on 4434 or any other port instead, I don't know if you added some additional blade like Mobile access or just VPN Client access?

In the dashboard go into the object of the gateway and change the gateway portal from the HTTPS://<IP> to HTTPS://<IP:4434 and push policy as this will always overwrite the local setting and will reset the web ssl-port setting you change on the command line.

It is always recommendable to change the port for the GAIA portal.

Regards, Maarten

Ryan_Ryan · ‎2018-05-24

Hi thanks both for your replies.

I can telnet to the gateway on port 443 and its open, so access does not seem to be the issue, the issue seems more the gateway is not talking ssl/tls properly. I tried running on a different port and updating the gateway portal URL, but I get the same results, telnet works but web browsing fails.

chrome shows: ERR_CONNECTION_CLOSED

IE: Can’t connect securely to this page. This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

I regenerated the ssl cert on the gateway aswell then restarted the daemon but still the same issue!

tcpdump just shows a normal tcp handshake

PhoneBoy · ‎2018-05-24

Curious if there's anything in /var/log/httpd2_error_log that might explain it.

You might also try the couple of Linux CLI commands and the Wireshark troubleshooting process listed here: Troubleshoot SSL/TLS handshake in Google Chrome browser - Stack Overflow

Ryan_Ryan · ‎2018-05-24

Yes there are some logs in there, nothing relative to each attempt, these logs date to the time I restarted the http2 service:

[notice] SIGHUP received. Attempting to restart
[warn] module setenvif_module is already loaded, skipping
[warn] module headers_module is already loaded, skipping
[error] (1)Operation not permitted: mod_mime_magic: can't read magic file /web/conf/magic
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `192.168.1.1' does NOT match server name!?
[notice] CPWS configured -- resuming normal operations

curl is a good idea, although nothing too helpful came of it:

* schannel: failed to receive handshake, need more data

curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

PhoneBoy · ‎2018-05-25

I recommend opening a case with the TAC so this can be properly investigated.

Anas_Ahmad · ‎2019-04-09

Hello,

Did you get the solution for this because the same thing I am experiencing on R80.10 as well with latest take. New Deployment.

Tried to connect the laptop directly with MGMT port of firewall with is same network but no luck. How ever I am able to ping the firewall.

Checked the wireshark captures found client is sending hello but firewall is sending FIN.

piotto777 · ‎2019-08-16

Have you got a solution from TAC please?

We have same error message in /var/log/httpd2_error_log after R.77.30 node joined cluster.

tcpdump shows 3-WAY handshake OK and then nothing happened.

different browsers show blank screen, none of tcl scripts are not starting.

we have restarted httpd daemon - same issue.

/var/log/httpd2_error_log:

[Thu Aug 15 01:13:53 2019] [notice] caught SIGTERM, shutting down
[Thu Aug 15 01:14:40 2019] [error] (1)Operation not permitted: mod_mime_magic: can't read magic file /web/conf/magic
[Thu Aug 15 01:14:41 2019] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Aug 15 01:14:41 2019] [warn] RSA server certificate CommonName (CN) `192.168.1.1' does NOT match server name!?
[Thu Aug 15 01:14:41 2019] [warn] module setenvif_module is already loaded, skipping
[Thu Aug 15 01:14:41 2019] [warn] module headers_module is already loaded, skipping
httpd2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.1 for ServerName
[Thu Aug 15 01:14:41 2019] [error] (1)Operation not permitted: mod_mime_magic: can't read magic file /web/conf/magic
[Thu Aug 15 01:14:42 2019] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Aug 15 01:14:42 2019] [warn] RSA server certificate CommonName (CN) `192.168.1.1' does NOT match server name!?
[Thu Aug 15 01:14:42 2019] [notice] CPWS configured -- resuming normal operations

PhoneBoy · ‎2019-08-16

It looks like whatever certificate configured for the Gaia portal is a CA certificate.
You should probably replace it.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Or: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Are you a member of CheckMates?

Lost access to gaia portal