Hi guys, running R77.30, not long ago we lost the ability to web to our gateway and manager, it used to work (self signed cert) but now the browser throws an error such as: "Can’t connect securely to this page" with no option to continue anyway.
Have tried 3 different browsers, and enabled all TLS versions and even SSLv3, but nothing helps.
Wireshark capture shows a client hello requesting TLSv1.2, then TLSv1.0, then SSLv3.0, and then it stops.
Anyone got any solution for this? I would be happy just running plain http but it seems not an option.
config:
set web table-refresh-rate 15
set web session-timeout 10
set web ssl-port 443
set web ssl3-enabled on
set web daemon-enable on
thanks!
What does a tcpdump say when you try to access the Gaia portal?
I'm guessing you pushed a policy that blocked access to the Gaia portal.
There must be an explicit rule allowing the communication as it is not covered thru implied rules.
Have you tried running the web ssl-port on 4434 or any other port instead? I don't know if you added some additional blade like Mobile Access or just VPN client access.
In the dashboard, go into the object of the gateway and change the gateway portal from HTTPS://<IP> to HTTPS://<IP>:4434 and push policy, as this will always overwrite the local setting and will reset the web ssl-port setting you change on the command line.
It is always recommended to change the port for the Gaia portal.
Hi thanks both for your replies.
I can telnet to the gateway on port 443 and it's open, so access does not seem to be the issue; the issue seems more that the gateway is not talking SSL/TLS properly. I tried running on a different port and updating the gateway portal URL, but I get the same results: telnet works but web browsing fails.
Chrome shows: ERR_CONNECTION_CLOSED
IE: Can’t connect securely to this page. This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.
Curious if there's anything in /var/log/httpd2_error_log that might explain it.
You might also try the couple of Linux CLI commands and the Wireshark troubleshooting process listed here: Troubleshoot SSL/TLS handshake in Google Chrome browser - Stack Overflow
Yes there are some logs in there, nothing relative to each attempt, these logs date to the time I restarted the http2 service:
[notice] SIGHUP received. Attempting to restart
[warn] module setenvif_module is already loaded, skipping
[warn] module headers_module is already loaded, skipping
[error] (1)Operation not permitted: mod_mime_magic: can't read magic file /web/conf/magic
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `192.168.1.1' does NOT match server name!?
[notice] CPWS configured -- resuming normal operations
curl is a good idea, although nothing too helpful came of it:
* schannel: failed to receive handshake, need more data
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
I recommend opening a case with the TAC so this can be properly investigated.
Hello,
Did you get a solution for this? I am experiencing the same thing on R80.10 as well, with the latest take. New deployment.
Tried to connect the laptop directly to the MGMT port of the firewall, which is on the same network, but no luck. However, I am able to ping the firewall.
Checked the Wireshark captures and found the client is sending hello but the firewall is sending FIN.
Have you got a solution from TAC please?
We have same error message in /var/log/httpd2_error_log after R.77.30 node joined cluster.
tcpdump shows 3-WAY handshake OK and then nothing happened.
different browsers show blank screen, none of tcl scripts are not starting.
we have restarted httpd daemon - same issue.
/var/log/httpd2_error_log:
[Thu Aug 15 01:13:53 2019] [notice] caught SIGTERM, shutting down
[Thu Aug 15 01:14:40 2019] [error] (1)Operation not permitted: mod_mime_magic: can't read magic file /web/conf/magic
[Thu Aug 15 01:14:41 2019] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Aug 15 01:14:41 2019] [warn] RSA server certificate CommonName (CN) `192.168.1.1' does NOT match server name!?
[Thu Aug 15 01:14:41 2019] [warn] module setenvif_module is already loaded, skipping
[Thu Aug 15 01:14:41 2019] [warn] module headers_module is already loaded, skipping
httpd2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.1 for ServerName
[Thu Aug 15 01:14:41 2019] [error] (1)Operation not permitted: mod_mime_magic: can't read magic file /web/conf/magic
[Thu Aug 15 01:14:42 2019] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Aug 15 01:14:42 2019] [warn] RSA server certificate CommonName (CN) `192.168.1.1' does NOT match server name!?
[Thu Aug 15 01:14:42 2019] [notice] CPWS configured -- resuming normal operations
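Added example, not part of any post in this thread and not Check Point code: a Python probe that pins one TLS version per attempt and separates the symptom reported above (TCP connects, the ClientHello is sent, the peer closes with no TLS reply) from a TLS alert, a timeout or a TCP failure. The names `probe`, `survey` and `closing_listener` are hypothetical, and the local listener is a constructed stand-in for the behaviour seen in the captures.

```python
import socket
import ssl
import threading

CLOSED = "closed_without_tls_reply"  # TCP connected, no TLS bytes came back

def probe(host, port, version, timeout=5.0):
    """One handshake pinned to a single TLS version, classified by outcome."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # diagnostic only: the portal certificate is
    ctx.verify_mode = ssl.CERT_NONE  # self-signed; trust is not what is tested
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return "ok %s %s" % (tls.version(), tls.cipher()[0])
    except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError):
        return CLOSED                # FIN/RST right after the ClientHello
    except socket.timeout:
        return "timeout"
    except ssl.SSLError as exc:      # alert from the peer or local TLS failure
        return "tls_error %s" % (exc.reason or exc)
    except OSError as exc:           # refused, unreachable, ...
        return "tcp_error %s" % type(exc).__name__

def survey(host, port, versions=("TLSv1_2", "TLSv1_3")):
    """Probe each version separately. TLSv1 / TLSv1_1 can be added if the
    local OpenSSL build still offers them (many builds disable them)."""
    return {v: probe(host, port, getattr(ssl.TLSVersion, v)) for v in versions}

def closing_listener():
    """Constructed stand-in: accept, read the ClientHello, close silently."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.recv(4096)
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = closing_listener()
    print(survey("127.0.0.1", srv.getsockname()[1]))
```

A `closed_without_tls_reply` result for every version means the listener drops the connection before TLS negotiation starts, so client-side protocol settings are not the variable to change.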