ClaudiaPeter
Participant

R80.40 Policy install timeout, but new policy is active

Hi,

we recently updated from R80.10 to R80.40, Management Server and a Gateway Cluster of 5800 appliances.

We defined a new rule for HTTPS Inspection with Updatable Objects. Since then Policy Install fails with timeout. Deleting the new rule doesn't "repair" it.

- "fw stat" shows the new policy, and changes in the policy are effective.

- I don't think the install_policy_timeout value is the problem, the Management Server waits for a long time for the commit after "fw stat" already shows the new policy timestamp.

- Management Server $FWDIR/log/install_policy.elg:
...
Compiled OK.&CURRENTVERCMP
**##MSG_IDENTIFY##**3&0&Compilation was successful&50&<NULL>&1&CURRENTVERCMP
Installing Security Gateway policy on: gw-cluster ...&CURRENTVERCMP
**##MSG_IDENTIFY##**5&0&Transfer was successful.&gw2&<NULL>&1&CURRENTVERCMP
**##MSG_IDENTIFY##**5&0&Transfer was successful.&gw1&<NULL>&1&CURRENTVERCMP
Operation incomplete due to timeout.&CURRENTVERCMP
**##MSG_IDENTIFY##**8&2&Operation incomplete due to timeout.&<NULL>&<NULL>&1&CURRENTVERCMP

So the problem seems to be on the gateway side.


- Gateway /opt/CPsuite-R80.40/fw1/state/__tmp/FW1/install_policy_report.txt
...
17:43:15 4000051 InternalMsg UPInstallPolicyApp INFO up_install_policy_app.cpp 364 postLoadCommit ====== UP install policy App post-load commit end ======
17:43:15 4000052 InternalMsg Install Policy MGR INFO install_policy_mgr.cpp 1133 postLoadCommit Usermode postLoadCommit of InstallPolicyApp: (UP) with appType: (1), appPosition: (2) succeeded

So just the last line with "====== Usermode post-load commit end =====" is missing.


- According to sk114733, "du -k $FWDIR/state/__tmp/FW1/" on both Gateways should be the same, but they differ. The file local.upDB.sqlite differs.
Regrettably the sk does not mention what to do if the size of the directory differs.

I cannot find any sk on how to "reset" the directory $FWDIR/state/__tmp/FW1/. Can I just delete the files and get fresh copies from the management server with "fw fetch"?

(It's a production environment and I don't want to kill the Gateway by carelessly deleting files...)

Best regards
Claudia


Accepted Solutions
ClaudiaPeter
Participant

The solution was "standard": reboot.

It took only some longer discussions with the customer to be allowed to reboot the machines....

4 Replies
PhoneBoy
Admin

You can generally just delete the content of $FWDIR/state safely, though you can take a backup if you want to be on the safe side.

_Val_
Admin

I suggest investigating this with TAC. 

Can you show how your "New HTTPS Inspection rule with Updatable Objects" looks, though?

ClaudiaPeter
Participant

Actually the rule looks like:

Source: Any

Destination: Office365 Worldwide Services, Intune Services, Microsoft - recommended HTTPS bypass, Power B I Services, Webex Services

Services: https

Category/..: Any

Action: Bypass

Track: Log

Blade: All

Install On: one Gateway Cluster

Certificate: Outbound Certificate
