R80.40 Policy install timeout, but new policy is active

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

May the 4th (+4)
Navigating Paradigm Shifts in Cyber

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

Hi,

we recently updated from R80.10 to R80.40, Management Server and a Gateway Cluster of 5800 appliances.

We defined a new rule for HTTPS Inspection with Updatable Objects. Since then Policy Install fails with timeout. Deleting the new rule doesn't "repair" it.

- "fw stat" shows the new policy, and changes in the policy are effective.

- I don't think the install_policy_timeout value is the problem, the Management Server waits for a long time for the commit after "fw stat" already shows the new policy timestamp.

- Management Server $FWDIR/log/install_policy.elg:
...
Compiled OK.&CURRENTVERCMP
**##MSG_IDENTIFY##**3&0&Compilation was successful&50&<NULL>&1&CURRENTVERCMP
Installing Security Gateway policy on: gw-cluster ...&CURRENTVERCMP
**##MSG_IDENTIFY##**5&0&Transfer was successful.&gw2&<NULL>&1&CURRENTVERCMP
**##MSG_IDENTIFY##**5&0&Transfer was successful.&gw1&<NULL>&1&CURRENTVERCMP
Operation incomplete due to timeout.&CURRENTVERCMP
**##MSG_IDENTIFY##**8&2&Operation incomplete due to timeout.&<NULL>&<NULL>&1&CURRENTVERCMP

So the problems seems to be on gateway side.

- Gateway /opt/CPsuite-R80.40/fw1/state/__tmp/FW1/install_policy_report.txt
...
17:43:15 4000051 InternalMsg UPInstallPolicyApp INFO up_install_policy_app.cpp 364 postLoadCommit ====== UP install policy App post-load commit end ======
17:43:15 4000052 InternalMsg Install Policy MGR INFO install_policy_mgr.cpp 1133 postLoadCommit Usermode postLoadCommit of InstallPolicyApp: (UP) with appType: (1), appPosition: (2) succeeded

So just the last line with "====== Usermode post-load commit end =====" is missing.

- According sk114733 "du -k $FWDIR/state/__tmp/FW1/" on both Gateways should be the same, but they differs. The file local.upDB.sqlite differs.
Regrettably the sk do not mention what to do if the size of the directory differs.

I cannot find any sk how to "reset" the directory $FWDIR/state/__tmp/FW1/. Can I just delete the files and get fresh copies from the management server with "fw fetch"?

(It's a production environment and I don't want to kill the Gateway with careless deleting files...)

Best regards
Claudia