veronikush29
Explorer

Security Gateway fails to connect Gaia Portal

Hi everyone, 

I have a pair of 5800 gateways running R80.10 - since the moment I started working on them I noticed I cannot access the Gaia Portal to complete their configuration via Smart Wizard.

I have tried 3 different browsers (Chrome, Firefox, Explorer) but nothing works.

I tried to restart the httpd2 process, but unfortunately that didn't help either.

Here is the httpd2 error log output.

The gateway IP address is 1.1.1.1/24.

Here is the output of the httpd2 error logs:

[Wed Apr 07 11:17:46.148003 2021] [ssl:info] [pid 17114] [client 4.4.4.4:57663] AH01964: Connection to child 1 established (server 1.1.1.1:443)
[Wed Apr 07 11:17:46.148102 2021] [ssl:debug] [pid 17114] ssl_engine_kernel.c(1949): [client 4.4.4.4:57663] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Wed Apr 07 11:17:46.148269 2021] [ssl:info] [pid 17116] [client 4.4.4.4:57664] AH01964: Connection to child 3 established (server 1.1.1.1:443)
[Wed Apr 07 11:17:46.148341 2021] [ssl:debug] [pid 17116] ssl_engine_kernel.c(1949): [client 4.4.4.4:57664] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Wed Apr 07 11:17:48.164178 2021] [reqtimeout:info] [pid 17114] [client 4.4.4.4:57663] AH01382: Request header read timeout
[Wed Apr 07 11:17:48.164192 2021] [ssl:debug] [pid 17114] ssl_engine_io.c(1212): (70007)The timeout specified has expired: [client 4.4.4.4:57663] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Wed Apr 07 11:17:48.164197 2021] [ssl:info] [pid 17114] [client 4.4.4.4:57663] AH01998: Connection closed to child 1 with abortive shutdown (server 1.1.1.1:443)
[Wed Apr 07 11:17:48.165199 2021] [reqtimeout:info] [pid 17116] [client 4.4.4.4:57664] AH01382: Request header read timeout
[Wed Apr 07 11:17:48.165217 2021] [ssl:debug] [pid 17116] ssl_engine_io.c(1212): (70007)The timeout specified has expired: [client 4.4.4.4:57664] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Wed Apr 07 11:17:48.165222 2021] [ssl:info] [pid 17116] [client 4.4.4.4:57664] AH01998: Connection closed to child 3 with abortive shutdown (server 1.1.1.1:443)
[Wed Apr 07 11:29:58.955943 2021] [core:info] [pid 17109] AH00096: removed PID file /var/run/httpd2.pid (pid=17109)
[Wed Apr 07 11:29:58.955956 2021] [mpm_prefork:notice] [pid 17109] AH00169: caught SIGTERM, shutting down
[Wed Apr 07 11:30:02.488435 2021] [mime_magic:error] [pid 32593] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Wed Apr 07 11:30:03.001587 2021] [ssl:warn] [pid 32593] AH01906: 1.1.1.1:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Apr 07 11:30:03.001600 2021] [ssl:warn] [pid 32593] AH01909: 1.1.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Wed Apr 07 11:30:03.009620 2021] [so:warn] [pid 32593] AH01574: module setenvif_module is already loaded, skipping
[Wed Apr 07 11:30:03.009629 2021] [so:warn] [pid 32593] AH01574: module headers_module is already loaded, skipping
[Wed Apr 07 11:30:03.011242 2021] [core:warn] [pid 32593] AH00117: Ignoring deprecated use of DefaultType in line 420 of /web/conf/httpd2.conf.
AH00558: httpd2: Could not reliably determine the server's fully qualified domain name, using 1.1.1.1. Set the 'ServerName' directive globally to suppress this message
[Wed Apr 07 11:30:03.011398 2021] [mime_magic:error] [pid 32593] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Wed Apr 07 11:30:04.000646 2021] [ssl:warn] [pid 32593] AH01906: 1.1.1.1:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Apr 07 11:30:04.000657 2021] [ssl:warn] [pid 32593] AH01909: 1.1.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Wed Apr 07 11:30:04.002698 2021] [mpm_prefork:notice] [pid 32593] AH00163: CPWS/2.4.16 (Unix) OpenSSL/1.0.1p configured -- resuming normal operations
[Wed Apr 07 11:30:04.002714 2021] [core:notice] [pid 32593] AH00094: Command line: '/web/cpshared/web/Apache/2.2.0/bin/httpd2 -f /web/conf/httpd2.conf -D FOREGROUND'

The output of tcpdump -ni Mgmt port 443:

[Expert@FwVero:0]# tcpdump -ni Mgmt port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Mgmt, link-type EN10MB (Ethernet), capture size 96 bytes
12:09:18.365857 IP 4.4.4.4.58667 > 1.1.1.1.https: S 292501612:292501612(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:09:18.368609 IP 4.4.4.4.58667 > 1.1.1.1.https: . ack 1321397747 win 16625
12:09:18.369687 IP 4.4.4.4.58667 > 1.1.1.1.https: P 0:137(137) ack 1 win 16625
12:09:18.373318 IP 4.4.4.4.58667 > 1.1.1.1.https: P 137:495(358) ack 1242 win 16314
12:09:18.583904 IP 4.4.4.4.58667 > 1.1.1.1.https: . ack 1333 win 16625
12:09:18.584642 IP 4.4.4.4.58667 > 1.1.1.1.https: . ack 1333 win 16625 <nop,nop,sack 1 {1242:1333}>
12:09:20.421895 IP 4.4.4.4.58667 > 1.1.1.1.https: . ack 1403 win 16607
12:09:23.611619 IP 4.4.4.4.58667 > 1.1.1.1.https: R 495:495(0) ack 1403 win 0
12:09:27.617689 IP 4.4.4.4.58671 > 1.1.1.1.https: S 3703035644:3703035644(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:09:27.620461 IP 4.4.4.4.58671 > 1.1.1.1.https: . ack 1152516678 win 16625
12:09:27.620625 IP 4.4.4.4.58671 > 1.1.1.1.https: P 0:169(169) ack 1 win 16625
12:09:27.623757 IP 4.4.4.4.58671 > 1.1.1.1.https: P 169:260(91) ack 171 win 16582
12:09:27.626365 IP 4.4.4.4.58671 > 1.1.1.1.https: F 260:260(0) ack 171 win 16582
12:09:27.626609 IP 4.4.4.4.58672 > 1.1.1.1.https: S 1569341768:1569341768(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:09:27.629144 IP 4.4.4.4.58671 > 1.1.1.1.https: R 261:261(0) ack 240 win 0
12:09:27.629193 IP 4.4.4.4.58671 > 1.1.1.1.https: R 3703035906:3703035906(0) win 0
12:09:27.629356 IP 4.4.4.4.58672 > 1.1.1.1.https: . ack 3879169805 win 16625
12:09:27.629469 IP 4.4.4.4.58672 > 1.1.1.1.https: P 0:169(169) ack 1 win 16625
12:09:27.632546 IP 4.4.4.4.58672 > 1.1.1.1.https: P 169:260(91) ack 171 win 16582
12:09:27.635287 IP 4.4.4.4.58672 > 1.1.1.1.https: P 260:729(469) ack 171 win 16582
12:09:27.657449 IP 4.4.4.4.58672 > 1.1.1.1.https: . ack 171 win 16582
12:11:08.263681 IP 2.2.2.2.56342 > 1.1.1.1.https: S 2238622963:2238622963(0) win 65535 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:11:08.267368 IP 2.2.2.2.56342 > 1.1.1.1.https: . ack 1094179899 win 1024
12:11:08.267725 IP 2.2.2.2.56342 > 1.1.1.1.https: P 0:180(180) ack 1 win 1024
12:11:08.277309 IP 2.2.2.2.56342 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
12:11:10.288314 IP 2.2.2.2.56342 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
12:11:17.338249 IP 2.2.2.2.56343 > 1.1.1.1.https: S 742014096:742014096(0) win 65535 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:11:17.341970 IP 2.2.2.2.56343 > 1.1.1.1.https: . ack 676845258 win 1024
12:11:17.342370 IP 2.2.2.2.56343 > 1.1.1.1.https: P 0:180(180) ack 1 win 1024
12:11:17.351341 IP 2.2.2.2.56343 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
12:11:19.363603 IP 2.2.2.2.56343 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
12:11:28.713434 IP 2.2.2.2.56346 > 1.1.1.1.https: S 3725733948:3725733948(0) win 65535 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:11:28.716443 IP 2.2.2.2.56346 > 1.1.1.1.https: . ack 2315813135 win 1024
12:11:28.719327 IP 2.2.2.2.56346 > 1.1.1.1.https: P 0:180(180) ack 1 win 1024
12:11:28.728326 IP 2.2.2.2.56346 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
12:11:30.740611 IP 2.2.2.2.56346 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>

36 packets captured
72 packets received by filter
0 packets dropped by kernel

I would appreciate any help. 

Thank you!

5 Replies
the_rock
Legend

Easy trick to fix this... Windows + R -> iexplore -> once you open old Explorer, go to Tools -> Internet Options -> check all SSL/TLS options at the bottom -> hit OK -> try again. I'm 99% sure it will work.

veronikush29
Explorer

[Attached image: 81D89FC0-7506-435C-8127-6D0E6EBAE1D4.jpeg]

Hi! Thank you for your reply, unfortunately it didn’t help 😕 
All the SSL TLS options are enabled, but the page is stuck in this 

PhoneBoy
Admin

Did you click the "continue to this website (not recommended)" link?
And is this R80.10 with no JHF installed?
Maybe the issue is: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

Of course, R80.10 is almost End of Support.
You should be using a later release.

Shira
Participant

Hi,

 

What was the solution?

 

WR,

Shira

veronikush29
Explorer

Hi 🙂 it was a long time ago - but if I remember correctly it was an MTU problem somewhere in my network that caused this. After we changed the MTU to match everywhere it worked.
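
The tcpdump output in the first post already carries the signature of the MTU mismatch named in the last reply: client 2.2.2.2 keeps acknowledging byte 1 while SACKing 1461:1567, so one full 1460-byte segment from the gateway never arrived although the smaller segment behind it did. The script below is an added example, not part of any post in this thread; it flags that pattern in the same tcpdump text format. The function name `find_stalled_flows` and the "hole is a multiple of the MSS" heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the tcpdump output in the first post.
SAMPLE = """\
12:09:18.365857 IP 4.4.4.4.58667 > 1.1.1.1.https: S 292501612:292501612(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:09:18.583904 IP 4.4.4.4.58667 > 1.1.1.1.https: . ack 1333 win 16625
12:09:18.584642 IP 4.4.4.4.58667 > 1.1.1.1.https: . ack 1333 win 16625 <nop,nop,sack 1 {1242:1333}>
12:09:20.421895 IP 4.4.4.4.58667 > 1.1.1.1.https: . ack 1403 win 16607
12:11:08.263681 IP 2.2.2.2.56342 > 1.1.1.1.https: S 2238622963:2238622963(0) win 65535 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:11:08.267725 IP 2.2.2.2.56342 > 1.1.1.1.https: P 0:180(180) ack 1 win 1024
12:11:08.277309 IP 2.2.2.2.56342 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
12:11:10.288314 IP 2.2.2.2.56342 > 1.1.1.1.https: . ack 1 win 1024 <nop,nop,sack 1 {1461:1567}>
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
SACK = re.compile(r"sack \d+ \{(\d+):(\d+)\}")

def find_stalled_flows(capture, min_repeats=2):
    """Return {flow: info} for flows whose ACK stays one or more full-MSS
    segments behind a SACKed block. Heuristic hint at an MTU problem, not proof."""
    mss = {}
    hits = defaultdict(int)  # (flow, ack, sack_left, sack_right) -> times seen
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        flow, rest = f"{m.group(1)} > {m.group(2)}", m.group(3)
        syn = re.search(r"mss (\d+)", rest)
        if syn:  # SYN carries the MSS this sender will accept
            mss[flow] = int(syn.group(1))
            continue
        ack, sack = re.search(r"\back (\d+)", rest), SACK.search(rest)
        if ack and sack:
            hits[(flow, int(ack.group(1)), int(sack.group(1)), int(sack.group(2)))] += 1
    result = {}
    for (flow, ack, left, right), count in hits.items():
        hole = left - ack  # bytes still missing in front of the SACKed block
        size = mss.get(flow)
        # hole <= 0 is a duplicate SACK for data already acknowledged, not a loss
        if size and hole > 0 and hole % size == 0 and count >= min_repeats:
            result[flow] = {"missing_bytes": hole, "mss": size,
                            "arrived_bytes": right - left, "repeats": count}
    return result

if __name__ == "__main__":
    for flow, info in find_stalled_flows(SAMPLE).items():
        print(flow, info)
```

The 4.4.4.4 flow is not flagged because its SACK block covers data that was already acknowledged; when TCP timestamps are in use the full-size payload is smaller than the advertised MSS, so the multiple-of-MSS test would need adjusting.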
