Solved: Re: Sep 13 13:06:56 2022 CORP-FW1 kernel: [fw4_0];...

ESpataro · ‎2022-09-15

We are getting the following error in the /var/log/messages file on our corporate cluster@

Sep 13 13:06:56 2022 CORP-FW1 kernel: [fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed

Has anyone seen this before , cpinfo below

]# cpinfo -y all

This is Check Point CPinfo Build 914000227 for GAIA

[MGMT]

HOTFIX_R81_JUMBO_HF_MAIN Take: 69

[IDA]

No hotfixes..

[CPFC]

HOTFIX_TEX_ENGINE_R81_AUTOUPDATE

[FW1]

HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE

HOTFIX_R81_JUMBO_HF_MAIN Take: 69

HOTFIX_TEX_ENGINE_R81_AUTOUPDATE

HOTFIX_GOT_TPCONF_AUTOUPDATE

HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE

FW1 build number:

This is Check Point's software version R81 - Build 029

kernel: R81 - Build 029

[SecurePlatform]

HOTFIX_R81_JUMBO_HF_MAIN Take: 69

[CPinfo]

No hotfixes..

[PPACK]

HOTFIX_R81_JUMBO_HF_MAIN Take: 69

[AutoUpdater]

No hotfixes..

[DIAG]

No hotfixes..

[CVPN]

HOTFIX_R81_JUMBO_HF_MAIN Take: 69

[CPDepInst]

No hotfixes..

[CPUpdates]

BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE Take: 18

BUNDLE_CORE_FILE_UPLOADER_AUTOUPDATE Take: 17

BUNDLE_R81_JUMBO_HF_MAIN Take: 69

BUNDLE_TEX_ENGINE_R81_AUTOUPDATE Take: 14

BUNDLE_GOT_TPCONF_AUTOUPDATE Take: 107

BUNDLE_R80_40_MAAS_TUNNEL_AUTOUPDATE Take: 47

BUNDLE_HCP_AUTOUPDATE Take: 57

BUNDLE_GENERAL_AUTOUPDATE Take: 12

BUNDLE_CPSDC_AUTOUPDATE Take: 21

BUNDLE_INFRA_AUTOUPDATE Take: 55

BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 24

[cpsdc_wrapper]

HOTFIX_CPSDC_AUTOUPDATE

[hcp_wrapper]

HOTFIX_HCP_AUTOUPDATE

[core_uploader]

HOTFIX_CHARON_HF

[Expert@CORP-FW1:0]#

I saw this SK (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...) that references R81.10, but the same error message.

IPS is enabled:

[Expert@CORP-FW1:0]# enabled_blades

fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot mon

[Expert@CORP-FW1:0]#

Mika · ‎2024-04-25

This issue seems to be fixed with Jumbo HFA Take 141 (PRJ-50804, PRHF-28437)

View solution in original post

TJ_Aus

Appears to be addressed in R81.20 JHFA 70

PRJ-50805,
PRHF-28437

IPS

There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade.

List of All Resolved Issues and New Features in R81.20 Jumbo Hotfix Accumulator (checkpoint.com)

View solution in original post

Tal_Paz-Fridman · ‎2022-09-15

I think that as the SK suggests, you should contact TAC with the problem and the SK number so that they can see if the hotfix is relevant in this case.

Thomas_Eichelbu · ‎2023-05-24

Hello,

Yes sure i see this all over!
on all R81.10 FW´s

May 24 11:33:53 2023 XXXXXXX kernel: [fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 24 11:33:54 2023 XXXXXXX kernel: [fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed

[Expert@XXXXXX# fwmode -s
Firewall is Kernel mode
[Expert@XXXXXXX# enabled_blades
fw vpn urlf av appi ips SSL_INSPECT anti_bot content_awareness mon

but not on USFW FW ... here i dont see this logs.
[Expert@YYYYYYYYY:0:ACTIVE]# fwmode -s
Firewall is User mode
[Expert@YYYYYYYYY:0:ACTIVE]# enabled_blades
fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot mon

the question is, does it have any negative impact???
and it only affects Kernel Mode FWs?

best regards

the_rock · ‎2023-05-24

Have not seen those in R81.10 and R81.20, but have noticed it in R80.40 user mode. I dont recall it having any negative impact.

Andy

Mika · ‎2024-04-25

This issue seems to be fixed with Jumbo HFA Take 141 (PRJ-50804, PRHF-28437)

the_rock · ‎2024-04-25

Good job!

TJ_Aus · ‎2024-05-12

Fault exists in R81.20

May 13 11:52:16 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:52:32 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:52:32 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:53:24 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:53:24 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:53:28 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:53:28 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:53:47 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:53:47 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:53:58 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:53:58 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:54:24 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:54:24 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:54:48 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:54:48 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:54:56 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed
May 13 11:54:56 2024 hostname kernel:[fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed

Daniel_Kavan

I like to keep my IPS blade enabled as well. I am in kernel mode as well. It seems like this issue returned in R81.20. I've had a TAC issue open twice over the last year and have been told a fix will be coming in a R81.20 JHF release. JHF65 didn't fix it, but there are a lot of fixes in JHF70. It may be cosmetic, but makes it hard to weed thru & find a real issue. Also, looks like a Kernel alert which is a high priority.

[Thu Jul 11 13:20:17 2024] [fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is _data_conn failed
[Thu Jul 11 13:20:17 2024] [fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is _data_conn failed
[Thu Jul 11 13:20:21 2024] [fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is _data_conn failed
[Thu Jul 11 13:20:21 2024] [fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is _data_conn failed

Time: 2024-07-11T17:34:37Z
Id: ac160028-bcaf-fa17-6690-17a
Sequencenum: 164
Default Device Message:<1>Jul 11 13:34:37 kernel: [fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_conn failed

Facility: kernel messages
Syslog Severity: Alert
Syslog Date: Jul 11 13:34:37
Syslog Src: 2
Type: Log
Blade: kernel
Origin:
Product Family: Network
Marker: @A@@B@1720715921@C@2102602
Log Server Origin:
Origin Log Server IP:
Index Time: 2024-07-11T17:34:37Z
Lastupdatetime: 1720719277000
Lastupdateseqnum: 164
Severity: Informational
Confidence Level: N/A
Stored: true

TJ_Aus

Appears to be addressed in R81.20 JHFA 70

PRJ-50805,
PRHF-28437

IPS

There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade.

List of All Resolved Issues and New Features in R81.20 Jumbo Hotfix Accumulator (checkpoint.com)

Are you a member of CheckMates?

Sep 13 13:06:56 2022 CORP-FW1 kernel: [fw4_0];fwx_get_original_conn_key_ex: fwconn_chain_is_data_con