Solved: Re: Unable to access CP3100 R81.20, saying 'SmartC...

saitoh · ‎2024-07-07

Hi all,

I am really new to this product (about for a week), learning how this product works by boss's call.

I used to touch FortiGate from Fortinet, XGS Firewall from Sophos, Cloudgen Firewall from Barracuda, and SRX from Juniper.

I am having a hard time getting used to CP Firewall since I feel like it has a different architecture than any other product I have ever used.

Looking through several websites said to me that SmartConsole is used when accessing to software area.

I successfully did:

>config change

>factory reset

>powercycle the appliance

>clean install the OS

On-site work is on the way, and therefore getting the gist of how to handle the appliance is urgent for me.

Now, the error prevents me from accessing security gateway, on the console of which it says:

'SmartConsle has experienced a serious problem and needs to relaunch.'

This happens under the circumstance as follows:

>Windows11, and 10

>right credentials of admin account

>right IP address with GUI client configured

>smallest network diagram(directly connected, and no other appliances linked)

>no luck by trying to access with different PC

In trying to connect, SmartConsole goes like:

>shows login screen

>'Connecting to the server...', 'Initialising service...', 'Loading data...', then error pops out.

Sadly relaunching SmartConsole makes no difference.

I surmise the root cause of this inhabits the appliance since this error is observed from every PC I tested.

However, clean install GAiA OS does not resolve this issue.

A part of the crashlog of SmartConsole says:

-----------------------------------------------------------------------

(ERROR) AppShell.UnhandledExceptionReporter -

The composition produced multiple composition errors, with 5 root causes. The root causes are provided below. Review the CompositionException.Errors property for more detailed information.

1) Could not finishing composing object of type 'AppShellUI.ServerDetailsViewModel'. The import '

ContractName CP.Infrastructure.DLE.DleClient

RequiredTypeIdentity CP.Infrastructure.DLE.DleClient' was not satisfied.

2) Could not finishing composing object of type 'AppShellUI.ServerDetailsViewModel'. The import '

ContractName System.ComponentModel.Composition.Hosting.CompositionContainer

RequiredTypeIdentity System.ComponentModel.Composition.Hosting.CompositionContainer' was not satisfied.

3) Could not finishing composing object of type 'AppShellUI.ServerDetailsViewModel'. The import '

ContractName Comm.MgmtServer.ICommunicationProxyHelper

RequiredTypeIdentity Comm.MgmtServer.ICommunicationProxyHelper' was not satisfied.

4) Could not finishing composing object of type 'AppShellUI.ServerDetailsViewModel'. The import '

ContractName CP.GuiInfrastructure.VirtualCommandRepository

RequiredTypeIdentity CP.GuiInfrastructure.VirtualCommandRepository' was not satisfied.

5) Could not finishing composing object of type 'AppShellUI.ServerDetailsViewModel'. The import '

ContractName CP.Infrastructure.DLE.HelperClasses.DomainSessionInfoProvider

RequiredTypeIdentity CP.Infrastructure.DLE.HelperClasses.DomainSessionInfoProvider' was not satisfied.

-----------------------------------------------------------------------

I am not familiar with this kinds of things, but it seems to me that most of the error contains composing error.

R81.20, with JHF take 65 is applied to my CP3100

Any help and comment is more than appreciated.

That would be lovely if you let me know if I need to provide more information.

Thanks for reading my post!

Regards,

Shuto Saitoh

---------------------------------------------------

added on 11, 7, 2024

I forgot to mention that login with SmartConsole had worked until I had the error.

I might have done wrong while I tried some command on CLI which might make changes to directory.

(I have the faintest idea that I have typed the commands then. I just tried getting used to CLI tree, typing random commands.)

sliver bullet: casting repero or tossing it into the harbor

the_rock · ‎2024-07-10

API is failing, thats your issue. You can try api restart from expert, if that fails, try rebooting the mgmt server.

Andy

View solution in original post

Tal_Paz-Fridman · ‎2024-07-10

Can you please check if the file mgmt_api_profile_settings.xml exists in $FWDIR/conf/api ?

I suggest looking at https://support.checkpoint.com/results/sk/sk168832:

"API does not start"

View solution in original post

PhoneBoy · ‎2024-07-08

It could be something with a localized version of Windows.
I would try Portable SmartConsole and ensure you have all the required libraries installed: https://support.checkpoint.com/results/sk/sk116158
Note: these need to be 32bit versions (not 64bit ones).

saitoh · ‎2024-07-10

Dear PhoneBoy,

Thanks for your comment. I tried Portable one but sadly got the same error.

sliver bullet: casting repero or tossing it into the harbor

Lesley · ‎2024-07-08

Try to use the webbrowser version to see if you made an installation mistake or it is maybe issue on client:

To use Web SmartConsole:
navigate in a web browser to https://<Management Server IP address>/smartconsole

I assume it is management on the box?

-------
If you like this post please give a thumbs up(kudo)! 🙂

saitoh · ‎2024-07-10

Dear Lesley,

Thanks for your comment. Yes I installed Security Management as well as Security Gateway as you assume.

Actually I did not know that I can access management through browser.

I am not able to access management in the way, but it gives me a different error message.

'Unable to connect to server'

It means you have no L3 level connection to the box I surmise, but I can access to GAiA.

Therefore I believe things under L3 level should not be considered, but have no idea what else I might as well check.

sliver bullet: casting repero or tossing it into the harbor

the_rock · ‎2024-07-08

From ssh, can you send below:

fwm ver

$FWDIR/scripts/./cpm_status.sh

api status

cpwd_admin list

Andy

saitoh · ‎2024-07-10

Dear the_rock,

Thanks for your comment. I surmise those commands are used to check how the appliance is working.

Here is the log. It seems to me that API server is not working.

That would be highly appreciated if you enlighten me on this based on the log below.

---------------------------------------------------------------------------

[2024-07-11 11:31:53.479] Last login: Thu Jul 11 11:10:29 2024
[2024-07-11 11:31:53.969] cpm> fwm ver
[2024-07-11 11:32:05.695] This is Check Point Security Management Server R81.20 - Build 440
[2024-07-11 11:32:05.726] cpm> $FWDIR/scripts/./cpm_status.sh
[2024-07-11 11:34:20.135] CLINFR0329 Invalid command:'$FWDIR/scripts/./cpm_status.sh'.
[2024-07-11 11:34:20.135] cpm> $FWDIR/scripts/./cpm_status.sh
[2024-07-11 11:34:28.076] CLINFR0329 Invalid command:'$FWDIR/scripts/./'.
[2024-07-11 11:34:28.076] cpm> expert
[2024-07-11 11:34:30.966] Enter expert password:
[2024-07-11 11:34:33.167]
[2024-07-11 11:34:33.167]
[2024-07-11 11:34:33.167] Warning! All configurations should be done through clish
[2024-07-11 11:34:33.167] You are in expert mode now.
[2024-07-11 11:34:33.167]
[2024-07-11 11:34:33.394] [Expert@cpm:0]# $FwdiR WDIR.s /scripts/./cpm_status.sh
[2024-07-11 11:34:57.341] Check Point Security Management Server is running and ready
[2024-07-11 11:34:57.341] [Expert@cpm:0]# api status
[2024-07-11 11:35:09.308]
[2024-07-11 11:35:09.308] API Settings:
[2024-07-11 11:35:09.308] ---------------------
[2024-07-11 11:35:09.308] Accessibility: Unknown
[2024-07-11 11:35:09.308] Automatic Start: Disabled
[2024-07-11 11:35:09.308]
[2024-07-11 11:35:09.308] Processes:
[2024-07-11 11:35:09.308]
[2024-07-11 11:35:09.308] Name State PID More Information
[2024-07-11 11:35:09.308] -------------------------------------------------
[2024-07-11 11:35:09.308] API Stopped 20725
[2024-07-11 11:35:09.308] CPM Started 20725 Check Point Security Management Server is running and ready
[2024-07-11 11:35:09.308] FWM Started 20313
[2024-07-11 11:35:09.308] APACHE Started 7567
[2024-07-11 11:35:09.308]
[2024-07-11 11:35:09.308] Port Details:
[2024-07-11 11:35:09.308] -------------------
[2024-07-11 11:35:09.308] JETTY Internal Port: 0
[2024-07-11 11:35:09.308] JETTY Documentation Internal Port: 0
[2024-07-11 11:35:09.308] APACHE Gaia Port: 443
[2024-07-11 11:35:09.308]
[2024-07-11 11:35:09.308] Profile:
[2024-07-11 11:35:09.308] -------------------
[2024-07-11 11:35:09.308] Machine profile: Small Medium env resources profile
[2024-07-11 11:35:09.308] CPM heap size: 1280m
[2024-07-11 11:35:09.308]
[2024-07-11 11:35:09.308] Apache port retrieved from: httpd-ssl.conf
[2024-07-11 11:35:09.308]
[2024-07-11 11:35:09.308]
[2024-07-11 11:35:09.308] --------------------------------------------
[2024-07-11 11:35:09.308] Overall API Status: The API Server Is Not Running!
[2024-07-11 11:35:09.308] --------------------------------------------
[2024-07-11 11:35:09.308]
[2024-07-11 11:35:09.308] API readiness test FAILED. The server is down and unable to receive connections!
[2024-07-11 11:35:09.308]
[2024-07-11 11:35:09.308] Notes:
[2024-07-11 11:35:09.308] ------------
[2024-07-11 11:35:09.308] To collect troubleshooting data, please run 'api status -s <comment>'
[2024-07-11 11:35:09.308]
[2024-07-11 11:35:09.308] [Expert@cpm:0]# # $FWDIR/log/api.elg
[2024-07-11 11:37:04.523] bash: /opt/CPsuite-R81.20/fw1/log/api.elg: Permission denied
[2024-07-11 11:37:04.539] [Expert@cpm:0]#
[2024-07-11 11:42:31.193] [Expert@cpm:0]# cpwd_admin list
[2024-07-11 11:42:38.802] APP PID STAT #START START_TIME MON COMMAND
[2024-07-11 11:42:38.802] CPVIEWD 20128 E 1 [17:39:54] 8/7/2024 N cpviewd
[2024-07-11 11:42:38.802] CPVIEWS 20133 E 1 [17:39:54] 8/7/2024 N cpview_services
[2024-07-11 11:42:38.802] SXL_STATD 20136 E 1 [17:39:54] 8/7/2024 N sxl_statd
[2024-07-11 11:42:38.802] CPD 20151 E 1 [17:39:54] 8/7/2024 Y cpd
[2024-07-11 11:42:38.802] MPDAEMON 20164 E 1 [17:39:54] 8/7/2024 N mpdaemon /opt/CPshrd-R81.20/log/mpdaemon.elg /opt/CPshrd-R81.20/conf/mpdaemon.conf
[2024-07-11 11:42:38.802] TP_CONF_SERVICE 15529 E 1 [18:03:44] 8/7/2024 N tp_conf_service --conf=tp_conf.json --log=error
[2024-07-11 11:42:38.802] CI_CLEANUP 20277 E 1 [17:39:59] 8/7/2024 N avi_del_tmp_files
[2024-07-11 11:42:38.802] CIHS 20279 E 1 [17:39:59] 8/7/2024 N ci_http_server -j -f /opt/CPsuite-R81.20/fw1/conf/cihs.conf
[2024-07-11 11:42:38.834] FWD 20309 E 1 [17:39:59] 8/7/2024 N fwd
[2024-07-11 11:42:38.834] FWM 20313 E 1 [17:39:59] 8/7/2024 N fwm
[2024-07-11 11:42:38.834] FWMHA 0 T 0 [10:22:41] 11/7/2024 N fwmha -H
[2024-07-11 11:42:38.834] STPR 20337 E 1 [17:39:59] 8/7/2024 N status_proxy
[2024-07-11 11:42:38.834] SPIKE_DETECTIVE 20361 E 1 [17:39:59] 8/7/2024 N spike_detective
[2024-07-11 11:42:38.834] CPM 20725 E 1 [17:40:02] 8/7/2024 N /opt/CPsuite-R81.20/fw1/scripts/cpm.sh -s
[2024-07-11 11:42:38.834] SOLR 26495 E 1 [17:41:24] 8/7/2024 N java_solr
[2024-07-11 11:42:38.834] RFL 26515 E 1 [17:41:24] 8/7/2024 N LogCore
[2024-07-11 11:42:38.834] SMARTVIEW 26536 E 1 [17:41:24] 8/7/2024 N SmartView
[2024-07-11 11:42:38.834] INDEXER 0 T 0 [09:49:02] 11/7/2024 N /opt/CPrt-R81.20/log_indexer/log_indexer -workingDir /opt/CPrt-R81.20/log_indexer/
[2024-07-11 11:42:38.834] SMARTLOG_SERVER 26699 E 1 [17:41:26] 8/7/2024 N /opt/CPSmartLog-R81.20/smartlog_server
[2024-07-11 11:42:38.834] REPMAN 26839 E 1 [17:41:28] 8/7/2024 N java_repository_manager
[2024-07-11 11:42:38.834] DASERVICE 26846 E 1 [17:41:28] 8/7/2024 N DAService_script
[2024-07-11 11:42:38.834] AUTOUPDATER 26875 E 1 [17:41:29] 8/7/2024 N AutoUpdaterService.sh
[2024-07-11 11:42:38.834] CPSM 5676 E 1 [17:54:49] 8/7/2024 N cpstat_monitor
[2024-07-11 11:42:38.834] [Expert@cpm:0]#
[2024-07-11 11:43:02.519] [Expert@cpm:0]# exit
[2024-07-11 11:43:05.044] exit
[2024-07-11 11:43:05.048] cpm>

sliver bullet: casting repero or tossing it into the harbor

the_rock · ‎2024-07-10

API is failing, thats your issue. You can try api restart from expert, if that fails, try rebooting the mgmt server.

Andy

saitoh · ‎2024-07-10

Dear Andy,

Thank you for your response. I have got the following error when I hit #api restart:

WARNING: File mgmt_api_profile_settings.xml not found.

Rebooting turned out to be no luck. Apparently my CP3100 is missing something...

I have no clue how to resolve this, but I am now reinstalling JHF take 65 and will see the result.

I will post it here for the purpose of sharing.

sliver bullet: casting repero or tossing it into the harbor

Tal_Paz-Fridman · ‎2024-07-10

Can you please check if the file mgmt_api_profile_settings.xml exists in $FWDIR/conf/api ?

I suggest looking at https://support.checkpoint.com/results/sk/sk168832:

"API does not start"

saitoh · ‎2024-07-10

Dear Tal_Paz-Fridman,

Thank you for your answer. I took a look at it and there is no such a file as mgmt_api_profile_settings.xml.

Instead, it has test.txt, which I might have created a week ago while testing some linux commands on the appliance.

Well, it is starting to look like I am stupid enough to overwrite the existing file with some dump text file...

I will have a look through the document you suggested. Much appreciated!

sliver bullet: casting repero or tossing it into the harbor

saitoh · ‎2024-07-11

Dear Tal_Paz-Fridman,

I have again had two of CP3100 factory reseted, and clean installed.

One of them has mgmt_api_profile_settings.xml created automatically, after SMS started completely.

However in terms of the other this is not the case sadly.

Both of them the check_cpm_status.sh script says CPM server started.

Is there any possible explanation provided on some documents or something?

I will try copying that xml file from one to the other and see how it works anyway.

sliver bullet: casting repero or tossing it into the harbor

Tal_Paz-Fridman · ‎2024-07-11

Please follow the instructions in the SK I posted. It seems to address this exact scenario.

If it does not help contact Check Point TAC.

the_rock · ‎2024-07-11

I agree 100% @Tal_Paz-Fridman

Hey, @saitoh , I got this file from working lab mgmt, so if you message me directly, I can send it, as it does not let me attach it here. Once you have it, you can follow the sk Tal gave.

Andy

saitoh · ‎2024-07-11

Dear Andy , and Tal,

Since rebooting would not do CP good, I followed the instruction of the document Tal gave me.

It did the trick! Now the appliance is capable of receiving SmartConsole access as expected.

So much appreciated to both Tal and Andy!

I will choose Tal's answer which provides a URL of the document as this website would not let me choose several answers as solution.

I also show my appreciation to Andy for explaining why it was not working, and preparing the xml file for me.

The contribution of Andy as well as Tal helped me a lot, and will do others too in the future I believe!

sliver bullet: casting repero or tossing it into the harbor

the_rock · ‎2024-07-11

Glad you got it working, thats the most important thing. We are here to help one another.

Best,

Andy

the_rock · ‎2024-07-11

I think its "toast", sorry. Because reboot would take care of api restart...does the same show even after you rebooted it?

Andy

Are you a member of CheckMates?

Unable to access CP3100 R81.20, saying 'SmartConsole has experienced a serious problem'.