Solved: Re: Unable to access Gaia Portal

Saranya_0305 · ‎2025-05-26

Dear Team,

I have multiple Firewall cluster setups managed centrally by a Management Server which was located in Delhi.

Management Server OS :R81.20
Firewalls OS :R81.10

Currently I am situated in Mumbai where one firewall setup is configured and other firewall setup is located in Bangalore.

Currently:

Bangalore FW1: Standby
Bangalore FW1: Active

The firewalls is connected to Management server by SD-WAN.

From my PC I am able to access the Smartconsole, Gaia portal and CLI access of Management Server.

From the same PC,
- At initial I am able to access the CLI of Bangalore FW via Management Server, later I add my PC in the rule base of Bangalore Policy package to access directly.
- Now I am able to ping and access the CLI of Bangalore FW directly.

But when I try to access the Gaia Portal of Bangalore FW I am unable to access.

I added the rule above the Stealth rule.

Rule: Src:172.17.8.35(My PC) Dst:10.0.6.131(FW) Service: ssh_version2,ping, TCP_4434

Also, I added my PC to the allowed-client host list of Bangalore FW.

The web-ssl port is 4434 configured for Bangalore location.

But when I check the Platform Portal option in Smart console it is https://172.18.0.27:4434.

When I checked the logs, I able to see the accept logs for 10.0.6.131.

But for the IP:172.18.0.27 I able to see drop logs.

Can you please guide why I am unable to access the Gaia Portal of Bangalore FW?

For reference , I attached the screenshots below.

Regards,

Saranya

Saranya_0305 · ‎2025-05-28

Dear Team,

Actually, recently we have upgraded the Management server from R81.10 to R81.20, but firewalls are running in R81.10.

After upgrading when we try to access Gaia portal of the Firewall we are facing this issue. But for other firewalls we are able to access.

In issue firewall, the below steps we performed till now.

Scenario1:
- set ssl-web port 4434
-save config
-Change port in SmartConsole and install the policy.

Scenario2

- set web daemon-enable off
- save config
- set web daemon-enable on
- save config

Scenario3

- restart the CP services and follow Scenario1&2.

Scenario4

- Directly change port in Smartconsole and install the policy.

Unfortunately no one will work. But when we change to 443 port it is working and able to access Gaia.

Currently, the port is 4434 and have checked some data in httpd2_error.log file

AH00558: httpd2: Could not reliably determine the server's fully qualified domain name, using 10.0.6.131. Set the 'ServerName' directive globally to suppress this message
[Wed May 28 12:17:06.234235 2025] [mime_magic:error] [pid 27000] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Wed May 28 12:17:06.234281 2025] [ssl:warn] [pid 27000] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed May 28 12:17:06.235593 2025] [mpm_prefork:notice] [pid 27000] AH00163: CPWS/2.4.55 (Unix) OpenSSL/1.1.1w configured -- resuming normal operations
[Wed May 28 12:17:06.235617 2025] [core:notice] [pid 27000] AH00094: Command line: '/web/cpshared/web/Apache/2.2.0/bin/httpd2 -f /web/conf/httpd2.conf -D FOREGROUND'

Based on that I have found one SK180829

When I compare both working Firewall and issue firewall I didn't found any data under /web/conf/extra/httpd-ssl.conf file.

For reference I have attached the screenshot.

Can I you please suggest is the issue related to this file can I perform this SK?

Regards,

Saranya

View solution in original post

the_rock · ‎2025-05-26

Check to make sure its not policy blocking it. Run fw stat via ssh.

Andy

Best,
Andy

Saranya_0305 · ‎2025-05-26

Hi,

Yeah, Firewall custom policy was installed in the firewall.

Regards,

Saranya

the_rock · ‎2025-05-26

Can you send the output of that command?

Best,
Andy

Saranya_0305 · ‎2025-05-26

Hi,

Please find the attached screenshot.

Regards,

Saranya

Chris_Atkinson · ‎2025-05-26

To start the dst in your drop log doesn't align to the rule you configured is there a reason for that?

CCSM R77/R80/ELITE

Saranya_0305 · ‎2025-05-27

Hi,

I have found some observations:

The dst IP in drop log is the Platform portal IP: 172.18.0.27:4434, which is not the Virtual IP of Cluster member also.

Currently, now I changed the Platform portal IP: 10.0.6.129:4434, which is the Virtual IP of cluster member of Management Interface.

After that I installed the policy, but still not able to access.

But when I change to Platform portal IP: 10.0.6.129:443, I am able to access.

I want to access via 4434 port. can you please help me why I can't able to access via 4434.

I even added the service TCP_4434 in rule.

Redards,

Saranya

the_rock · ‎2025-05-27

Run fw up_execute command to see if rule allows it.

Andy

Best,
Andy

Saranya_0305 · ‎2025-05-27

Hi,

No rules has blocked the connection.

Based on the browser page I have found some sk118801.

Based on the sk, the scenario 5, I have not sure was it CSR certificate was proper or not.

Regards,

Saranya

Saranya_0305 · ‎2025-05-27

Hi,

Currently, I restarted the services, after that 4434 is not reflecting. But in Smart console Platform portal IP is configured with 4434.

Regards,

Saranya

Chris_Atkinson · ‎2025-05-27

To confirm did you change the port prior in the GAiA config or rather can you check that it is correct?

show | set web ssl-port

CCSM R77/R80/ELITE

Saranya_0305 · ‎2025-05-27

No I didn't change prior. But later I tried with that one but no use.

the_rock · ‎2025-05-27

Maybe try from clish:

set web-daemon enable off

save config

set web-daemon enable on

save config

Best,
Andy

Saranya_0305 · ‎2025-05-27

Hi,

We tried that one but no use.

Regards,

Saranya

Saranya_0305 · ‎2025-05-28

Dear Team,

Actually, recently we have upgraded the Management server from R81.10 to R81.20, but firewalls are running in R81.10.

After upgrading when we try to access Gaia portal of the Firewall we are facing this issue. But for other firewalls we are able to access.

In issue firewall, the below steps we performed till now.

Scenario1:
- set ssl-web port 4434
-save config
-Change port in SmartConsole and install the policy.

Scenario2

- set web daemon-enable off
- save config
- set web daemon-enable on
- save config

Scenario3

- restart the CP services and follow Scenario1&2.

Scenario4

- Directly change port in Smartconsole and install the policy.

Unfortunately no one will work. But when we change to 443 port it is working and able to access Gaia.

Currently, the port is 4434 and have checked some data in httpd2_error.log file

AH00558: httpd2: Could not reliably determine the server's fully qualified domain name, using 10.0.6.131. Set the 'ServerName' directive globally to suppress this message
[Wed May 28 12:17:06.234235 2025] [mime_magic:error] [pid 27000] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Wed May 28 12:17:06.234281 2025] [ssl:warn] [pid 27000] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed May 28 12:17:06.235593 2025] [mpm_prefork:notice] [pid 27000] AH00163: CPWS/2.4.55 (Unix) OpenSSL/1.1.1w configured -- resuming normal operations
[Wed May 28 12:17:06.235617 2025] [core:notice] [pid 27000] AH00094: Command line: '/web/cpshared/web/Apache/2.2.0/bin/httpd2 -f /web/conf/httpd2.conf -D FOREGROUND'

Based on that I have found one SK180829

When I compare both working Firewall and issue firewall I didn't found any data under /web/conf/extra/httpd-ssl.conf file.

For reference I have attached the screenshot.

Can I you please suggest is the issue related to this file can I perform this SK?

Regards,

Saranya

the_rock · ‎2025-05-28

I bet if you took clean httpd2.conf file from /web/conf/extra dir and copy it over, it might work. Just save the original one.

Andy

Best,
Andy

Saranya_0305 · ‎2025-05-28

Hi,

Will it impact the traffic if we stop and start the httpd daemon process?

Regards,

Saranya

the_rock · ‎2025-05-28

Nope.

Best,
Andy

Saranya_0305 · ‎2025-05-28

Hi,

Thank you for the support. It is working now.

Regards,

Saranya

the_rock · ‎2025-05-28

Happy to hear!

Best,
Andy

Saranya_0305 · ‎2025-05-30

Dear Team,

I am facing same issue with other firewall which is in another location Noida.

Issue Description:

Cluster Setup:

- Active Firewall able to access the Gaia portal.

- Standby device Gaia Portal is not able to access.

I performed the below steps.

- set ssl-web port 4434
- save config
- set web daemon-enable off
- save config
- set web daemon-enable on
- save config
- Restared the CP services

- Verified "fw up_execute" command

I performed the SK180829 and verified the parameters sk118801.

But unfortunately not able to access.

In firewall I am not able to see the latest log entries in httpd2_error_log,httpd2_access_log files.

Can you please guide me how to proceed further.

Regards,

Saranya

the_rock · ‎2025-05-30

You can try same steps as for the other fw.

Best,
Andy

Saranya_0305 · ‎2025-05-30

Hi,

I followed every steps in this firewall where I followed the same steps in Previous issue facing firewall.

But in this current firewall, still not able to access the portal.

Regards,

Saranya

the_rock · ‎2025-05-30

Probably best to do remote with TAC.

Best,
Andy

Chris_Atkinson · ‎2025-05-30

How are you accessing the web interface, from the LAN or via VPN. Which version & JHF?

Does this machine have a dedicated MGMT interface etc

CCSM R77/R80/ELITE

Saranya_0305 · ‎2025-06-01

Hi,

I am accessing via LAN, version R81.10 , JHF Take 130.

We are using internal network as Management Interface.

Regards,

Saranya

the_rock · ‎2025-06-02

How are portal settings configured in smart console object?

Andy

Best,
Andy

Saranya_0305 · ‎2025-06-06

Hi,

Sorry for delay in response and Thank you for your support,

The issue is resolved.

Regards,

Saranya

the_rock · ‎2025-06-06

Glad we can help, Saranya.

Andy

Best,
Andy

genisis__ · ‎2025-06-07

I've had that happen to me before, and the above solved it.

Are you a member of CheckMates?

Unable to access Gaia Portal