Stephen_Henihan
Explorer

Migrate Standalone to Distributed - Failed to Open File configuration2

My goal is to convert a standalone R77.30 4400 appliance into a gateway for a Distributed license Security Manager Hyper-V VM that'll do management, reporting, logs, etc. We only have the one 4400 in place at the moment so downtime is an issue.

As I understand it, I should migrate the standalone configuration to distributed first (using the same version of Checkpoint software), convert the 4400 to a gateway (wipe and reinstall it), upgrade the management server to R80 and finally upgrade/redeploy the gateway as R80. 

As a first step, I am trying to migrate the 4400 database to a temporary/interim VM running R77.30 Security Management (with a trial license, different hostname and different IP to the original 4400). The idea was to then upgrade the R77.30 VM to R80.2 and finally migrate the database to a clean R80.2 VM.

I used the upgrade_export command initially but then switched to R77.30.03 Migration Tools (when the help on upgrade_export reported I should). I export from the 4400 and then VI to remove references to Firewall/gateway role and then repack the export.

Whenever I try to import the package, the failure seems to indicate that "configuration2" file cannot be found.

The repackaged export file contains all the directories and files of the original but I have noticed (in WinSCP) that only the main_db directory and configuration file are exported to $FWDIR/tmp/migrate during the 'migrate import' phase. Then the migrate seems to quit, reporting a failure to locate 'configuration2'.

(This was the same error reported by the log for upgrade_import).

Looking at the log, I manually ran the gzip and gtar commands it used and all files exported fine. I believe that there is plenty of free space on all volumes. (I was going to try and get migrate to use a different path to extract the temporary files but I can't find how to do that.)

If the log just isn't telling me what's really happening, could you point me in the direction of how to find out what's really wrong with the process?

If I am approaching this the wrong way, could you please advise me what steps I should be taking (the hardest part I find is locating the appropriate versions of tools/OS/patches)?

Here is the end of the log file.

[18 Oct 12:27:57] [ReadFwsetFile] Going to read file '/opt/CPsuite-R77/fw1/tmp/migrate/configuration2'
[18 Oct 12:27:57] [ReadFwsetFile] ERR: Failed to open file: No such file or directory
[18 Oct 12:27:57] ..<-- ReadFwsetFile
[18 Oct 12:27:57] [MigrateConfig::ReadConfigFile] ERR: Failed to create config file
[18 Oct 12:27:57] .<-- MigrateConfig::ReadConfigFile
[18 Oct 12:27:57] [MigrateConfigInitializer::exec] ERR: Failed to read config file
[18 Oct 12:27:57] .--> NotifyUser
[18 Oct 12:27:57] ..--> IsRunningInteractively
[18 Oct 12:27:57] ...--> GetConfig
[18 Oct 12:27:57] ...<-- GetConfig
[18 Oct 12:27:57] [IsRunningInteractively] Running interactively
[18 Oct 12:27:57] ..<-- IsRunningInteractively
[18 Oct 12:27:57] [NotifyUser] Running interractively, presenting a message to the user
[18 Oct 12:27:57] [NotifyUser] A message to the user is:
------------------------------------------------------------------
Cannot get needed information from imported archive.
Archive doesn't contain exported Check Point database or
database export was performed with wrong migration tools.
Do database export with migration tools for version installed
on destination machine.
------------------------------------------------------------------
[18 Oct 12:27:57] .<-- NotifyUser
[18 Oct 12:27:57] <-- MigrateConfigInitializer::exec
[18 Oct 12:27:57] [ActivitiesManager::exec] ERR: Activity 'MigrateConfigInitializer' failed
[18 Oct 12:27:57] [ProgressUpdater::UpdateProgressToGaia] Progress Updated to '13.0435
[18 Oct 12:27:57] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[18 Oct 12:27:57] [ActivitiesManager::exec] WRN: Activities 'MigrateConfigInitializer' have failed
[18 Oct 12:27:57] [ActivitiesManager::exec] Designated exit code is 1
[18 Oct 12:27:57] --> CleanupManager::Instance
[18 Oct 12:27:57] <-- CleanupManager::Instance
[18 Oct 12:27:57] --> CleanupManager::DoCleanup
[18 Oct 12:27:57] [CleanupManager::DoCleanup] Starting to perform cleanup
[18 Oct 12:27:57] .--> DirCleaner::exec
[18 Oct 12:27:57] [DirCleaner::exec] Going to remove directory '/opt/CPsuite-R77/fw1/tmp/migrate/'
[18 Oct 12:28:00] [DirCleaner::exec] WRN: Failed to remove the directory
[18 Oct 12:28:00] .<-- DirCleaner::exec
[18 Oct 12:28:00] [CleanupManager::DoCleanup] Completed the cleanup
[18 Oct 12:28:00] <-- CleanupManager::DoCleanup

[Expert@checktemp:0]# df -kh /opt/CPsuite-R77/fw1/tmp
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_log
117G 4.5G 106G 5% /var/log
[Expert@checktemp:0]# df -kh
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
31G 11G 19G 36% /
/dev/sda1 289M 24M 251M 9% /boot
tmpfs 3.9G 0 3.9G 0% /dev/shm
/dev/mapper/vg_splat-lv_log
117G 4.5G 106G 5% /var/log

Thanks.

Stephen

0 Kudos
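
A check for the export, edit and repack step described in the post above, as an added example that is not part of the original thread: it compares the member list of the original export with the repacked archive and reports files that went missing or whose stored path form changed (for example "./configuration2" instead of "configuration2"). It assumes the export is a gzip-compressed tar, as the gzip and gtar commands mentioned in the post suggest; the function names and archive file names are placeholders.

```shell
#!/bin/bash
# Added example: compare an original export archive with a repacked copy.
# Assumption: both are gzip-compressed tar files. Names are placeholders.

# Print member names exactly as stored in the archive, one per line.
raw_members() {
    tar -tzf "$1"
}

# Print member names with a leading "./" and a trailing "/" removed, sorted.
norm_members() {
    raw_members "$1" | sed -e 's|^\./||' -e 's|/$||' | grep -v '^$' | sort -u
}

# Report differences between ORIG and REPACKED.
# Returns 0 when names and stored path form match, 1 otherwise.
compare_archives() {
    orig=$1; repacked=$2; rc=0
    tmp=$(mktemp -d) || return 2
    norm_members "$orig" > "$tmp/o.norm"
    norm_members "$repacked" > "$tmp/r.norm"
    raw_members "$orig" | sort > "$tmp/o.raw"
    raw_members "$repacked" | sort > "$tmp/r.raw"

    missing=$(comm -23 "$tmp/o.norm" "$tmp/r.norm")
    extra=$(comm -13 "$tmp/o.norm" "$tmp/r.norm")
    if [ -n "$missing" ]; then echo "MISSING in repacked:"; echo "$missing"; rc=1; fi
    if [ -n "$extra" ]; then echo "EXTRA in repacked:"; echo "$extra"; rc=1; fi

    # Same files, but stored under a different path form ("./name" vs "name").
    if [ "$rc" -eq 0 ] && ! cmp -s "$tmp/o.raw" "$tmp/r.raw"; then
        echo "PATH FORM differs (same files, different stored names):"
        diff "$tmp/o.raw" "$tmp/r.raw" || true
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: ./compare_export.sh original_export.tgz repacked_export.tgz
if [ "$#" -eq 2 ]; then
    compare_archives "$1" "$2"
fi
```

Running it against the untouched export and the edited one shows whether the repack changed anything other than the file contents that were deliberately edited.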
7 Replies
G_W_Albrecht
Legend

Please study the following documents:

sk61681 How to migrate from Standalone configuration to Distributed

sk85900 Importing the configuration between a Standalone machine and a Management only machine

sk98831 "Execution finished with errors" message on migrate import / export command failure

CCSE CCTE CCSM SMB Specialist
0 Kudos
Stephen_Henihan
Explorer

These were some of the articles that I used to begin the migration. There are so many disparate but possibly related articles that I came across alternating solutions that confused the issue (they probably referred to different versions).

SK61681 - The main issue here was that it seems to require modifying the existing (sole) gateway device and so requires the appliance to be significantly altered and effectively offline (...is this correct?) during the migration. Another issue was the term 'exact same version' as I wasn't sure if this meant exact same patches and hotfixes too. I was unable to locate one hotfix and the Jumbo file name differs somewhat even though the version (292) seems the same. Regarding the same hostname (between original and new host), I found documentation on renaming the existing hostname but at the end of the process the system name didn't change for me, so I rebuilt the VM with the same name as the appliance. When I tried to connect with SmartDashboard to the newly built VM, SmartDashboard would not connect despite being added as a GUI client and user credentials correct - I think this was due to a security key exchange issue but I wondered if this might have been because I used the same name for the host. Then I read another article that implied if the same hostname was not used, the import process would require a reboot during which the hostname would be amended.

SK98831 - These are the changes that I was able to make to the configuration and configuration2.

SK98831 - The error I am getting does not occur in this file. Should I attempt to resolve using some other workaround within this page or are the fixes referenced here only specific to the particular error?

While I am not 100% sure that I am approaching this correctly, do I try to fix the import error or do I start again from scratch?

If so, am I going to have to stick religiously to the initial article you referenced and take the existing appliance offline for the duration of the migration?

0 Kudos
Stephen_Henihan
Explorer

Side by side of Gaia software update lists. Original on left and Interim device on right

0 Kudos
G_W_Albrecht
Legend

It would be better to involve TAC - there are many pitfalls here, and over time, a lot of different errors did appear with migrate...

CCSE CCTE CCSM SMB Specialist
0 Kudos
Stephen_Henihan
Explorer

Thanks for the tip. I think I'll actually abandon the migration/upgrade as it might be better to start with a clean setup. I'll go with another comment (actually made by you in another post) and just rebuild the setup manually. At least then I'll get a chance to review the implementation while I am rebuilding.

Appreciate your input.

S

0 Kudos
G_W_Albrecht
Legend

There is a valid point for such a decision - you will get rid of legacy configuration and can use the R80.10 enhancements like excluding rules from checking based on destination from the start.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Stephen_Henihan
Explorer

I have switched to using migration tools for Security Manager as version above was apparently for Endpoint.

http://downloads.checkpoint.com/dc/filedetails.htm?ID=41359&product=SmartCenter&version=R77&os=Gaia&... 

Regardless, same error in upgrade_import and error is still same in version of the migration utility linked here.

0 Kudos
