John_Fenoughty
Collaborator

Failed to parse CP site response

In the last couple of weeks I have seen the following error alerting in flurries on multiple sites at the same time. All running R80.30 with HTTPS inspection and URL&App blade, AV, AB etc.

Has anyone else seen this, anyone resolved it?

It is filling the admin mailboxes and I’m concerned that a. users are having problems or b. most worryingly, that potentially harmful sites are being accessed without protection because of ‘fail-open’.

Note from these two examples that the blade reporting the issue varies, as does the website involved. Goo.gl features highly in this on multiple sites but there are plenty of other examples.

HeaderDateHour:  4Feb2020 10:49:56; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 36; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl/forms/gn0vx7tcxe; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_258746 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

and also:

HeaderDateHour:  1Feb2020  9:43:46; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 37; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.videogram.com; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_206678 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;

 

1 Solution

Accepted Solutions
Angel_Ramirez
Participant

In my case, I opened a support case with Check Point, and according to the investigation, they are working on a bundle fix for the RAD.


51 Replies
G_W_Albrecht
Legend

Looks like a RAD error - I would contact TAC to find the error and provide a fix.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
John_Fenoughty
Collaborator

Thanks for the reply; what is a RAD error?

Does it seem likely that a ‘RAD error’ would occur on two entirely unrelated sites simultaneously?

Am I really the only person seeing these alerts?

Borut
Collaborator

You're not the only one. I have checked our logs and I also see these messages. 

They are almost exclusively related to URL shorteners (bit.ly, goo.gl,...) if that helps in any way.

The log also provides the path on the gateway, where additional debugging info can be found. Check if it contains anything useful. 

RAD: Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.
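
One way to triage these alerts offline, as an added example (not part of any post in this thread and not Check Point code): it parses alert lines in the format quoted in this thread, tolerates the word breaks that mail wrapping can introduce, and counts alerts per host, blade and reason and per flurry. The `SAMPLE` lines are constructed, and the function names and the 60-second flurry window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# ProductName values seen in the thread, keyed with whitespace removed.
BLADES = {"antimalware": "Anti Malware", "urlfiltering": "URL Filtering"}
ALERT = re.compile(
    r"HeaderDateHour:\s*(?P<ts>\d{1,2}[A-Za-z]{3}\d{4}\s+\d{1,2}:\d{2}:\d{2});"
    r".*?description:\s*Error occur while\s+(?P<target>.*?);"
    r"\s*reason:\s*(?P<reason>.*?),\s*check\s+(?P<dump>\S+)"
    r".*?ProductName:\s*(?P<blade>[^;]*)", re.S)

def parse_alert(line):
    """Return one alert as a dict, or None if the line is not a RAD alert."""
    m = ALERT.search(line)
    if not m:
        return None
    # Mail wrapping can split words ("ac cessing"), so drop whitespace first.
    target = re.sub(r"^accessing:", "", re.sub(r"\s+", "", m["target"]))
    blade = re.sub(r"\s+", "", m["blade"]).lower()
    return {
        "time": datetime.strptime(" ".join(m["ts"].split()), "%d%b%Y %H:%M:%S"),
        "host": target.split("/", 1)[0].lower(),
        "reason": m["reason"].strip().rstrip("."),
        "dump": m["dump"],  # per-flow error file on the gateway
        "blade": BLADES.get(blade, m["blade"].strip() or "unknown"),
    }

def summarize(lines, window_s=60):
    """Count alerts per (host, blade, reason) and group them into flurries."""
    alerts = sorted(filter(None, map(parse_alert, lines)), key=lambda a: a["time"])
    counts = Counter((a["host"], a["blade"], a["reason"]) for a in alerts)
    flurries, last = [], None  # [start_time, count]; a gap > window_s starts a new one
    for a in alerts:
        if last is None or (a["time"] - last).total_seconds() > window_s:
            flurries.append([a["time"], 0])
        flurries[-1][1] += 1
        last = a["time"]
    return counts, flurries

def sample(ts, target, reason, n, blade):  # builds one constructed alert line
    return (f"HeaderDateHour: {ts}; ContentVersion: 5; Action: ctl; Origin: gw-example; "
            f"Alert: mail; description: Error occur while {target}; reason: {reason}, "
            f"check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_1_{n} "
            f"For more details; severity: 3; ProductName: {blade}; ProductFamily: Network;")

PARSE = "Failed to parse CP Site Response."
FETCH = "Failed to fetch CP Site Resource. Timeout was reached"
SAMPLE = [  # constructed data in the thread's alert format, not real gateway logs
    sample(" 4Feb2020 10:49:56", "accessing:goo.gl/forms/example", PARSE, 1, "Anti Malware"),
    sample(" 4Feb2020 10:50:10", "ac cessing:goo.gl", PARSE, 2, "A nti Malware"),
    sample(" 4Feb2020 10:50:40", "accessing:bit.ly", PARSE, 3, "URL Filtering"),
    sample("12Jul2020  4:13:19", "acc essing:cdn.example.net", FETCH, 4, "Anti Malware"),
]
```

Feeding `summarize` the alert mails exported from the admin mailbox shows at a glance whether the flood is dominated by a few hosts and which blade raised each alert.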

Timothy_Hall
Legend

What Jumbo HFA are you using?  These new diagnostic messages may be related to the multithreading of the RAD daemon in take 107+, see sk163793 and p. 412 of the third edition of my book.  Diagnostics for this critical process were improved as well, so these messages now appearing are not necessarily indicative of a new problem.

 

MartinTzvetanov
Advisor

I also hit a similar issue last night when I migrated a Full HA R77.20 to Distributed R80.30 with JHF 111 and IPS, Anti-bot and Anti-virus enabled. A log is generated every minute with Reason Failed to handle CP site request and a log file. Also the description is Error occur while accessing /sdktunnel. Today I found that almost all of the workers in the company have problems with slow browsing of the Internet. There was no indication that the GW is under load or that it's processing too much traffic. After disabling the Anti-bot and Anti-virus the browsing went smoothly. I still have other work to do to finish the migration and probably after that I will open a case with TAC.

 


Angel_Ramirez
Participant

We have the same issue. New ClusterXL HA installation, R80.30 3.10 take 300 (JHF 140), with Antivirus & Antibot active blades...

 
 


Amir_Rehman
Contributor

Hey, 

 

Did anyone figure out these goo.gl errors? It generates hundreds of alerts throughout the day.

I am running R80.30 with take 140.

 

 HeaderDateHour:  2Mar2020 12:59:15; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 726; Action: ctl; Origin: Xxxxx; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_15994_12677760 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

JohnFenoughty
Participant

I certainly did not find a solution yet. They are, as Borut stated, always goo.gl and bit.ly type sites that are failing to parse.

It's clearly not an isolated issue for a single user; I have it on multiple sites.

I might do a little debugging myself at some point, but if anyone from Check Point knows why this has suddenly started happening it would be good to know!

MartinTzvetanov
Advisor

Hello,

I believe it's a problem with categorization of the resource - RAD can't do it properly and causes CPU consumption and slowness of the Internet traffic.

My next steps to check are first try this:

Capture.JPG

 

and then in Threat prevention policy there is something called Indicators and my point is to try to add my resource and play with Inactive and Detect mode and see what will happen.

 

I'm pretty sure in both cases it will still generate a lot of logs but I have to try.

TP_Master
Employee
Hey Martin,
We will look into this. Did you open a case with TAC by any chance? What is the SR #?
MartinTzvetanov
Advisor

Hi @TP_Master , not yet.

 

I'll be at the customer's site this week and will do some debugs and maybe I'll open a case.

Eric_Merillat
Contributor

I am having the same issue at a customer site.  R80.30 JHF Take 140.  I will have them open a TAC case tomorrow on this.  We have a migration this afternoon so no time for troubleshooting this.

Angel_Ramirez
Participant

In my case, I opened a support case with Check Point, and according to the investigation, they are working on a bundle fix for the RAD.

MartinTzvetanov
Advisor

What debug did you run during the chat with the support? I believe next week I will have to open a case with the support, but the system is in production and I don't want to interrupt the traffic to do a few debugs one at a time, so I want to be maximally prepared with all the needed info.

Angel_Ramirez
Participant

I have been requested to send certain log files, in order to analyze them, without service stops.

ak4020
Contributor

Good day, we have the same problem with R80.40 and just opened a case for half a week. BR, alois

Albin_Petersson
Contributor

We've had these since upgrading to R80.30. From the info we got there's no solution, but it will be fixed in some future hotfix. 

It sucks that the system alert logging is flooded due to this.

ak4020
Contributor
Hi, we still had the same problem with R80.30 and even worse with SecureXL / DNS, CPU load. We solved the problem - we changed the manufacturer. We are very disappointed with Check Point; since R80x it is no longer enterprise but beta software and support is a disaster. Cheers, lois
Steve_Pearson
Contributor

We're seeing the same problems here on R80.20

ak4020
Contributor
We also had the same problems with 80.40 and the support left us completely in the lurch, so as I said, solved by changing the manufacturer.
David_C1
Advisor

We have the same issue with R80.20 JHFA Take 134. The numbers jumped today when we updated our protected scope for the Anti-Bot blade (it was already enabled but today we "applied" it to monitor more sources). Every URL I've seen in the errors is bit.ly.

The lack of information on Secure Knowledge is disappointing. This is obviously not an isolated issue.

Dave

John_Fenoughty
Collaborator

Yes @David_C1 we are still seeing this on multiple sites. Just this morning in fact for one.

 

 HeaderDateHour: 17Jun2020  9:11:31; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 15; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:bit.ly; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8549_24718 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 

This site is R80.30 Hotfix 111

I think I've seen it on R80.40 too but not this week.

MartinTzvetanov
Advisor

Yes, I also observe it on R80.40. 

 

The error message I see in R80.40 is a bit different, but the effect is the same - slow browsing to some sites: Error occur while xxxx.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.40/fw1/log/rad_events/Errors/flow_15870_127341 For more details; severity: 3; ProductName:

 and is observed with Anti-bot, Anti-malware and URL filtering.

 

 

vlkntastan
Explorer

Hi,

 

I opened a chat about this issue and support advised the ongoing Take_210 Jumbo Hotfix. Maybe you can try to install and check it.

 

Regards.

KS
Contributor

Hello

 

Did installing JHF210 solve our problem?

We have been fighting with that for some time, but still without success.

We did get some custom hw_wrapper for JHF191 but that ended up with GW crashes and we had to uninstall it.

Now we have 196 but the problem still persists.

 

K.

Paul_Stephenson
Contributor

Hi,

We get a few of these alerts daily from our HA internet cluster. Currently R80.30 Build 200 however we have seen this issue for months now on various R80.30 builds.

Websites are usually goo.gl but can be bit.ly, akamaiedge and more recently a lot of WebEx. They can be individual or in a group of 2-3, sometimes more but usually just a handful.

 HeaderDateHour: 12Jul2020  4:13:19; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 6; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cisco.webex.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1186022 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 HeaderDateHour: 12Jul2020  4:12:12; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 5; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:e4343.x.akamaiedge.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1185996 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 HeaderDateHour: 12Jul2020  4:08:43; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 12; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:async.zoom.us; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1185920 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 HeaderDateHour: 11Jul2020 14:52:24; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 13; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:limited-prod.giphy.map.fastly.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1163257 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 

More concerning was a recent alert referencing one of our own internet addresses.

 

Cheers,

Paul.

Paul_Stephenson
Contributor

5 more emails fresh in.

 

 HeaderDateHour: 13Jul2020 10:31:48; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 13; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.rebel.ai; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243206 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 HeaderDateHour: 13Jul2020 10:31:48; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 14; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.rebel.ai; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243207 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 HeaderDateHour: 13Jul2020 10:31:48; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 17; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:d8rk54i4mohrb.cloudfront.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243211 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 HeaderDateHour: 13Jul2020 10:31:50; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 9; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:9772e8e882bb9041133b6abea710b0fa.safeframe.googlesyndication.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243221 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 

---

 HeaderDateHour: 13Jul2020 10:32:03; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 17; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:go.ezoic.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243227 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 HeaderDateHour: 13Jul2020 10:32:04; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 13; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:ezodn.com/detroitchicago/boise.js?gcb=188-1&cb=1; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243250 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 HeaderDateHour: 13Jul2020 10:32:05; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 22; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:ce.lijit.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243265 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 

---

 HeaderDateHour: 13Jul2020 10:32:18; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 28; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:go.ezoic.net/detroitchicago/audins.js?cb=188-1; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243289 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 HeaderDateHour: 13Jul2020 10:32:19; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 12; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:edge.quantserve.com/quant.js; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243295 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;

 

---

 HeaderDateHour: 13Jul2020 10:32:25; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 6; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:ct.pinterest.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243313 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 

---

 HeaderDateHour: 13Jul2020 10:33:49; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 21; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:nebulaaa9.webex.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243368 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

 HeaderDateHour: 13Jul2020 10:33:49; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 22; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:nebulaaa9.webex.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243369 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

MartinTzvetanov
Advisor
Any performance impact? High CPU usage of the RAD process?
Paul_Stephenson
Contributor

I do not know what the RAD processes are or how to check its utilisation. SSH in and use TOP, or is there some other tool more specifically designed for that?
