Failed to parse CP site response
In the last couple of weeks I have seen the following error alerting in flurries on multiple sites at the same time. All running R80.30 with HTTPS inspection and URL&App blade, AV, AB etc.
Has anyone else seen this, anyone resolved it?
It is filling the admin mailboxes and I’m concerned that a. Users are having problems or b. Most worryingly that potentially harmful sites are being accessed without protection because of ‘fail-open’.
Note from these two examples that the blade reporting the issue varies as does the website involved. Goo.gl features highly in this on multiple sites but there are plenty of other examples.
HeaderDateHour: 4Feb2020 10:49:56; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 36; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl/forms/gn0vx7tcxe; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_258746 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
and also:
HeaderDateHour: 1Feb2020 9:43:46; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 37; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.videogram.com; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_206678 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;
Accepted Solutions
In my case, I opened a support case with Check Point, and according to the investigation, they are working on a bundle fix for the RAD.
Looks like a RAD error - I would contact TAC to find the error and provide a fix.
Thanks for the reply; what is a RAD error?
Does it seem likely that a ‘RAD error’ would occur on two entirely unrelated sites simultaneously?
Am I really the only person seeing these alerts?
You're not the only one. I have checked our logs and I also see these messages.
They are almost exclusively related to URL shorteners (bit.ly, goo.gl,...) if that helps in any way.
The log also provides the path on the gateway, where additional debugging info can be found. Check if it contains anything useful.
RAD: Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.
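To check which hosts and blades the alerts actually concern, and to collect the debug file paths each alert points to, the alert mails can be tallied with a short script. This is an added example, not part of the thread and not Check Point code; the sample lines are alerts quoted in this thread, and the function names `parse_alert` and `summarize` are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Alert lines as quoted in this thread, one alert per line.
SAMPLE = """\
HeaderDateHour: 4Feb2020 10:49:56; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 36; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl/forms/gn0vx7tcxe; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_258746 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 1Feb2020 9:43:46; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 37; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.videogram.com; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_206678 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;
HeaderDateHour: 2Mar2020 12:59:15; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 726; Action: ctl; Origin: Xxxxx; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_15994_12677760 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 17Jun2020 9:11:31; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 15; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:bit.ly; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8549_24718 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
"""


def parse_alert(line):
    """Split one 'Key: value; Key: value;' alert into the fields used for triage."""
    fields = {}
    for part in line.strip().rstrip(";").split("; "):
        key, sep, value = part.partition(": ")  # first ': ' only; values keep their colons
        if sep:
            fields[key.strip()] = value.strip()
    if not {"HeaderDateHour", "description", "reason"} <= fields.keys():
        return None  # not an alert in the format shown in the thread
    target = re.search(r"accessing:(\S+)", fields["description"])
    # The reason ends with "check <path> For more details"; separate text from path.
    reason = re.match(r"(.*?)[.,\s]*check (/\S+)", fields["reason"])
    return {
        # %b is locale dependent; the month names in the alerts are English.
        "time": datetime.strptime(fields["HeaderDateHour"], "%d%b%Y %H:%M:%S"),
        "origin": fields.get("Origin"),
        "blade": fields.get("ProductName"),
        "host": target.group(1).split("/")[0].lower() if target else None,
        "reason": reason.group(1) if reason else fields["reason"],
        "debug_file": reason.group(2) if reason else None,
    }


def summarize(text):
    """Count alerts per host, blade and reason; list the debug files to collect."""
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    return {
        "total": len(alerts),
        "by_host": Counter(a["host"] for a in alerts),
        "by_blade": Counter(a["blade"] for a in alerts),
        "by_reason": Counter(a["reason"] for a in alerts),
        "debug_files": sorted({a["debug_file"] for a in alerts if a["debug_file"]}),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(name, value)
```

The `debug_files` list gives the per-flow error files on the gateway that each alert refers to, which is what the alert text says to check for more details.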
What Jumbo HFA are you using? These new diagnostic messages may be related to the multithreading of the RAD daemon in take 107+, see sk163793 and p. 412 of the third edition of my book. Diagnostics for this critical process were improved as well, so these messages now appearing are not necessarily indicative of a new problem.
now available at maxpowerfirewalls.com
I also hit a similar issue last night when I migrated a Full HA R77.20 to Distributed R80.30 with JHF 111 and IPS, Anti-bot and Anti-virus enabled. A log is generated every minute with Reason Failed to handle CP site request and a log file. Also the description is Error occur while accessing /sdktunnel. Today I found that almost all of the workers in the company have problems with slow Internet browsing. There was no indication that the GW is under load or that it's processing too much traffic. After disabling Anti-bot and Anti-virus, browsing went smoothly. I still have other work to do to finish the migration and probably after that I will open a case with TAC.
We have the same issue. New ClusterXL HA installation, R80.30 3.10 take 300 (JHF 140), with Antivirus & Antibot active blades...
Hey,
Did anyone figure out these goo.gl errors? It generates hundreds of alerts throughout the day.
I am running R80.30 with take 140.
HeaderDateHour: 2Mar2020 12:59:15; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 726; Action: ctl; Origin: Xxxxx; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_15994_12677760 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
I certainly did not find a solution yet. They are as Borut stated, always goo.gl and bit.ly type sites that are failing to parse.
It's clearly not an isolated issue for a single user, I have it on multiple sites.
I might do a little debugging myself at some point, but if anyone from Check Point knows why this has suddenly started happening it would be good to know!
Hello,
I believe it's a problem with categorization of the resource - RAD can't do it properly and causes CPU consumption and slowness of the Internet traffic.
My next steps to check are first try this:
and then in Threat prevention policy there is something called Indicators and my point is to try to add my resource and play with Inactive and Detect mode and see what will happen.
I'm pretty sure in both cases it will still generate a lot of logs but I have to try.
We will look into this. Did you open a case with TAC by any chance? What is the SR #?
Hi @TP_Master, not yet.
I'll be at the customer's site this week and will do some debugs and maybe I'll open a case.
I am having the same issue at a customer site. R80.30 JHF Take 140. I will have them open a TAC case tomorrow on this. We have a migration this afternoon so no time for troubleshooting this.
In my case, I opened a support case with Check Point, and according to the investigation, they are working on a bundle fix for the RAD.
What debug did you run during the chat with support? I believe next week I will have to open a case with support, but the system is in production and I don't want to interrupt the traffic to do a few debugs one at a time, so I want to be as prepared as possible with all the needed info.
I have been requested to send certain log files, in order to analyze them, without service stops.
Good day, we have the same problem with R80.40 and just opened a case for half a week. BR, Alois
We've had these since upgrading to R80.30. From the info we got there's no solution, but it will be fixed in some future hotfix.
It sucks that the system alert logging is flooded due to this.
We're seeing the same problems here on R80.20.
We have the same issue with R80.20 JHFA Take 134. The numbers jumped today when we updated our protected scope for the Anti-Bot blade (it was already enabled but today we "applied" it to monitor more sources). Every URL I've seen in the errors is bit.ly.
The lack of information on Secure Knowledge is disappointing. This is obviously not an isolated issue.
Dave
Yes @David_C1 we are still seeing this on multiple sites. Just this morning in fact for one.
HeaderDateHour: 17Jun2020 9:11:31; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 15; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:bit.ly; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8549_24718 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
This site is R80.30 Hotfix 111.
I think I've seen it on R80.40 too but not this week.
Yes, I also observe it on R80.40.
The error message I see in R80.40 is a bit different, but the effect is the same - slow browsing to some sites: Error occur while xxxx.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.40/fw1/log/rad_events/Errors/flow_15870_127341 For more details; severity: 3; ProductName:
and is observed with Anti-bot, Anti-malware and URL filtering.
Hi,
I opened a chat about this issue and support advised the ongoing Take_210 Jumbo Hotfix. Maybe you can try to install it and check.
Regards.
Hello
Did installing JHF210 solve your problem?
We have been fighting with this for some time, but still without success.
We did get some custom hw_wrapper for JHF191, but that ended up with GW crashes and we had to uninstall it.
Now we have 196 but the problem still persists.
K.
Hi,
We get a few of these alerts daily from our HA internet cluster. Currently R80.30 Build 200 however we have seen this issue for months now on various R80.30 builds.
Websites are usually goo.gl but can be bit.ly, akamaiedge and more recently a lot of WebEx. They can be individual or in a group of 2-3, sometimes more but usually just a handful.
HeaderDateHour: 12Jul2020 4:13:19; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 6; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cisco.webex.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1186022 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 12Jul2020 4:12:12; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 5; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:e4343.x.akamaiedge.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1185996 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 12Jul2020 4:08:43; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 12; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:async.zoom.us; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1185920 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 11Jul2020 14:52:24; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 13; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:limited-prod.giphy.map.fastly.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1163257 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
More concerning was a recent alert referencing one of our own internet addresses.
Cheers,
Paul.
5 more emails fresh in.
HeaderDateHour: 13Jul2020 10:31:48; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 13; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.rebel.ai; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243206 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 13Jul2020 10:31:48; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 14; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.rebel.ai; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243207 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 13Jul2020 10:31:48; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 17; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:d8rk54i4mohrb.cloudfront.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243211 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 13Jul2020 10:31:50; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 9; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:9772e8e882bb9041133b6abea710b0fa.safeframe.googlesyndication.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243221 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
---
HeaderDateHour: 13Jul2020 10:32:03; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 17; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:go.ezoic.net; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243227 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 13Jul2020 10:32:04; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 13; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:ezodn.com/detroitchicago/boise.js?gcb=188-1&cb=1; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243250 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 13Jul2020 10:32:05; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 22; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:ce.lijit.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243265 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
---
HeaderDateHour: 13Jul2020 10:32:18; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 28; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:go.ezoic.net/detroitchicago/audins.js?cb=188-1; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243289 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 13Jul2020 10:32:19; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 12; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:edge.quantserve.com/quant.js; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243295 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;
---
HeaderDateHour: 13Jul2020 10:32:25; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 6; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:ct.pinterest.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243313 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
---
HeaderDateHour: 13Jul2020 10:33:49; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 21; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:nebulaaa9.webex.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243368 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
HeaderDateHour: 13Jul2020 10:33:49; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 22; Action: ctl; Origin: XXX; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:nebulaaa9.webex.com; reason: Failed to fetch CP Site Resource. Timeout was reached, check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_11080_1243369 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;
I do not know what the RAD processes are or how to check their utilisation. SSH in and use top, or is there some other tool more specifically designed for that?