Karel_Mate
Explorer

IPS Update failed after upgrade from R80.10 to R80.30


Hi Sirs,

 

We are having an issue with the IPS update. Right after we successfully migrated to a new Open Server appliance running R80.30, coming from R80.10, the IPS update is failing. We also tried updating using an offline update file, but it is still failing. The connection to Check Point is fine, as is the PC used for SmartConsole. Below is some output requested by the TAC who is handling the case.

[Expert@PSBANK-mgmt:0]# nslookup
> ^C[Expert@PSBANK-mgmt:0]# nslookup cws.checkpoint.com
Server: 10.11.25.4
Address: 10.11.25.4#53

Non-authoritative answer:
cws.checkpoint.com canonical name = wildcard-dual.checkpoint.com.edgekey.net.
wildcard-dual.checkpoint.com.edgekey.net canonical name = e14576.dscg.akamaiedge.net.
Name: e14576.dscg.akamaiedge.net
Address: 184.87.247.148

[Expert@PSBANK-mgmt:0]# curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com
* Rebuilt URL to: https://updates.checkpoint.com/
* Trying 104.67.182.6...
* Connected to updates.checkpoint.com (104.67.182.6) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5:!aECDH:!EDH
* successfully set certificate verify locations:
* CAfile: /opt/CPshrd-R80.30/conf/ca-bundle.crt
CApath: none
* *** Current date is: Tue Feb 18 11:23:56 2020
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Tue Feb 18 11:23:56 2020
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* err is -1, detail is 2
* *** Current date is: Tue Feb 18 11:23:56 2020
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* err is -1, detail is 2
* *** Current date is: Tue Feb 18 11:23:56 2020
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: crl_download_timeout: 10
* servercert: crl_weak_validation: 1
* servercert: Calling cp_verify_certificate
* servercert: cp_verify_certificate returned: CURLE_OK
* Server certificate:
* subject: OU=Domain Control Validated; CN=*.checkpoint.com
* start date: Oct 31 20:24:10 2018 GMT
* expire date: Oct 31 20:24:10 2020 GMT
* subjectAltName: updates.checkpoint.com matched
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify ok.
* servercert: Finished
< HTTP/1.1 200 OK
< Content-Type: text/plain; charset=utf-8
< Content-Length: 8
< Server: awselb/2.0
< Date: Tue, 18 Feb 2020 03:23:59 GMT
< Connection: keep-alive
<
* Connection #0 to host updates.checkpoint.com left intact
it works[Expert@PSBANK-mgmt:0]# curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.cr dl3.checkpoint.com
* Rebuilt URL to: https:dl3.checkpoint.com/
* getaddrinfo(3) failed for https:80
* Couldn't resolve host 'https'
* Closing connection 0
curl: (6) Couldn't resolve host 'https'
[Expert@PSBANK-mgmt:0]# curl_cli -v http://cws.checkpoint.com
* Rebuilt URL to: http://cws.checkpoint.com/
* Trying 184.87.247.148...
* Connected to cws.checkpoint.com (184.87.247.148) port 80 (#0)
< HTTP/1.1 200 OK
< Server: Apache
< Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
< Content-Type: text/html
< Date: Tue, 18 Feb 2020 03:24:34 GMT
< Content-Length: 44
< Connection: keep-alive
< X-Cache-Remote: TCP_REFRESH_HIT from a23-43-48-140.deploy.akamaitechnologies.com (AkamaiGHost/9.8.5.1.1-27758809) (S)
<
* Connection #0 to host cws.checkpoint.com left intact

 

Thanks,

Karel Mate

Accepted Solutions
Tomer_Kashayov
Employee

Hi, 

Fix included in R80.40

R80_30_jumbo take 163 and higher.

R80_20_jumbo take 143 and higher.

Or follow sk155052 to resolve. 


9 Replies
_Val_
Admin

Might be related to sk155052. Look in the cpm.elg file for the "AssertionError has been caught: found too many objects" error.

Karel_Mate
Explorer

Thanks for the feedback, we'll check this tomorrow and see if this is the cause.

Regards.

Maarten_Sjouw
Champion
Check on the SMS with the following command:
psql_client cpm postgres
select task.objid, displayname, creator, starttime, lastupdatetime, progresspercentage
from tasknotification task,
     (select name, objid from domainbase_data where dlesession=0 and not deleted) cma
where status = 0
  and cma.objid = task.domainid
  and (displayname='Application Control & URL Filtering' or displayname='IPS Management Update');
\q
See if there is anything in 10% progresspercentage.
If so send me a PM and I will be able to link you to a TAC engineer I have been working with about this problem.
Regards, Maarten
Karel_Mate
Explorer

Hi Maarten, 

Sure, will check this one also tomorrow during my visit to the client and provide feedback here. Thanks,

Regards,

Karel_Mate
Explorer

Saw these symptoms on the client's management server, and have already shown this to the TAC that's handling the case.

Thanks and Regards

Bharat_Sudi
Explorer

Dear Karel & team,

 

We are facing a similar issue. Can you help me out with some input?

What's the solution?

Thanks and Regards

Bharath

Hasse_Haglund
Participant

Hi, 

We are facing the same issue as you did. Have you resolved it now or what is the status? 

Karel_Mate
Explorer

Hi,

 

I just checked sk155052; all the symptoms in cpm.elg were found on the client side, and we requested the fix from the TAC. Or follow Sir Tomer Kashayov's response on this trail.

Thanks,

Karel Mate
