Solved: IPS Update failed after upgrade from R80.10 to R80...

Karel_Mate · ‎2020-03-08

Hi Sirs,

We are having issue on IPS update, right after we successfully migrated to new Open Server Appliance running R80.30 coming from R80.10, IPS Update is failing, We also tried updating using an offline update file but still failing. Connection to checkpoint is fine as well as the PC used on SmartConsole. Below is some output requested by the TAC who is handling the case.

[Expert@PSBANK-mgmt:0]# nslookup
> ^C[Expert@PSBANK-mgmt:0]# nslookup cws.checkpoint.com
Server: 10.11.25.4
Address: 10.11.25.4#53

Non-authoritative answer:
cws.checkpoint.com canonical name = wildcard-dual.checkpoint.com.edgekey.ne t.
wildcard-dual.checkpoint.com.edgekey.net canonical name = e14576.dscg.aka maiedge.net.
Name: e14576.dscg.akamaiedge.net
Address: 184.87.247.148

[Expert@PSBANK-mgmt:0]# curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https: //updates.checkpoint.com
* Rebuilt URL to: https://updates.checkpoint.com/
* Trying 104.67.182.6...
* Connected to updates.checkpoint.com (104.67.182.6) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5:!aECDH:!EDH
* successfully set certificate verify locations:
* CAfile: /opt/CPshrd-R80.30/conf/ca-bundle.crt
CApath: none
* *** Current date is: Tue Feb 18 11:23:56 2020
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Tue Feb 18 11:23:56 2020
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* err is -1, detail is 2
* *** Current date is: Tue Feb 18 11:23:56 2020
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* err is -1, detail is 2
* *** Current date is: Tue Feb 18 11:23:56 2020
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: crl_download_timeout: 10
* servercert: crl_weak_validation: 1
* servercert: Calling cp_verify_certificate
* servercert: cp_verify_certificate returned: CURLE_OK
* Server certificate:
* subject: OU=Domain Control Validated; CN=*.checkpoint.com
* start date: Oct 31 20:24:10 2018 GMT
* expire date: Oct 31 20:24:10 2020 GMT
* subjectAltName: updates.checkpoint.com matched
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http:// certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify ok.
* servercert: Finished
< HTTP/1.1 200 OK
< Content-Type: text/plain; charset=utf-8
< Content-Length: 8
< Server: awselb/2.0
< Date: Tue, 18 Feb 2020 03:23:59 GMT
< Connection: keep-alive
<
* Connection #0 to host updates.checkpoint.com left intact
it works[Expert@PSBANK-mgmt:0]# curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.cr dl3.checkpoint.com
* Rebuilt URL to: https:dl3.checkpoint.com/
* getaddrinfo(3) failed for https:80
* Couldn't resolve host 'https'
* Closing connection 0
curl: (6) Couldn't resolve host 'https'
[Expert@PSBANK-mgmt:0]# curl_cli -v http://cws.checkpoint.com
* Rebuilt URL to: http://cws.checkpoint.com/
* Trying 184.87.247.148...
* Connected to cws.checkpoint.com (184.87.247.148) port 80 (#0)
< HTTP/1.1 200 OK
< Server: Apache
< Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
< Content-Type: text/html
< Date: Tue, 18 Feb 2020 03:24:34 GMT
< Content-Length: 44
< Connection: keep-alive
< X-Cache-Remote: TCP_REFRESH_HIT from a23-43-48-140.deploy.akamaitechnologies.c om (AkamaiGHost/9.8.5.1.1-27758809) (S)
<
* Connection #0 to host cws.checkpoint.com left intact

Thanks,

Karel Mate

Tomer_Kashayov · ‎2020-06-16

Hi,

Fix include in R80.40

R80_30_jumbo take 163 and higher.

R80_20_jumbo take 143 and higher.

Or follow sk155052 to resolve.

View solution in original post

_Val_ · ‎2020-03-09

Might be related to sk155052. Look in cpm.elg file forAssertionError has been caught: found too many objects error

Karel_Mate · ‎2020-03-09

Thanks for the feedback, we'll check this tomorrow and see if this is the cause.

Regards.

Maarten_Sjouw · ‎2020-03-09

Check on the SMS with the following command:
psql_client cpm postgres
select task.objid,displayname,creator,starttime,lastupdatetime,progresspercentage from tasknotification task, (select name,objid from domainbase_data where dlesession=0 and not deleted) cma where status = 0 and cma.objid = task.domainid and (displayname='Application Control & URL Filtering' or displayname='IPS Management Update');
\q
See if there is anything in 10% progresspercentage.
If so send me a PM and I will be able to link you to a TAC engineer I have been working with about this problem.

Regards, Maarten

Karel_Mate · ‎2020-03-09

Hi Maarten,

Sure, will check this one also tomorrow, during my visit to the client and provide feedback here, Thanks,

Regards,

Karel_Mate · ‎2020-03-12

Saw this symptoms on the client's management server, already shown this to the TAC that's handling.

Thanks and Regards

Bharat_Sudi · ‎2020-05-27

Dear Karel & team,

We are facing a similar issue. can you help me out with some inputs.

What's the solution.

Thanks and Regards

Bharath

Hasse_Haglund · ‎2020-06-12

Hi,

We are facing the same issue as you did. Have you resolved it now or what is the status?

Tomer_Kashayov · ‎2020-06-16

Hi,

Fix include in R80.40

R80_30_jumbo take 163 and higher.

R80_20_jumbo take 143 and higher.

Or follow sk155052 to resolve.

Karel_Mate · ‎2020-06-16

Hi,

I just checked the sk155052, all symptoms on the cpm.elg was found on the client side, we requested the fix from the TAC. Or follow Sir Tomer Kashayov response on this trail.

Thanks,

Karel Mate

Are you a member of CheckMates?

IPS Update failed after upgrade from R80.10 to R80.30