AnsweredAssumed Answered

[Problem] R80.10 Policy Installation fails

Question asked by Jakub Rutynowski on Jun 1, 2017
Latest reply on Jun 1, 2017 by Tomer Sole



I have a virtual lab with Multi Domain Server with 3 domains:


Domain A (DMS1): VSX and virtual router
Domain B (DMS2): 2 virtual firewalls and R80.10
Domain C (DMS3): 1 virtual firewall


All other firewalls except of R88.10 are working fine.


R80.10, just basic installation:


GAiA 64bit standalone
Build 991310423
Branch name : hugo1
4gb memory
4 cores


[Expert@CPGW80-1:0]# df -kh
Filesystem Size Used Avail Use% Mounted on
19G 4.6G 13G 27% /
/dev/sda1 289M 24M 251M 9% /boot
tmpfs 1.9G 0 1.9G 0% /dev/shm
4.9G 350M 4.3G 8% /var/log


All licenses are in place and work fine.

The R80.10 gateway established SIC with its CMA, policy was created allowing any traffic.
Unfortunately, I can't install the basic policy and I get the error attached.


I did a fwm debug on DMS2 and found out this:

FWM 17116 4052629200]@mds-primary[1 Jun 8:40:41][] CLogFile::Open: Smart fflush enabled in log file
[FWM 17116 4052629200]@mds-primary[1 Jun 8:40:41][] pfopen: failed to open /opt/CPmds-R80/customers/DMS2/CPsuite-R80/fw1/conf/fwm.adtlog: No such file or directory
[FWM 17116 4052629200]@mds-primary[1 Jun 8:40:41][] CBinaryFile::Open: failed to open /opt/CPmds-R80/customers/DMS2/CPsuite-R80/fw1/conf/fwm.adtlog (For reading): No such file or directory


All CP processes are working and don't get stuck.

Also the command fwm -d shows the following:

[FWM 9612 4053010128]@mds-primary[1 Jun 9:45:08] CPPRODIS_init_error_logging_ex: initialized error logging for product 'FW1' application 'FWM'. Log file is not set.

From this command fw -d fetchlocal -d $FWDIR/state/__tmp/FW1 I get the following error:

[11882 4049438416]@mds-primary[1 Jun 9:48:08] Error opening file /opt/CPmds-R80/customers/DMS2/CPshrd-R80/database//authkeys.C:: No such file or directory

Running debugs gives me this:

fw ctl debug 0
fw ctl debug -buf 32000
fw ctl debug -m fw + memory filter
fw ctl kdebug -f 1>> /var/log/debug.txt 2>> /var/log/debug.txt &
fw -d fetchlocal -d $FWDIR/state/__tmp/FW1 1>> /var/log/policydebug.txt 2>> /var/log/policydebug.txt
fw ctl debug 0
kill %1

[13905 4015409040]@CPGW80-1[1 Jun 10:00:07] fw_cmi_loader_init: registering load_params hook
[13905 4015409040]@CPGW80-1[1 Jun 10:00:07] fwobj_obj_initmode: mode=3
[13905 4015409040]@CPGW80-1[1 Jun 10:00:07] fwobj_obj_initmode: MOD R/W mode (fwd?)
[13905 4015409040]@CPGW80-1[1 Jun 10:00:07] muting debug...
[13905 4015409040]@CPGW80-1[1 Jun 10:00:07] DEBUG: fwd_reload_database_file: Start
[13905 4015409040]@CPGW80-1[1 Jun 10:00:07] in fwd_reload_database(do_database=0, dir=database, fn=objects.C
[13905 4015409040]@CPGW80-1[1 Jun 10:00:07] fwobj_destroy_reference_hash: reference_resolving_hash_users<0
[13905 4015409040]@CPGW80-1[1 Jun 10:00:07] reference_resolving_hash created
[13905 4015409040]@CPGW80-1[1 Jun 10:00:07] CachedObject::SetObject: small size, modifying (0 --> 10)
[13905 4015409040]@CPGW80-1[1 Jun 10:00:07] CachedObject::CreateHash: Created internal hashtable, size: 10
Fetching Security Policy Failed

[13905 4015409040]@CPGW80-1[1 Jun 10:00:08] destroy_rand_mutex: destroy
[13905 4015409040]@CPGW80-1[1 Jun 10:00:08] cpKeyTaskManager::~cpKeyTaskManager: called.

Solution steps I've made so far:

1) Fetched initial policy from local host - works ok
2) Added the missing file fwm.adtlog in the path stated above - no luck
3) Recreated SIC succesfully - no luck
4) Recreated the gateway object with new name - no luck
5) Followed sk33893 and found some errors referring to missing files, but not straight to the issues described there.
6) Restarted Domain Management Server (DMS2) - no luck
7) Monitored GW and DMS processes - no signs of corruption

What I'm going to do:

1) Install new R80.10 Gateway and verify if the same issue occurs.


Did someone already see this policy installation problem?


Thank you.