Maciej

Failed to update Data Center server objects on gateway Azure-Production--checkpoint

Hi CheckMates,

First I would like to show my deep appreciation by saying "Thank you" to all forum contributors. It's my first post, but only because all the information I was looking for was already here or in SKs. Up to this day 😉

So without further ado.

For lab purposes I've configured VMSS with Management in the Azure Cloud and configured the Azure-VSEC Data Centre connection. I've followed the CloudGuard Controller AdminGuide step by step.

It seems that it works perfectly, as it automatically updates objects in the management database and a few seconds later on the security gateways, but in the logs I see the following error:

Failed to update Data Center server objects on gateway Azure-Production--checkpointFW_3--VMSS_CHECKPOINT. If issue persists contact Check Point Support.

It appears only when I use Data Center objects somewhere in the policy. 

I wanted to troubleshoot the problem, so I've run some tail -f in $FWDIR/log/ on the management server. In the meantime I've changed the IP of the Linux machine (kalilinux) to 10.0.20.11. It shows the following:

cpm.elg

02/09/19 22:20:30,953 INFO objects.cloud_shadow_objects.CloudOverviewObjectFactoryImpl [taskScheduler-6]: Creating overview object for: CloudShadowObject{cloudId='1a69f475-0856-47d6-ae76-064ec0ecb0c4', cmsUid=5529580e-5a0f-483e-97a0-bebcafcc9283, cloudType=VM, innerObjectType='Virtual Machine', hasChildren=false, dynamicProperties=[10.0.20.11, , /Network by Subscriptions/Free Trial/Virtual Networks/VMSS-Checkpoint (checkpoint-management)/Virtual Machines, , West Europe], dynamicPropertiesNames=[IP, Note, URI, Tags, Location], ipaddr='10.0.20.11', state=0, dataCenterTimeStamp=Mon Sep 02 22:20:02 UTC 2019, cloudName='kalilinux (linuxnet)', checksum='85A060E5334BB4C149BD45A1EBF8C5E1', canImport=false, previouslyExisted=false}

cloud_proxy.elg

02/09/19 22:20:55,142 ERROR IDA.requests.IDARequestsSender [Thread-16]: Error while attempt to connect to server: 10.0.2.6 (this is the IP of one of the security gateways)
com.fasterxml.jackson.core.JsonParseException: Unexpected character ('/' (code 47)): maybe a (non-standard) comment? (not recognized as one since Feature 'ALLOW_COMMENTS' not enabled for parser)
 at [Source: /tmp/vsecUpdate.sh: line 19: warning: here-document at line 4 delimited by end-of-file (wanted `EOF'){   "responses" : [      {         "ipv4-address" : "10.0.20.11",         "message" : "Association sent to PDP."      }   ]}; line: 1, column: 2]
        at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1486)
        at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:518)
        at com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:447)
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipComment(ReaderBasedJsonParser.java:1937)
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd2(ReaderBasedJsonParser.java:1912)
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:1863)
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:571)
        at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3600)
        at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3545)
        at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2576)
        at com.cp.enforcement_updater.common.JsonTools.getJsonFromString(JsonTools.java:11)
        at com.cp.enforcement_updater.IDA.api.IDACpridRequestSenderClient.sendAddRequests(IDACpridRequestSenderClient.java:16)
        at com.cp.enforcement_updater.IDA.requests.IDARequestsSender.sendIDAAddRequests(IDARequestsSender.java:4)
        at com.cp.enforcement_updater.IDA.requests.IDARequestsSender.sendRequests(IDARequestsSender.java:10)
        at com.cp.enforcement_updater.DomainEnforcementUpdater.generateAndSendRequests(DomainEnforcementUpdater.java:175)
        at com.cp.enforcement_updater.DomainEnforcementUpdater.sendUpdatesToTargets(DomainEnforcementUpdater.java:55)
        at com.cp.enforcement_updater.DomainEnforcementUpdater.run(DomainEnforcementUpdater.java:178)

The same message appears on the second gateway. Nevertheless, the rule on the security gateway is automatically updated and works.

Have you ever experienced similar behaviour or seen this error? Is it something I need to be worried about before going to production, or is it a known bug? Maybe I've made some misconfiguration, and with your help I will be able to find it.

Some details:

I run a default-configuration R80.20 deployment with two load balancers in frontend and backend. Management is in the same VNET but a different subnet. For testing, the rule is any any allow. Default security groups were created by the template. I've checked the Identity Awareness settings by configuring it manually and adding -ia to the autoprov-cfg template. No changes.

Thank you in advance for any suggestions 🙂

Best Regards,

Maciej
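
A triage helper for the cloud_proxy.elg exception quoted above, as an added example that is not part of the original post and not Check Point code. It takes the `[Source: ...]` text that Jackson echoes, separates any non-JSON text in front of the payload from the JSON itself, and lists the per-IP replies the gateway returned. The function names and the one-line sample (built from the log line in the post) are assumptions.

```python
import json
import re

# Constructed sample: the "[Source: ...; line: N, column: M]" text from the
# cloud_proxy.elg exception quoted in the post, reduced to a single line.
SAMPLE = (
    " at [Source: /tmp/vsecUpdate.sh: line 19: warning: here-document at line 4 "
    "delimited by end-of-file (wanted `EOF')"
    '{   "responses" : [      {         "ipv4-address" : "10.0.20.11",'
    '         "message" : "Association sent to PDP."      }   ]}; line: 1, column: 2]'
)

# Jackson appends "; line: N, column: M]" after the text it failed to parse.
SOURCE_RE = re.compile(r"\[Source: (?P<body>.*); line: \d+, column: \d+\]", re.S)


def split_response(log_line):
    """Return (stray_prefix, parsed_json) for a Jackson '[Source: ...]' line.

    parsed_json is None when no JSON object can be decoded from the body.
    """
    m = SOURCE_RE.search(log_line)
    if not m:
        raise ValueError("no [Source: ...] section found")
    body = m.group("body")
    decoder = json.JSONDecoder()
    # Try every '{' as a possible start; the first one that decodes wins.
    for pos, ch in enumerate(body):
        if ch != "{":
            continue
        try:
            obj, _end = decoder.raw_decode(body, pos)
        except json.JSONDecodeError:
            continue
        return body[:pos].strip(), obj
    return body.strip(), None


def summarize(log_line):
    """Map each IP in the gateway reply to its message, plus the stray text."""
    prefix, obj = split_response(log_line)
    replies = {}
    if obj:
        for r in obj.get("responses", []):
            replies[r.get("ipv4-address")] = r.get("message")
    return {"stray_output": prefix, "replies": replies}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, the stray output is the shell warning from /tmp/vsecUpdate.sh and the JSON behind it still carries the "Association sent to PDP." reply for 10.0.20.11.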
