gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"
Hello,
After the update to 81.20 the Gaia WebUI was accessible; all of a sudden, after a couple of days, it is not accessible anymore.
> show web ssl-port
web-ssl-port 443
Accepted Solutions
For some odd reason, after restarting the FW it did not work.
So I tried AGAIN to change the port, and all of a sudden it works again. That was weird, and I could not really figure it out.
Now it works with a new port, but the question remains of why it stopped working on the default one.
We have this article with a similar issue; it suggests it's a cert problem. https://support.checkpoint.com/results/sk/sk115732
2 suggestions... try setting "through all interfaces", install policy.
If that fails, try changing the port and make sure it's allowed, as per below.
Best,
Andy
I already tried that, although I have a cluster over the appliances, but it still did not work.
I think it might be something with the cert, but I don't know how to really check it out.
Did you try another port?
Andy
Yes, that was the first suggestion in the first comment.
So is the port 443 now or custom? Can you send the following -> clish -c "show web ssl-port"
Andy
It was 443 and I changed it to 4434 and nothing changed.
K, so just to make sure I get the whole "picture" here...so nothing changed except fw was upgraded to R81.20? And then web UI worked for 2 days and all of a sudden it stopped?
Andy
Access the device via console, type "fw unloadlocal" and try again.
If this works, check the output of "cplic print" to see if you have a valid license.
If not, you'll need to generate a new evaluation license: https://community.checkpoint.com/t5/General-Topics/How-to-Request-an-Evaluation-License-for-Security...
It's just a bit odd it worked for 2 days after the upgrade... I believe even with initial policy, web UI will work if it's on port 443.
Andy
Right, but unloading the policy makes sure it's not the issue.
That's true, worth a try.
I already have a license. Why should this be an issue? The FWs and cluster are working fine but I cannot access the UI.
I tried to unloadlocal the policy and install the policy again. It did not work! Although, as I mentioned, the firewalls are working fine.
You have the accessibility set to 'According to policy' - what rule are your inbound connections matching on? Is there anything useful in the FW logs?
It is going through the management interface according to the FW logs, and it is all green. The rule is there and working fine.
Also, in the httpd2_error_log:
Tue May 07 08:43:19.048654 2024] [mpm_prefork:notice] [pid 5804] AH00169: caught SIGTERM, shutting down
[Tue May 07 08:43:25.457517 2024] [mime_magic:error] [pid 2504] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Tue May 07 08:43:25.481826 2024] [so:warn] [pid 2504] AH01574: module setenvif_module is already loaded, skipping
[Tue May 07 08:43:25.481847 2024] [so:warn] [pid 2504] AH01574: module headers_module is already loaded, skipping
[Tue May 07 08:43:25.484948 2024] [core:warn] [pid 2504] AH00117: Ignoring deprecated use of DefaultType in line 421 of /web/conf/httpd2.conf.
AH00558: httpd2: Could not reliably determine the server's fully qualified domain name, using 10.255.0.18. Set the 'ServerName' directive globally to suppress this message
[Tue May 07 08:43:25.485315 2024] [mime_magic:error] [pid 2504] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Tue May 07 08:43:25.488953 2024] [mpm_prefork:notice] [pid 2504] AH00163: CPWS/2.4.55 (Unix) OpenSSL/1.1.1w configured -- resuming normal operations
[Tue May 07 08:43:25.488989 2024] [core:notice] [pid 2504] AH00094: Command line: '/web/cpshared/web/Apache/2.2.0/bin/httpd2 -f /web/conf/httpd2.conf -D FOREGROUND'
[Tue May 07 08:43:26.489827 2024] [:error] [pid 2507] [client 127.0.0.1:54482] libwrap/mod_hosts_access: connection refused from 127.0.0.1 to httpd@127.0.0.1
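Added example, not part of the original post or of Check Point's tooling: a small Python triage for an httpd2_error_log excerpt like the one above. It splits run-together entries on their timestamps, counts error-level entries per module, and pulls out libwrap/mod_hosts_access refusals (host access-control denials, which are distinct from certificate errors). The sample text is constructed in the shape of the posted log, and the function names are illustrative.

```python
import re

# Constructed sample: three entries shaped like the httpd2_error_log excerpt in
# the post above, run together on one line the way pasted logs often arrive.
SAMPLE = (
    "[Tue May 07 08:43:25.481826 2024] [so:warn] [pid 2504] AH01574: module "
    "setenvif_module is already loaded, skipping "
    "[Tue May 07 08:43:25.485315 2024] [mime_magic:error] [pid 2504] (2)No such "
    "file or directory: AH01515: mod_mime_magic: can't read magic file "
    "/web/conf/magic "
    "[Tue May 07 08:43:26.489827 2024] [:error] [pid 2507] "
    "[client 127.0.0.1:54482] libwrap/mod_hosts_access: connection refused "
    "from 127.0.0.1 to httpd@127.0.0.1"
)

STAMP = r"\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+ \d{4}\]"
ENTRY = re.compile(
    "(?P<ts>" + STAMP + r") \[(?P<module>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)",
    re.S,
)
REFUSED = re.compile(r"mod_hosts_access: connection refused from (\S+) to (\S+)")

def parse(text):
    """Split on each timestamp (entries may be run together) and parse fields."""
    chunks = re.split("(?=" + STAMP + ")", text)
    matches = (ENTRY.match(c.strip()) for c in chunks if c.strip())
    return [m.groupdict() for m in matches if m]

def errors_by_module(entries):
    """Count error-or-worse entries per Apache module tag."""
    counts = {}
    for e in entries:
        if e["level"] in ("error", "crit", "alert", "emerg"):
            key = e["module"] or "(no module)"
            counts[key] = counts.get(key, 0) + 1
    return counts

def access_refusals(entries):
    """Entries where libwrap/mod_hosts_access denied a peer: (source, target)."""
    found = (REFUSED.search(e["msg"]) for e in entries)
    return [(m.group(1), m.group(2)) for m in found if m]

if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print(errors_by_module(parsed))
    print(access_refusals(parsed))
```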
Maybe check through this SK and see if anything helps - https://support.checkpoint.com/results/sk/sk91380
Thanks, but this is the first link that comes up when you google anything related to a Gaia problem, so I went through it, and that's why I posted the logs in my last answer.