NikFal
Contributor

gaia GUI not reachable "failed to receive handshake, SSL/TLS connection failed"

Hello, 

After the update to 81.20, the Gaia WebUI was accessible; all of a sudden, after a couple of days, it is not accessible anymore.
 
> show web ssl-port
web-ssl-port 443

2024-05-06 16_08_19-Window.png

2024-05-06 16_13_00-Window.png

2 Solutions

Accepted Solutions
NikFal
Contributor

For some odd reason, after restarting the FW it did not work.
So I tried AGAIN to change the port, and all of a sudden it works again. That was weird, and I could not really figure it out.
Now it works with a new port, but the question is why it stopped working on the default one.
2024-05-07 09_48_27-lagadpsec01.png


emmap
Employee

We have this article with a similar issue; it suggests it's a cert problem. https://support.checkpoint.com/results/sk/sk115732


19 Replies
the_rock
Legend

2 suggestions...try setting "through all interfaces", install policy

If that fails, try changing the port and make sure it's allowed, as per below

Screenshot_1.png

Best, 

Andy

NikFal
Contributor

I already tried that, although I have a cluster over the appliances, but it still did not work.
I think it might be something with the cert, but I don't know how to really check it.

the_rock
Legend

Did you try another port?

Andy

NikFal
Contributor

Yes, that was the first suggestion in the first comment.

the_rock
Legend

So is the port 443 now or custom? Can you send the following -> clish -c "show web ssl-port"

Andy

NikFal
Contributor

It was 443 and I changed it to 4434 and nothing changed.

 

the_rock
Legend

K, so just to make sure I get the whole "picture" here...so nothing changed except the fw was upgraded to R81.20? And then the web UI worked for 2 days and all of a sudden it stopped?

Andy

PhoneBoy
Admin

Access the device via console, type "fw unloadlocal" and try again.
If this works, check the output of "cplic print" to see if you have a valid license.
If not, you'll need to generate a new evaluation license: https://community.checkpoint.com/t5/General-Topics/How-to-Request-an-Evaluation-License-for-Security... 

the_rock
Legend

It's just a bit odd it worked for 2 days after the upgrade...I believe even with the initial policy, the web UI will work if it's on port 443.

Andy

PhoneBoy
Admin

Right, but unloading the policy makes sure it's not the issue.

the_rock
Legend

That's true, worth a try.

NikFal
Contributor

I already have a license. Why should this be an issue? The FWs and cluster are working fine, but I cannot access the UI.

NikFal
Contributor

I tried to unload the local policy and install the policy again. It did not work! Although, as I mentioned, the firewalls are working fine.

emmap
Employee

You have the accessibility set to 'According to policy' - what rule are your inbound connections matching on? Is there anything useful in the FW logs?

NikFal
Contributor

It is going through the management interface according to the FW logs, and it is all green. The rule is there and working fine.
Also in the httpd2_error_log:

[Tue May 07 08:43:19.048654 2024] [mpm_prefork:notice] [pid 5804] AH00169: caught SIGTERM, shutting down
[Tue May 07 08:43:25.457517 2024] [mime_magic:error] [pid 2504] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Tue May 07 08:43:25.481826 2024] [so:warn] [pid 2504] AH01574: module setenvif_module is already loaded, skipping
[Tue May 07 08:43:25.481847 2024] [so:warn] [pid 2504] AH01574: module headers_module is already loaded, skipping
[Tue May 07 08:43:25.484948 2024] [core:warn] [pid 2504] AH00117: Ignoring deprecated use of DefaultType in line 421 of /web/conf/httpd2.conf.
AH00558: httpd2: Could not reliably determine the server's fully qualified domain name, using 10.255.0.18. Set the 'ServerName' directive globally to suppress this message
[Tue May 07 08:43:25.485315 2024] [mime_magic:error] [pid 2504] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Tue May 07 08:43:25.488953 2024] [mpm_prefork:notice] [pid 2504] AH00163: CPWS/2.4.55 (Unix) OpenSSL/1.1.1w configured -- resuming normal operations
[Tue May 07 08:43:25.488989 2024] [core:notice] [pid 2504] AH00094: Command line: '/web/cpshared/web/Apache/2.2.0/bin/httpd2 -f /web/conf/httpd2.conf -D FOREGROUND'
[Tue May 07 08:43:26.489827 2024] [:error] [pid 2507] [client 127.0.0.1:54482] libwrap/mod_hosts_access: connection refused from 127.0.0.1 to httpd@127.0.0.1

 

emmap
Employee

Maybe check through this SK and see if anything helps - https://support.checkpoint.com/results/sk/sk91380

NikFal
Contributor

Thanks, but this is the first link that comes up when you google anything related to a Gaia problem, so I went through it and that's why I posted the logs in my last answer.
