Hi all.
Autoprovision/CME for my new AWS scale set has been failing, resulting in a total inability to provision new instances. For whatever reason, immediately after installing the restrictive policy, provisioning decides it wants to reset the instance, and part of that seems to be deleting the object. A portion of that deletion attempt involves iterating over VPN communities to make sure the gateway is not mentioned, and that activity is causing a stack trace.
cme.log gives me an incident number that, when examined in api.elg, shows the "show-vpn-communities-star" command is returning an invalid reply for "DH-Group".
I checked my communities using show-vpn-community-star and every community where I have group 24 for Phase 1 causes the API to fail to print output due to our ever popular friend "generic internal error":
[Expert@Management:0]# !121
mgmt_cli show vpn-community-star name "TestCommunity" -s id.txt
code: "generic_internal_error"
message: "Internal error. For more info search for incident [e9ce7b8c-a916-467f-963a-b81a1cd490db] in log file"
Trying to change the Diffie Hellman group to 24 via mgmt_cli fails telling me it isn't a valid parameter:
[Expert@Management:0]# mgmt_cli set vpn-community-star name "TestCommunity" ike-phase-1.diffie-hellman-group "group-24" -s id.txt
code: "generic_err_invalid_parameter"
message: "Invalid parameter for [diffie-hellman-group]. The invalid value [group-24] should be replaced by one of the following values: [group-1, group-2, group-5, group-14, group-19, group-20]"
Checking API reference version 1.8 doesn't mention group 24 as an option either.
Well, it's certainly an option in SmartConsole.
Changing the DH to one of the mentioned groups allows the command to succeed. However, I have many, many communities using group 24, and having to change all of them and coordinate with the 3rd party vendors is asking for ulcers.
I don't know why the autoprovision process is deciding to reset/delete the instance immediately after installing the restrictive policy, but it's led me here in my troubleshooting, so I need to get around it.
Thoughts?
Hi all.
Dug around some more, posting this for any future folks who might get this error.
Looks like group 24 is not a default DH group that SmartConsole will let you use. You have to follow sk27054 to add it manually to the database for use within your communities.
Whoever the previous administrator was for this Management server, they added that DH group for various tunnels. Adding it to the database is fine for SmartConsole but it seems the Management API is not aware of that addition, so it's going off the default list of approved DH groups.
The solution is to change any place you use DH Group 24 to something else. If you can't do that, you'd have to open a support ticket and see what they can do, if anything. I have a feeling I am going to get the old "unsupported config, go away", but we will see.
Perhaps change the group to something default, publish, let the autoprovisioning complete and then just put the group back to 24? Hopefully it won't do anything weird when CME iterates over the instances again. You'll be out of luck with any autoscale events, though.
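Before CME or autoprovisioning iterates over the communities, it helps to know in advance which star communities the Management API will choke on. The following script is an added example for this thread, not Check Point code and not something the posters ran. It walks the reply of `mgmt_cli show vpn-communities-star -f json`, calls `show vpn-community-star` per community, and flags two cases: detail calls that come back as an API error (the `generic_internal_error` seen above for group 24 communities), and communities whose Phase 1 group falls outside the list the API quoted in its `generic_err_invalid_parameter` message. The JSON shapes (an `objects` array with `name` in list replies, `ike-phase-1` / `diffie-hellman-group` in detail replies, `code` / `message` in error replies) are assumed from the dotted parameter path in the thread and the API's usual output; the sample replies, the community names and the `LegacyPartner` reply that reports `group-24` instead of failing are constructed.

```python
"""Audit star VPN communities for Phase 1 DH groups the Management API cannot handle.

Added example for this thread, not Check Point code. It walks the reply of
`mgmt_cli show vpn-communities-star -f json` and, per community, the reply of
`mgmt_cli show vpn-community-star name <name> -f json`, flagging:
  - communities whose detail call comes back as an API error (what happened in
    the thread for group 24: code "generic_internal_error"), and
  - communities whose Phase 1 group is outside the list the API accepts.
Assumptions: list replies carry an "objects" array with "name"; detail replies
carry "ike-phase-1" -> "diffie-hellman-group"; error replies carry "code" and
"message". The sample replies below are constructed, not captured.
"""
import json
import subprocess

# Values the API accepted, taken from the error message quoted in the thread.
API_DH_GROUPS = frozenset(
    {"group-1", "group-2", "group-5", "group-14", "group-19", "group-20"}
)


def detail_command(name, session_file="id.txt"):
    """argv for the per-community detail call (session file as in the thread)."""
    return ["mgmt_cli", "show", "vpn-community-star", "name", name,
            "-s", session_file, "-f", "json"]


def live_fetch(name, session_file="id.txt"):
    """Run mgmt_cli on a Management server and return the parsed JSON reply.
    Error replies are assumed to be JSON too, so check=False keeps them."""
    proc = subprocess.run(detail_command(name, session_file),
                          capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


def audit_communities(list_reply, fetch_detail):
    """Classify every community in list_reply using fetch_detail(name)."""
    result = {"broken": {}, "unsupported": {}, "ok": []}
    for obj in list_reply.get("objects", []):
        name = obj["name"]
        detail = fetch_detail(name)
        if "code" in detail:
            # An API error reply instead of the object: the detail call itself
            # fails, which is what breaks CME's VPN-community iteration above.
            result["broken"][name] = detail["code"]
            continue
        group = detail.get("ike-phase-1", {}).get("diffie-hellman-group")
        if group in API_DH_GROUPS:
            result["ok"].append(name)
        else:
            result["unsupported"][name] = group
    return result


# Constructed sample replies (not captured from a real Management server).
SAMPLE_LIST = {"objects": [{"name": "TestCommunity"}, {"name": "PartnerB"},
                           {"name": "LegacyPartner"}, {"name": "PartnerC"}]}
SAMPLE_DETAILS = {
    "TestCommunity": {"code": "generic_internal_error",
                      "message": "Internal error. For more info search for "
                                 "incident [INCIDENT-ID-PLACEHOLDER] in log file"},
    "PartnerB": {"name": "PartnerB",
                 "ike-phase-1": {"diffie-hellman-group": "group-14"}},
    # Hypothetical: a build that returns group-24 instead of failing.
    "LegacyPartner": {"name": "LegacyPartner",
                      "ike-phase-1": {"diffie-hellman-group": "group-24"}},
    "PartnerC": {"name": "PartnerC",
                 "ike-phase-1": {"diffie-hellman-group": "group-19"}},
}


def audit_sample():
    """Run the audit over the constructed replies."""
    return audit_communities(SAMPLE_LIST, SAMPLE_DETAILS.__getitem__)


def report(result):
    """Plain-text summary, one line per finding."""
    lines = [f"BROKEN      {n}: API returned {c}"
             for n, c in result["broken"].items()]
    lines += [f"UNSUPPORTED {n}: {g} not in API list"
              for n, g in result["unsupported"].items()]
    lines += [f"ok          {n}" for n in result["ok"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_sample()))
    # Against a live server, feed the parsed reply of
    # `mgmt_cli show vpn-communities-star -s id.txt -f json` and live_fetch:
    # audit_communities(list_reply, live_fetch)
```

Run as-is it prints the classification of the constructed sample; against a live server you feed it the parsed list reply and `live_fetch`. Anything listed as BROKEN is a community the API cannot even read, so it will trip CME's iteration; those are the ones to move to a default group (and publish) before autoprovisioning runs, per the workaround suggested above. Note that list commands in the Management API page their results, so on a large installation you would loop with `offset` and `limit` rather than rely on a single reply.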