Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HristoGrigorov

Problem with SNX

Hi,

I did fresh install on a 1470 appliance and then put it in central management. Everything is fine except that when I try to access SNX site the following error appears:

The resource is temporarily unavailable

To connect to SNX, try to refresh in a few minutes.

I found SK98112 that talks about the same error but first my case is not the same because there is no NAT involved and second even when I tried to flip appliance in local and then back to central management it still did not worked. I tried to disable/enable SNX in policy but that did not help as well. 

Any idea how to fix this issue ? 

0 Kudos
26 Replies
G_W_Albrecht
Legend
Legend

I have found sk100319 SNX temporarily unavailable for this issue.

CCSE CCTE CCSM SMB Specialist
HristoGrigorov

Thanx a lot. I wonder how I could not find this SK myself...

Anyway, I logged into the appliance and extender/ folder is 64K and not 15MB as stated in this same SK. There is Internet connection for sure. I wonder why it does not want to download it. Is the SNX distributive available somewhere to download it manually ?

0 Kudos
G_W_Albrecht
Legend
Legend

You can find the path here to download by WinSCP: sk65683 SSL Network Extender Manual Deployment from R75.20 Security Gateway to Windows 7 standard user

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

You can also download from another unit, of course

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

Yeah, it seems I'll have to do that on Monday because sadly the other SK requires Enterprise Support access. I have never ran into this problem while the appliance was locally managed. It started right after I switched it to central management. 

0 Kudos
G_W_Albrecht
Legend
Legend

Install file should be updated upon policy install

sk: 

       Download the file from the Gateway under $CVPNDIR/htdocs/SNX/CSHELL/extender.cab                    (the SNXComponentsShell.msi located in the extender.cab file) and use windows GPO for deployment.

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

That does not seem to be applicable for Gaia Embedded. There is no such path there.

0 Kudos
G_W_Albrecht
Legend
Legend

Do a find / -name for extender.cab                   

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

I tried both:

find / -name extender.cab 

and

find / -name *.cab

And nothing was found. I have also scanned log file and found nothing about failure to download SNX server side package. There is the content of /storage/extender at the moment:

-rwxrwxrwx 1 root root 5335 Jul 29 2015 cookies.js
-rwxr-x--- 1 root root 8573 Aug 25 2013 login_f.htt
-rwxr-x--- 1 root root 8017 Aug 25 2013 login_invalid_cert.htt
-rwxr-x--- 1 root root 3039 Aug 25 2013 not_authorized.htt
-rwxr-x--- 1 root root 9180 Aug 25 2013 registration.htt
-rwxr-x--- 1 root root 9159 Aug 25 2013 registration_invalid_cert.htt
-rwxr-x--- 1 root root 5938 Aug 25 2013 user_interaction.htt

0 Kudos
G_W_Albrecht
Legend
Legend

The name should be enclosed in single quotes. But     You should try another GW for this, i think snx is missing from this unit

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

Well, I did just that but I flipped the second appliance from central to local management. After few minutes extender package was downloaded and installed. I copied it to the problematic appliance and voilaaaa it works again. 

Package was download from one of the CheckPoint servers but the URL does appear to be a temporary one. Size is approximately 39MB.

Why this does not work in central mode remains mystery to me but I don't have the time now to tackle this with CP support.

Thanx a lot for your support!

0 Kudos
G_W_Albrecht
Legend
Legend

I will try this on my 1200R

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

Just reset to defaults from appliance button and on FTCW go straight to central management. Enable SNX and install policy. It may very well work for you. 

0 Kudos
G_W_Albrecht
Legend
Legend

I just experienced the issue you had on my 1200R:

- 1200R is centrally managed

.- verified that SNX VPN clients are enabled

- SNX page showed the message

The resource is temporarily unavailable

- waiting did not change the message displayed

- WinSCP showed a very small /storage/extender directory without .cabs

- after copying the extender directory from my 730 SNX worked as expected on the 1200R centrally managed

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

Not the news I was hoping to hear. I was thinking it is something wrong I did in transitioning from local to central management but apparently it is a real issue that needs to be addressed by CheckPoint. 

0 Kudos
G_W_Albrecht
Legend
Legend

I did mention this circumstance in a feedback to sk100319 SNX temporarily unavailable - TAC would have been more appropriate, but i had a first try this way...

CCSE CCTE CCSM SMB Specialist
HristoGrigorov

Well, I have engaged TAC and opened new SR about this. I'll keep you posted on how it is going on.

0 Kudos
HristoGrigorov

Reply from support:

While I was working on this case, I found that you made some progress on checkpointmate.

 

As you memtioned on checkpointmate, you have 64k on extender folder, so the file is missing.

 

What I will do for next step, I will make same enviroment as you have right now, then  I will copy the missing file you have and provide for you.

 

Before doint that, I need some time to set up and test it.

0 Kudos
HristoGrigorov

My reply:

Hi,

 

As mentioned in this thread I already solved the problem by using another appliance in local mode to download SNX distributive and move it to the problematic one.

 

I have opened this SR for you to forward it to development so that problem is fixed permanently.

 

It is not acceptable to have appliance in central mode with not working SNX Extender.

 

Mind you that this problem is not local, it was confirmed by another CheckMate buddy.

 

0 Kudos
HristoGrigorov

Reply from support:

I would like to know if you have made any progress on this issue or if you need further assistance. If you need any further clarifications please let me know and I will be glad to assist.

 

If you are waiting for a maintenance window or know you will not be able to actively work on the Service Request for several days, please let me know the date when you would like me to follow up with you regarding the status of this Service Request.

0 Kudos
HristoGrigorov

As I mentioned in another thread engaging TAC is heavy time consuming procedure. Now you see why. I mean, come on TAC... are you kidding me ?!?

0 Kudos
G_W_Albrecht
Legend
Legend

It is not always so easy to handle TAC 😉

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

There is the reply. If TAC is not the right way to report bugs then what it is?

Sorry for the previous email, Sent the wrong one.

 

Thanks for bringing this to our attention, I will definately notice R&D department to fix this issue permanently.

 

However, this SR is a case for TAC engineers to troubleshoot, do you mind if I close the case?

0 Kudos
G_W_Albrecht
Legend
Legend

Now, R & D will start working on resolving the issue in the next firmware version 😉 But sounds as if this was not the first occurence at all. Closing the SR is o.k. as we already know the workaround and a fixed version will take some time...

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

My feedback on sk100319 SNX temporarily unavailable did produce an answer:

This sk article is not relevant for R77.20.X for Gaia Embedded

That may well be, but then, this sounds like a bug without an sk...

CCSE CCTE CCSM SMB Specialist
0 Kudos
HristoGrigorov

Even if there is SK it is still a bug. Smiley Happy

Let's hope my SR was actually forwarded to R&D and that they will fix it in further release.

0 Kudos