| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| I've been trying to debug the SMS service on our R60 SmartCenter server using a document I found on SecureKnowledge (Understanding SofaWare Management Modules). According to the document it states that the SMS can be started in debug mode by issuing the command 'SMS -confdir $FWDIR/conf/sofaware' command on the SmartCenter server console. On doing this I receive the error '15000: Can't contact database'. I assume the error means that the SMS service can't read the rulebase and therefore cannot continue (if I issue an SMSSTART command and then an SMSSTOP command I get the message 'Process SMS process has been already terminated'). Does anybody have any idea how to resolve this error? I have searched the SecureKnowledge site for error 15000 but there doesn't seem to be any information. |
| |||
| We're running SmartCenter on SPLAT NGX (R60) Build 251 with HFA03 applied. libsw is on v6.0.74, updated at the same time we updated the firmware on our EDGE boxes to v6.0.74. I have double-checked this with the /opt/CPEdgecmp/libsw/version.txt file. We followed article sk31448 to update the libsw files. |
| |||
| Not that I can tell - A 'ps -e' command doesn't list SMS at all... even immediately after an 'smsstart' (which returns cpwd_admin: Process SMS started successfully (pid=10172)). Even 'ps -p 10172' returns nothing. |
| |||
| The issue is that I had managed to set the Edge boxes to connect to the SmartCenter and download policies from it, all well so far. I noticed recently that the policies are not changing on the Edge devices when I make alterations in the Dashboard (even after propagation time). I started finding that when I attempted to install a policy onto the Edge I got an error with the following sequence: Info: VPN-1 Embedded Connector 5.0.23 starting Error: <device name>: Can't contact database, 15000 Info: VPN-1 Embedded Connector is done. rc = 1 Compilation failed. Operation ended with errors I disabled all the rules on the FW cluster (it's in pre-rollout at the moment) and just enabled the NAT from outside to the SmartCenter and the two rules that allow SWTP_SMS in from the Edge devices to the SmartCenter and SWTP_Gateway out from the SmartCenter to the Edge devices. No change.... I attempted to reconnect the devices to the SmartCenter and just got "The SmartCenter server did not respond" (or something equivalent to that anyway). I did some packet captures on the enforcement modules and on the Edge device and noticed that the SmartCenter server was responding to connections to UDP/9282 with ICMP Port Unreachable. I attempted SMSSTART on the SmartCenter machine but noticed that there was no change, and when I tried to SMSSTOP I was told that the process had already been stopped! So I tried looking into how to get more debug info into the logs.... after finding that I could start SMS manually with output to the console I tried it and got the "15000: Can't contact database" error.... |
| |||
| Mendax, can you state the output of fw ver -k on your SmartCenter? It should be 'This is Check Point SmartCenter Server NGX (R60) HFA_03, Hotfix 603 - Build 001' when HFA03 is applied. Was your SmartCenter upgraded? Maybe libsw is corrupted; did you make a backup of the old libsw files? Did your Edges work with the old libsw? |
| |||
| The response I get for 'fw ver -k' is: Local host is not a FireWall-1 module This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R60) HFA_03, Hotfix 603 - Build 015 I have just updated the libsw to v6.0.76 and updated the EDGE firmware to the same, just in case the libsw was corrupt... Still no joy. I am fairly sure I have used the edge devices with v6.0.74 although I couldn't be 100%. I know that they have worked previously and working back I deduce that the last time a policy did work on the edge devices was after the date I updated libsw to v.74. |
| |||
| Well, at least you can say where it went wrong. Did you update your libsw files exactly as CP has stated in the document? First the SmartCenter and afterwards the VPN Edges? Are you running a standalone setup? Management on the box? As far as I can see from the fw ver output you are; can you confirm? |
| |||
| This is the R62 command line to start SMS: "sms -confdir /opt/CPsuite-R62/fw1/conf/sofaware"; adjust as needed. Run this from a console session, push policy, and then all should be well. Sometimes SMS doesn't start correctly the first time and then will only run from the console and not an ssh/telnet/etc. session. |
| |||
| dbedit: Yes, I did follow the CP recommendations, although this time the VPN edge devices weren’t connected to the SmartCenter (due to this problem). We are running a standalone management server yes, 2 clustered enforcement modules plus 3 edge boxes and 1 management server (behind the enforcement cluster). chillyjim: I had tried the manual version of the smsstart script (via SSH) and got the same 15000 error, unfortunately I am unable to test the direct-console method at present as I have no physical access to the machine. I have had sms running previously as I have managed to subscribe/connect to the SmartCenter Server from all 3 VPN edge boxes and have also previously succeeded to push a policy to the edges collectively? I will attempt to gain physical access to the SmartCenter machine at some point and let you know how the command runs from the console. |
| |||
| Review your $FWDIR/conf/sofaware/SWManagementServer.ini file. DB info and DB password are in there. Did this work before? Just stopped working? Did this happen due to an upgrade? I've had a bad experience like this after an upgrade of SmartCenter from winblowz to SecurePlatform. During upgrade_export/import, SWManagementServer.ini ended up full of ^M chars. SmartCenter on SecurePlatform puked on that. A fresh, correctly formatted file solved it. Easily detected tho by doing 'vi SWManagementServer.ini'. |
| |||
| I'm connected (SSH) to the SmartCenter server, looking at the SWManagementServer.ini file. No ^M characters in there thankfully but in the [DB] section there are entries User=none Password=none or is it in the [Server] section that I want the Password= from? We haven't upgraded cross-platform, it was freshly installed (for us) from scratch onto the machine it's on now. I upgraded to HFA02 and HFA03 but that's all. Couldn't tell you exactly when the comms between the edge and SC stopped but I know I did have it working... Sorry, not very helpful there I know. |
| |||
| Those 2 "should" be none. An important file that should be intact, as per the previous post, is also the schema file $FWDIR/conf/sofaware/cpmi-schema.properties. Anyway, besides the obvious that the files should be there and "look ok", I don't have any further suggestions at the moment :( |
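Added example, not part of the thread and not Check Point code: a shell check for the two things the posts above say to look at in SWManagementServer.ini, namely ^M (carriage return) line endings and the [DB] User/Password entries. The sample file contents and the function names are constructed for illustration; only the [DB] and [Server] section names and the expected value "none" come from the thread.

```shell
#!/bin/sh
# Added example; the sample INI content is constructed, not from a real server.
CR=$(printf '\r')

# Number of lines in "$1" containing a carriage return (shown as ^M in vi).
count_cr_lines() {
    grep -c "$CR" "$1" || true    # grep exits 1 on zero matches; still prints 0
}

# Value of key "$3" in section "$2" of file "$1", tolerating CRLF endings.
ini_get() {
    tr -d '\r' < "$1" | awk -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }'
}

# Write a CR-free copy to "$2"; the original stays untouched for comparison.
strip_cr() {
    tr -d '\r' < "$1" > "$2"
}

# Report CR line endings and [DB] values other than "none" (the value the
# thread says to expect). Values are never printed. Returns 1 on any finding.
check_sofaware_ini() {
    rc=0
    n=$(count_cr_lines "$1")
    if [ "$n" -gt 0 ]; then
        echo "$1: $n line(s) contain CR (DOS line endings)"; rc=1
    fi
    for k in User Password; do
        v=$(ini_get "$1" DB "$k")
        [ "$v" = "none" ] || { echo "$1: [DB] $k is not 'none'"; rc=1; }
    done
    return "$rc"
}

# Constructed samples: one Unix-format file and the same content with CRLF.
make_samples() {
    printf '[Server]\nPassword=constructed-value\n[DB]\nUser=none\nPassword=none\n' > "$1/unix.ini"
    printf '[Server]\r\nPassword=constructed-value\r\n[DB]\r\nUser=none\r\nPassword=none\r\n' > "$1/dos.ini"
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_sofaware_ini "$tmp/unix.ini" && echo "unix.ini: ok"
check_sofaware_ini "$tmp/dos.ini" || strip_cr "$tmp/dos.ini" "$tmp/dos.fixed.ini"
check_sofaware_ini "$tmp/dos.fixed.ini" && echo "dos.fixed.ini: ok"
rm -rf "$tmp"
```

On a real server, point check_sofaware_ini at $FWDIR/conf/sofaware/SWManagementServer.ini and keep the original file as a backup before swapping in a stripped copy.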
| |||
| I'm very much doubting your Smartcenter. You stated smartcenter version Local host is not a FireWall-1 module This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R60) HFA_03, Hotfix 603 - Build 015 Well mine states: 'This is Check Point SmartCenter Server NGX (R60) HFA_03, Hotfix 603 - Build 001' This is the output of a SPLAT Smartcenter. Was the HFA correctly installed on your Smartcenter?? As I can recall NGX without HFA applied will give the output with build 015. Are there any _HFA files in $FWDIR/lib?? |
| |||
| Apologies for the delay in replying. Unfortunately due to a corporate take-over we are no longer in direct control of 'our' firewall modules. I had come to the conclusion that the SmartCenter server was a bit dodgy but wasn't sure how I could correct it, I did apply the HFA03 a second time but it didn't make any difference. The management of the firewalls has been transferred to a different SmartCenter server to which the Edge devices connected without a hitch - I must therefore conclude that it was definitely our SPLAT SmartCenter server that was the source of the problem. On that note I thank you dbedit, abusharif and chillyjim for your suggestions and help. |