Hfa 04 Vpn_1_r60

[raulico]

Hi,
due to last problem on hfa18 on secure platform, i prefer to wait until someone could do a test on a spare device.
Is there any problem upgrading to this HFA04 on nokia ip?
Is there anybody who yet did it?

[Raedm]

Hi,

1- I instilled NGX R60 Hotfix R60_03 and I received the error message "Cannot find pid of vpnd".
2- I uninstalled Hotfix R60_03 and installed Hotfix R60_04 to correct the problem but still the issue exist.

I am still investigating.

Do you want to proceed with installation of Check Point NGX R60 Hotfix R60_03 for Check Point NGX R60 on this computer?

Screen shot from the installation process:

If you choose to proceed, installation will perform CPSTOP.

(y-yes, else no):y

SmartView Monitor: Management stopped

FloodGate-1 stopped

Cannot find pid of vpnd

VPN-1/FW-1 stopped

SVN Foundation: cpd stopped

SVN Foundation: cpWatchDog stopped

SVN Foundation stopped

Launching post-hotfix utility

[northlandboy]

You probably don't need to worry about the message about not finding the vpnd pid.

Are you running VPNs on the module? Is it ticked on the node configuration in Smart Dashboard? If not, then vpnd won't be running, since it's not needed.

When it does the HFA install, it tries to kill off all the FW processes first. It's not clever enough to work out that you were never running vpnd, so tries to kill it off, even though it doesn't exist.

Check $FWDIR/log/vpnd.elg if you like. Look for messages like "Object doesn't support encryption".

Seems to me your HFA installation completed OK. You can also look at the HFA installation logfile.

I've done the install without problem on flash-based Nokias, but haven't had a chance to roll it into production yet.

[Raedm]

Yes I am running VPN on my firewall and the VPN option is checked in smart dashboard. However, I haven't had a chance to push the policy to the firewall.

[northlandboy]

Just to clarify something, so you've configured it within Smart Dashboard to do VPNs, but you haven't actually pushed that out to it yet, so it's currently not running any policy?

Is this a new setup, and you're patching at install time?

In that case, vpnd will start up when you push policy. For now though, you can ignore that message

[Raedm]

Yes VPN is enabled on the FW object in smart dashboard.

Yes this a new installation of IPSO 4.0build40 and NGX R60 with HFA 03.

I pushed the policy to the FW, and now I receive the following error:

"can not single a VPND process. There is no such process.

I tried to run the vpnd manually an the message was vpnd started. However the next few lines were error messages to other files.

[Raedm]

I had to reboot the FW!!! The VPN error message is gone now and the VPND process is running fine.

Thank you for you help.

[northlandboy]

Good to hear it's working now.

[raulico]

i installed the hfa 04 on ipso 4.0,did a reboot and checked packages activation ,and after a week this morning the smart console didn't reply me, the port on firewall was open and in listen mode, firewall was working perfect, ssh_ing the firewall show a correct fw stat and errors, i did a cprestart and everything go ok.
it's a strange behaviour and it never happened to my firewalls.
what can i do to investigate?
i checked the log of nokia ipso and i see a lot of:
[LOG_NOTICE] xpand[289]: root localhost t +volatile:clish:admin:13129 t

[Steve_Martin]

Hi, we've had a similar problem with SPLAT - NGX R60 - HFA 04. The communication of firewall with Smart center is lost approx once in 15 days.. once rebooted, things are fine.

This started to occur once we applied HFA04.

Anybody has any clue on this.. There seems to be no problem with time synchronization between the firewall and smart center.