PDA

View Full Version : Policy Install Failed & Will Not Boot



rmeredit
2009-08-13, 11:43
I'm running a UTM 576 w/ R70. I was in SmartDashboard & attempted to install a new policy. The installation failed, timed out. I attempted a second time, failed also. I then connected to the web interface & rebooted the device. On boot, the LCD keeps repeating "loading loading loading...". It never comes up. I consoled in & it looks like the boot sequence is fine until "Starting cpboot:" - it hangs at this point. I am able to enter maintenance mode w/o issue.

Any ideas on this? I have a config on this box that I do not want to lose. I just created the config yesterday & don't a copy outside of the device.

-R

rmeredit
2009-08-18, 09:45
FYI - In case anyone is interested in this or has the same problem...

I am able to recreate this problem. Basically, I have a basic policy setup and am able to install the policy w/o issue. But, when I select the "interface leads to DMZ" checkbox on the DMZ interface of the firewall object - the policy will no longer install. It errors/times out. After this, the UTM device will not boot b/c cpboot hangs (see above).

northlandboy
2009-08-18, 14:35
Interesting - I had a similar issue a couple of weeks back, after making an IPS update, both cluster nodes wouldn't boot.

The only way I could get them back was to restore the gateway from backup.

There is probably a way you could go into single user mode, and change it to load the initial policy, then push put a fixed up policy.

rmeredit
2009-09-02, 11:10
Just wanted to reply to let everyone know more info about the problem...

In my case, I had a VERY simple configuration created in SmartDashboard - it contained a Connectra. I had the UTM appliance on a lab network w/ no connectra or name resolution. When the policy was installing, it was getting stuck in a name lookup loop looking for the IP address of the Connectra. This was happening EVEN WHEN I was NOT trying to push the policy to the Connectra.

So, in the end, I ended up putting a host file entry for the Connectra in /etc/hosts. I pointed it to a bogus IP - thinking it didn't really need it anyway. This worked & fixed the problem. It appears CP has some sort of a problem that comes up w/ the interfaces on the firewall are changed in anyway. It pops up at the next policy install.