CPUG: The Check Point User Group


Thread: brand new R77.30 on IBM server

  1. #1
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default brand new R77.30 on IBM server

    I recently did a fresh install of R77.30 on an IBM server (on the Check Point HCL). The installation went without any issues. This server is intended to migrate my Provider-1 from R75.47 over to R77.30.

    I configured bond0 on interfaces eth1 & eth3 for 802.3AD active/active, and from my Windows 7 machine I can ping the new server and the new server can ping me. I can also ssh to the new R77.30 server from the Windows 7 machine. However, I can NOT https://192.168.1.1 from my Windows 7 machine to the R77.30 server.

    When I do "netstat -an | grep 443" I am not seeing port 443 listening. Furthermore, when I do "show configuration web", I see this:

    napamds> show configuration web
    set web table-refresh-rate 15
    set web session-timeout 10
    set web ssl-port 443
    set web ssl3-enabled on
    set web daemon-enable on
    napamds>

    It means that the web daemon is enabled on the box, but since it is not listening, I can't go ahead with the configuration change.

    I've re-installed the box 3 times without much success.

    Any ideas?
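
Added example (not part of the original post or of any Check Point tooling): the check the post describes, comparing the `show configuration web` output with `netstat -an`, written so that only a socket in LISTEN state on exactly the configured port counts, which a plain `grep 443` does not guarantee. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/bash
# Constructed sample of "show configuration web" output (not captured from a live system).
CONFIG_SAMPLE='set web table-refresh-rate 15
set web session-timeout 10
set web ssl-port 443
set web ssl3-enabled on
set web daemon-enable on'

# Constructed "netstat -an" lines: sshd, an unrelated listener on 4434, and an
# outbound connection to remote port 443. "grep 443" matches the last two lines.
NETSTAT_SAMPLE='tcp   0   0 0.0.0.0:22        0.0.0.0:*          LISTEN
tcp   0   0 0.0.0.0:4434      0.0.0.0:*          LISTEN
tcp   0   0 192.168.1.1:51022 192.168.1.50:443   ESTABLISHED'

# Print the value of a "set web <key> <value>" line from the config text.
web_setting() {   # $1 = config text, $2 = key
    printf '%s\n' "$1" |
        awk -v k="$2" '$1=="set" && $2=="web" && $3==k {print $4; exit}'
}

# Succeed only if a TCP socket is in LISTEN state on exactly port $2.
port_listening() {   # $1 = netstat -an text, $2 = port
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")      # column 4 is the local address:port
            if (a[n] == p) found = 1   # last field after ":" also covers IPv6
        }
        END { exit !found }'
}

# Compare the configured state with the actual listener and print a verdict.
check_web_listener() {   # $1 = config text, $2 = netstat text
    port=$(web_setting "$1" ssl-port)
    enabled=$(web_setting "$1" daemon-enable)
    if [ "$enabled" != "on" ]; then
        echo "daemon-disabled"
    elif port_listening "$2" "$port"; then
        echo "ok"
    else
        echo "enabled-but-not-listening:$port"
    fi
}

check_web_listener "$CONFIG_SAMPLE" "$NETSTAT_SAMPLE"
```
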

  2. #2
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    7

    Default Re: brand new R77.30 on IBM server

    So the issue is that httpd daemon is not running, right?

    You probably checked /var/log/messages for any related errors, so I was thinking the reason could be some custom network configuration you use that's not offering the required prerequisites for the httpd daemon to run.

  3. #3
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by laf_c View Post
    So the issue is that httpd daemon is not running, right?

    You probably checked /var/log/messages for any related errors, so I was thinking the reason could be some custom network configuration you use that's not offering the required prerequisites for the httpd daemon to run.
    This is a "fresh" install and I didn't put any custom configuration on it, other than putting IP address & gateway on the box.

    Anyway, I fixed the issue by disabling the "on-board" Broadcom NIC on the IBM server and re-installing again. This time, it works. Go figure. I guess you can't really trust the Check Point HCL :-(

  4. #4
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    6

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by cciesec2006 View Post
    I recently did a fresh install of R77.30 on an IBM server (on the Check Point HCL).
    I know you got the issue resolved, but what exact model of server is this? Perhaps there's something missing from the HCL or some other internal note(s) about your model in specific...??? I could search if I knew the model...

  5. #5
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by jdmoore0883 View Post
    I know you got the issue resolved, but what exact model of server is this? Perhaps there's something missing from the HCL or some other internal note(s) about your model in specific...??? I could search if I knew the model...
    Thank you bud.... The server is an IBM x3650-M1 with dual on-board NICs (Broadcom): http://www.checkpoint.com/support-se...650/index.html

    It has two add-on quad-port NICs. The server is 5 years old and it is running R75.47 without any issues.

  6. #6
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    6

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by cciesec2006 View Post
    This is a "fresh" install
    Fresh installed how? Bootable DVD and the internal DVD drive? Bootable USB? PXE?

    Quote Originally Posted by cciesec2006 View Post
    I fixed the issue by disabling the "on-board" Broadcom NIC on the IBM server and re-installing again.
    Once again, fresh installed how? Same method as above I assume, but just to be sure.
    And how did you "disable" the NIC? Through the BIOS I assume? Was this NIC part of the bond?

    Quote Originally Posted by cciesec2006 View Post
    This time, it works. Go figure.
    I assume that you are once again using a bond? The same or different NICs from the bond that was first attempted?

    Quote Originally Posted by cciesec2006 View Post
    This server is intended to migrate my provider-1 from R75.47 over to R77.30
    I've been doing some searching, and the funny thing is that the only reported issues I am finding thus far relate to R75.4x, rather than R77. There's more to search yet, but I found this to be...funny, in an odd/strange kind of way.

  7. #7
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by jdmoore0883 View Post
    Fresh installed how? Bootable DVD and the internal DVD drive? Bootable USB? PXE?
    Bootable DVD and internal DVD drive on the IBM server.


    Quote Originally Posted by jdmoore0883 View Post
    Once again, fresh installed how? Same method as above I assume, but just to be sure.
    And how did you "disable" the NIC? Through the BIOS I assume? Was this NIC part of the bond?
    Yes, fresh install, same as above. I disabled the on-board NIC from the BIOS. No, the Broadcom NIC was not part of the bond.


    Quote Originally Posted by jdmoore0883 View Post
    I assume that you are once again using a bond? The same or different NICs from the bond that was first attempted?

    Yes, I use a bond, but with the Intel add-on NIC this time around.



    Quote Originally Posted by jdmoore0883 View Post
    I've been doing some searching, and the funny thing is that the only reported issues I am finding thus far relate to R75.4x, rather than R77. There's more to search yet, but I found this to be...funny, in an odd/strange kind of way.
    Funny you mentioned that, because on the same server I can bond between the Broadcom and Intel NICs without any issues. Haven't tried this on R77.30 yet, but it is not practical in this scenario :-(

  8. #8
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,658
    Rep Power
    10

    Default Re: brand new R77.30 on IBM server

    This sounds a lot like the issue where if Check Point can't resolve its hostname via /etc/hosts it will not start Check Point services.

  9. #9
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by jflemingeds View Post
    This sounds a lot like the issue where if Check Point can't resolve its hostname via /etc/hosts it will not start Check Point services.
    Thank you for checking. Yes, that was the first thing I checked and the host name is correct in the /etc/hosts file. Furthermore, when you initially install via DVD, it doesn't even ask you for the host name, right?

  10. #10
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by cciesec2006 View Post
    This is a "fresh" install and I didn't put any custom configuration on it, other than putting IP address & gateway on the box.

    Anyway, I fixed the issue by disabling the "on-board" Broadcom NIC on the IBM server and re-installing again. This time, it works. Go figure. I guess you can't really trust the Check Point HCL :-(
    The on-board Broadcom NICs have always been problematic (especially for gateways).
    I thought the HCL made note of that.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  11. #11
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    6

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by cciesec2006 View Post
    when you initially install via DVD, it doesn't even ask you for the host name, right?
    While this is indeed correct, there is a "default" hostname of sorts, typically in the form of "gw-123456" where the numbers are (seemingly) randomly generated... I am sure there is some kind of algorithm or something that determines the exact numbers, but suffice to say the pattern isn't obvious.

    So far I am still not able to find anything internal specific to this kind of issue with this device.

    I know from your posts that this device will be used shortly, but if possible, does the NIC (the disabled one) work if it is enabled and you boot to some kind of live Linux CD/DVD/USB?

  12. #12
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    6

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by PhoneBoy View Post
    The on-board Broadcom NICs have always been problematic (especially for gateways).
    I thought the HCL made note of that.
    No, the HCL does not seem to explicitly mention this (it would make life so much easier... Perhaps a little TOO easy?).

    Furthermore, the link specific to the server in question here:
    http://www.checkpoint.com/support-se...650/index.html seems to indicate that the "Integrated dual Gigabit Ethernet" is indeed supported. Again, nothing mentioning that Broadcom NICs are problematic...

    Going to the NIC tab of the HCL, there is only 1 mention of Broadcom anywhere, and it is for IBM, "Broadcom 10Gb 4-Port Ethernet Expansion Card (CFFh) for IBM BladeCenter" which is fully supported as well.

  13. #13
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by jdmoore0883 View Post
    I know from your posts that this device will be used shortly, but if possible, does the NIC (the disabled one) work if it is enabled and you boot to some kind of live Linux CD/DVD/USB?
    The Broadcom NIC (the disabled one), when enabled, works fine with both R71.30 and R75.47.

  14. #14
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    6

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by cciesec2006 View Post
    The Broadcom NIC (the disabled one), when enabled, works fine with both R71.30 and R75.47.
    Oh yeah... You mentioned this already eh...? Touche.

    It is odd, I agree... It could entirely be as PhoneBoy suggests:
    Quote Originally Posted by PhoneBoy View Post
    The on-board Broadcom NICs have always been problematic (especially for gateways).
    I thought the HCL made note of that.
    Though if true, it does not appear to be documented anywhere, and maybe the HCL (or some other document) needs to be updated/created to reflect this. For myself, I cannot seem to find anything quite the same as this. And since the issue was "resolved" (or avoided) by disabling the NIC, I would suggest sticking with that. Though if you want to seek a "true" solution, you'll need to work with/through your CP Engineer... Though I am sure you know all about THAT.

  15. #15
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    17

    Default Re: brand new R77.30 on IBM server

    Quote Originally Posted by jdmoore0883 View Post
    Though if true, it does not appear to be documented anywhere, and maybe the HCL (or some other document) needs to be updated/created to reflect this. For myself, I cannot seem to find anything quite the same as this. And since the issue was "resolved" (or avoided) by disabling the NIC, I would suggest sticking with that. Though if you want to seek a "true" solution, you'll need to work with/through your CP Engineer... Though I am sure you know all about THAT.
    If you know your Check Point SE, tell them; it used to be noted on the HCL not to use the Broadcom NICs, but this sounds like a different issue. If you don't know them, open an SR with all the info and talk to the duty manager so it can be propagated to the HCL team. I am assuming you don't want to debug the issue and the workaround is fine.
