CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: ipso 6.2 R70 and 77.10 on Ip560

  1. #1
    Join Date
    2018-03-14
    Posts
    6
    Rep Power
    0

    Default ipso 6.2 R70 and 77.10 on Ip560

    hello,
    I don't know why I tried to install Gaia on a working IP560 with IPSO 6.2 MR4a and R77.10 licensed properly.
    After a couple of problems with a script to return to IPSO (I have no software subscription, so no access to the rollback .sh), I rebuilt the CF with IPSO 6.2.
    I tried to install R77.10 with the license I downloaded from user.center with the correct management IP and tried to access the IP560 with SmartConsole (installed secure gateway and mgmt standalone on the same IP560), but now I receive the error: connection cannot be initiated. make sure the server ip is up and running and that your ip is configured as gui client.
    Using cpconfig I see everything is OK: admin is defined with a password, GUI client IPs are defined (tried even with any), and management is up and running, so if I try to start it with cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"
    I see in reply:
    Process FWM is alive, process won't be started again
    I tested even with some other versions such as 70 or 77 or 76, but the error is the same, so I suppose I'm doing something wrong.

    Having no contract (expired) with Check Point, I can only see sk12120, and all the suggestions are correct.
    Could you please give me some ideas on what I can do to solve this problem or investigate it?
    Thanks for the support
    Raoul


    update:
    fwm.elg
    a lot of:
    CreateInternalCAObj_cb: error. rc=-1, err=-96, Connection error
    ERROR: Couldn't create the Internal CA object. Check that the Internal CA process is running.
    FireWall-1 Security Management Server going to die on sig 6
    FireWall-1 Security Management Server going to die on sig 6
    FireWall-1 Security Management Server going to die on sig 6
    FireWall-1 Security Management Server going to die on sig 6
    FireWall-1 Security Management Server going to die on sig 6
    FireWall-1 Security Management Server going to die on sig 6
    FireWall-1 Security Management Server going to die on sig 6
    FireWall-1 Security Management Server going to die on sig 6
    Last edited by raulico1; 2018-03-14 at 12:27.

  2. #2
    Join Date
    2018-03-14
    Posts
    6
    Rep Power
    0

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    update
    using cpconfig:
    Initializing the Internal CA...(may take several minutes)
    Could not create Certificate Authority. General problem in Certificate Authority
    Failed to initiate Certificate Authority

    NOTE: The creation of the certificate failed


    and in fwm.elg I see process signaling problems

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,637
    Rep Power
    9

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    Quote Originally Posted by raulico1 View Post
    hello,
    I don't know why I tried to install Gaia on a working IP560 with IPSO 6.2 MR4a and R77.10 licensed properly.
    After a couple of problems with a script to return to IPSO (I have no software subscription, so no access to the rollback .sh), I rebuilt the CF with IPSO 6.2.
    I tried to install R77.10 with the license I downloaded from user.center with the correct management IP and tried to access the IP560 with SmartConsole (installed secure gateway and mgmt standalone on the same IP560), but now I receive the error: connection cannot be initiated. make sure the server ip is up and running and that your ip is configured as gui client.
    Using cpconfig I see everything is OK: admin is defined with a password, GUI client IPs are defined (tried even with any), and management is up and running, so if I try to start it with cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"
    I see in reply:
    Process FWM is alive, process won't be started again
    I tested even with some other versions such as 70 or 77 or 76, but the error is the same, so I suppose I'm doing something wrong.

    Having no contract (expired) with Check Point, I can only see sk12120, and all the suggestions are correct.
    Could you please give me some ideas on what I can do to solve this problem or investigate it?
    Thanks for the support
    Raoul

    It's not clear what part you're saying is failing. Are you trying to run a firewall + mgmt on a flash based firewall? If so, that isn't supported.

    If that isn't what you're getting at, can you explain? I'm not sure if you're saying you can't log in to SmartDashboard or if you're saying you can but you can't set up SIC to the IPSO gateway.

  4. #4
    Join Date
    2018-03-14
    Posts
    6
    Rep Power
    0

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    Sorry if I'm not clear,
    I tried to reinstall many versions of Check Point standalone (R70 or R75 or R76 or R77 or R77.10) on IPSO 6.2, and doing cpconfig option 8, I see this:
    The Internal CA will now be initialized
    with the following name: nokiaip
    Is it OK (y/n) [y] ? y
    Initializing the Internal CA...(may take several minutes)
    Could not create Certificate Authority. General problem in Certificate Authority
    Failed to initiate Certificate Authority
    NOTE: The creation of the certificate failed

    So I can't log in to the management with SmartConsole.

    The reinstallation is due to a previous test of Gaia on the IP560, which ended badly.
    So, because I have no access to support and I can't download the rollback script from Gaia to IPSO, even though I have the tgz backup of the previous working environment
    (Check_Point_R77_Install_IPSOBootmanager.sh), I rebuilt a compact flash with the IPSO boot manager, installed IPSO 6.2, and tried to install a fresh copy of R77.10.
    Doing cpconfig I saw this error about the CA, and so no access with SmartConsole.
    Sorry for my English

    Are you trying to run a firewall + mgmt on a flash based firewall?
    No, IPSO 6.2 disk based and Check_Point_R77.10_T131_Install_and_Upgrade.IPSO6.2_DiskBased
    No Gaia and will never try again :-)
    Last edited by raulico1; 2018-03-14 at 12:54.

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,637
    Rep Power
    9

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    OK, first, yes, no Gaia on IPSO appliance. 100% agree.

    Is this a flash based IP560? Can you send the output of

    df -k

    If this only has CF and no hard drive then you cannot install management on the IP560. It will not have the disk space and speed requirements. df output should help identify if it's flash based or not.

    If it is flash based then you will need a standalone management server to use that would connect to the IP560 for policy updates and stuff.

    BTW your English is just fine. Just wasn't sure what you were doing. Seems clear now.

    My Spanish is terrible. I can do the normal stuff, order a beer, ask for the bathroom... or try to get fancy and put the two together... which somehow came out as meet me in the bathroom with 2 beers.

  6. #6
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,488
    Rep Power
    16

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    This sounds like the issue described here: https://supportcenter.checkpoint.com...ionid=sk122612

    By default, when the Internal CA is created, the expiration is set to be 20 years beyond the current date.
    Anything after 24th January 2018 (I think), when you add 20 years to it, is past the end of the Unix epoch.
    This causes the creation of the Internal CA to fail.

    Prior to the creation of the Internal CA, set the system date back to something before the above date.
    This should allow the creation of the Internal CA to succeed and should resolve the issue.

    Meanwhile, I recommend you trade in those IP560s for some newer equipment.
    Even if you could download all the stuff to run Gaia on the IP560, you'd be fairly constrained by the limited RAM and CPU.
    Last edited by PhoneBoy; 2018-03-15 at 01:21.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  7. #7
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,637
    Rep Power
    9

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    Oooh right. I forgot about that. Could very well be.

  8. #8
    Join Date
    2018-03-14
    Posts
    6
    Rep Power
    0

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    Amazing!!!!
    I love Nokia stuff. I had a couple of IP440s for internal use, with 4 years of uptime. I have at home this IP560 and a 260 just for playing; the 560 is still alive, while the 260 is under investigation after some strange behaviour and won't boot anymore... I'm looking for a mainboard LED legend just to fix it.
    After the trick with the date and time, it now lives in 2015 :-), the CA was created correctly, and so I'm playing with 77.10, but I see errors during policy installation and it won't install the policy:
    HTTPS Inspection Trusted CAs
    Status Failed
    Version 2.0
    Severity Medium
    Impact Trusted CAs update failed


    I suppose I need the hotfix suggested by Dameon, but without support it should be hard...
    Well, today I have a smile on my face thanks to you guys, and I have to find the hotfix :-)
    Have a nice day, both of you. I have followed this forum and Dameon for years (damn, I'm old :-) ); I had a previous profile (raulico) associated with an email address I no longer have, so I created this new one.
    Thanks again!!!!!!!!!!!!!!!!!!!!
    Greetings from Sicily!!!
    Raoul

  9. #9
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    270
    Rep Power
    12

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    Quote Originally Posted by PhoneBoy View Post
    This sounds like the issue described here: https://supportcenter.checkpoint.com...ionid=sk122612

    By default, when the Internal CA is created, the expiration is set to be 20 years beyond the current date.
    Anything after 24th January 2018 (I think), when you add 20 years to it, is past the end of the Unix epoch.
    This causes the creation of the Internal CA to fail.

    Prior to the creation of the Internal CA, set the system date back to something before the above date.
    This should allow the creation of the Internal CA to succeed and should resolve the issue.

    Meanwhile, I recommend you trade in those IP560s for some newer equipment.
    Even if you could download all the stuff to run Gaia on the IP560, you'd be fairly constrained by the limited RAM and CPU.
    Ding ding ding! A coworker ran into the exact errors mentioned earlier while trying to build an R77-family lab. Definitely a CA thing.

    I find it weird that the CA creation process outright fails if the end date would wrap around, but the renewal process does not. As of R75, you could get into a weird situation where your CA's expiration date is something like 1922, but the start date is in 2037. The CA wakes up, sees it's after the expiration date, so it revokes and reissues itself and all of its issued certificates, adding the old ones to the CRL. It doesn't make sense to reissue a certificate with an earlier start date, so it issues them with the same dates. It then goes back to sleep, wakes up one second later, and does the whole process over again.
    Zimmie
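
Added example, not part of any post in this thread and not Check Point code: a sketch of the arithmetic behind the two posts above (the 24 January 2018 cutoff, and the wrapped expiry date a renewal could end up with). It assumes a signed 32-bit time_t and that "20 years" is counted as 20 x 365 days; both are assumptions, and all names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1          # last second a signed 32-bit time_t can hold
VALIDITY_DAYS = 20 * 365       # assumption: "20 years" counted as 7300 days


def to_int32(n: int) -> int:
    """Wrap n the way a signed 32-bit counter does on overflow."""
    return (n + 2**31) % 2**32 - 2**31


def ca_not_after(now: datetime, validity_days: int = VALIDITY_DAYS):
    """Return (fits, expiry) for a CA created at `now`.

    fits   -- True if now + validity is representable in a 32-bit time_t
    expiry -- the date a 32-bit time_t would actually store (wrapped if not)
    """
    secs = int((now - EPOCH).total_seconds()) + validity_days * 86400
    return secs <= INT32_MAX, EPOCH + timedelta(seconds=to_int32(secs))


def latest_safe_creation(validity_days: int = VALIDITY_DAYS) -> datetime:
    """Last instant at which now + validity still fits in 32 bits."""
    return EPOCH + timedelta(seconds=INT32_MAX - validity_days * 86400)


if __name__ == "__main__":
    utc = timezone.utc
    print("latest safe creation:", latest_safe_creation())
    # Constructed sample clocks: backdated, the date of this thread, and 2037.
    for now in (datetime(2015, 6, 1, tzinfo=utc),
                datetime(2018, 3, 14, tzinfo=utc),
                datetime(2037, 6, 1, tzinfo=utc)):
        fits, expiry = ca_not_after(now)
        print(now.date(), "fits" if fits else "overflows", "->", expiry)
```

With a calendar-exact 20 years the cutoff would fall on 19 January 2018 instead; the 7300-day assumption is what reproduces the 24 January date quoted in the thread.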

  10. #10
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,488
    Rep Power
    16

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    Quote Originally Posted by raulico1 View Post
    I suppose I need the hotfix suggested by Dameon, but without support it should be hard...

    To be clear, you don't really need a hotfix if you do what I suggested (backdate the system when the internal CA is created).
    Afterwards, you can change the system to a current date and all should be well.

    As for the other issue you're seeing, I'm guessing that's related to the migration to SHA256 we did on the backend.
    See: https://supportcenter.checkpoint.com...ionid=sk103839
    Not sure if these fixes require entitlement or not.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  11. #11
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,488
    Rep Power
    16

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    Quote Originally Posted by raulico1 View Post
    Have a nice day, both of you. I have followed this forum and Dameon for years (damn, I'm old :-) ); I had a previous profile (raulico) associated with an email address I no longer have, so I created this new one.
    That means we're both old :)
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  12. #12
    Join Date
    2018-03-14
    Posts
    6
    Rep Power
    0

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    Quote Originally Posted by PhoneBoy View Post
    To be clear, you don't really need a hotfix if you do what I suggested (backdate the system when the internal CA is created).
    Afterwards, you can change the system to a current date and all should be well.

    As for the other issue you're seeing, I'm guessing that's related to the migration to SHA256 we did on the backend.
    See: https://supportcenter.checkpoint.com...ionid=sk103839
    Not sure if these fixes require entitlement or not.

    We are not old... inside :-)
    I did the date trick you suggested, and now I'm able to log in to SmartConsole (option 8 in cpconfig and CA creation went properly) after I changed the date to current, but I cannot install policy, and I see an error during policy installation:


    Installation Targets: nokia
    Version: R77.10
    Policy Type: Network Security
    Details: Installation failed. Reason: Load on Module failed - failed to load Security Policy.

    The license is OK, so I supposed it was due to the CA date...
    In Tracker I see:
    Description HTTPS Inspection Trusted CAs
    Status Failed
    Version 2.0
    Severity Medium
    Impact Trusted CAs update failed
    but I can bypass HTTPS inspection of traffic... as in the Check Point fix
    I see no more details about the error in SmartConsole, so I'm checking your link to see if it can help me, but if you have any other precious suggestions, don't hesitate to tell me :-)

  13. #13
    Join Date
    2018-03-14
    Posts
    6
    Rep Power
    0

    Default Re: ipso 6.2 R70 and 77.10 on Ip560

    Update,

    EVERYTHING fixed, I added a license for HA even if the correct one was installed... the coexistence created problems...
    Thanks Guys!!!!
    Have a nice weekend
    Raoul
