Ошибка Check Point 1490 Appliance

Georgii

Hello!

A problem appeared today: mail stopped flowing and the VPN dropped, with the error alternating between (The site used an Unverified CA certificate) and (SSL error - Failed to connect).
Internal Exchange mail also stopped working straight away.
When switching to the "Security Logs" tab it shows an error: "I can not log in either, I write an error."

Also in "System logs" this error appeared: "Error [System error] CODE_SYS_ERROR (8712.2722.0) - /pfrm2.0/share/lua/5.1/json.lua 0: Unexpected character at Line 2 character 2: F (70) when reading object ({or [or 'or "or number or boolean or null expected) Context: Failed to establish session wit ^ (Log reference: 1638791071)"

The license expired in November; everything worked until today.

Please help. What should I do, where should I dig?
 
Have you tried rebooting the device? The OS version would help.
 
Has the certificate expired?
In the Installed Certificates tab there are two: Default Web Portal Certificate until Sun Jan 14 16:40:52 2029 and Default VPN and Cluster certificate until Fri Dec 5 14:10:17 2025

Internal CA Certificate

The internal CA certificate is the certificate which authenticates the internal CA to sign the internal certificates
Certificate:
O=00:2A:7F:73:2A:46..mqe49y
Not valid before:
Sunday, December 5th, 2021 02:10:05 PM
Not valid after:
Friday, January 1st, 2038 06:14:07 AM
Fingerprint:
AYE PAY ALUM HALL GLUM CRIB KERR ORB FONT AURA MANY TROY

Internal VPN Certificate

The internal VPN certificate is the certificate used by this appliance to authenticate itself in certificate-based VPN configurations
Certificate:
CN=00:2A7F:73:2A:46 VPN Certificate,O=00:2A:7F:73:2A:46..mqe49y
Not valid before:
Sunday, December 5th, 2021 02:10:17 PM
Not valid after:
Friday, December 5th, 2025 02:10:17 PM
Fingerprint:
WOOL LAIR SIGN IRA LOAM SOW LAM NEWT USER WICK OUT KERN
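The check a practitioner would want to run on the listing above is a validity check against a reference date: is anything expired, about to expire, or, just as relevant to an "Unverified CA certificate" error, freshly re-issued. The following is an added example, not appliance code or anything from the thread. It parses the two date formats the thread shows (the long UI form with ordinal suffixes and the short "Fri Dec 5 14:10:17 2025" form from the Installed Certificates table), and its thresholds (30 days for "expiring", 7 days for "recently-issued") and function names are this example's own. Note that for the listing above both "Not valid before" dates are December 5th, 2021, the day before the first post, which the recently-issued flag picks up.

```python
"""Parse the certificate listing a Check Point 1400-series appliance shows under
Installed Certificates and flag expired, soon-to-expire and freshly issued
certificates. Added example, not appliance code: the listing text is copied
from the thread, the two date formats are the ones the thread shows, and the
thresholds are this example's own assumptions."""
import re
from datetime import datetime

# Constructed input: the two certificates exactly as pasted in the thread.
SAMPLE_LISTING = """\
Internal CA Certificate
Certificate:
O=00:2A:7F:73:2A:46..mqe49y
Not valid before:
Sunday, December 5th, 2021 02:10:05 PM
Not valid after:
Friday, January 1st, 2038 06:14:07 AM
Fingerprint:
AYE PAY ALUM HALL GLUM CRIB KERR ORB FONT AURA MANY TROY
Internal VPN Certificate
Certificate:
CN=00:2A7F:73:2A:46 VPN Certificate,O=00:2A:7F:73:2A:46..mqe49y
Not valid before:
Sunday, December 5th, 2021 02:10:17 PM
Not valid after:
Friday, December 5th, 2025 02:10:17 PM
Fingerprint:
WOOL LAIR SIGN IRA LOAM SOW LAM NEWT USER WICK OUT KERN
"""

_ORDINAL = re.compile(r"(\d+)(?:st|nd|rd|th)\b")


def parse_ui_date(text):
    """'Sunday, December 5th, 2021 02:10:05 PM' -> datetime (ordinal suffix stripped)."""
    cleaned = _ORDINAL.sub(r"\1", text.strip())
    return datetime.strptime(cleaned, "%A, %B %d, %Y %I:%M:%S %p")


def parse_short_date(text):
    """'Fri Dec 5 14:10:17 2025', the form shown in the Installed Certificates table."""
    return datetime.strptime(text.strip(), "%a %b %d %H:%M:%S %Y")


def parse_listing(text):
    """One dict per certificate heading; each 'Label:' line's value is the next line."""
    fields = {"Certificate:": "subject", "Fingerprint:": "fingerprint"}
    dates = {"Not valid before:": "not_before", "Not valid after:": "not_after"}
    certs, current = [], None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for prev, line in zip([None] + lines, lines):
        if prev in fields:
            current[fields[prev]] = line
        elif prev in dates:
            current[dates[prev]] = parse_ui_date(line)
        elif line.endswith("Certificate") and "=" not in line:
            current = {"name": line}          # a heading such as "Internal CA Certificate"
            certs.append(current)
    return certs


def assess(certs, now_iso, expiry_warn_days=30, recent_days=7):
    """Status per certificate at a reference time given as an ISO string.
    'recently-issued' is flagged because an internal CA that was just
    re-generated is worth checking against what VPN peers and clients trust."""
    now = datetime.fromisoformat(now_iso)
    result = {}
    for c in certs:
        left = (c["not_after"] - now).days
        age = (now - c["not_before"]).days
        if left < 0:
            status = "expired"
        elif left <= expiry_warn_days:
            status = "expiring"
        elif 0 <= age <= recent_days:
            status = "recently-issued"
        else:
            status = "ok"
        result[c["name"]] = status
    return result


if __name__ == "__main__":
    # Reference date: the day of the first post in the thread.
    for name, status in assess(parse_listing(SAMPLE_LISTING), "2021-12-06").items():
        print("%-26s %s" % (name, status))
```

Run against the listing with the thread's date, both certificates come back as recently-issued; run with a date after December 5th, 2025, the Internal VPN Certificate comes back as expired while the CA (valid to 2038) is ok. The parser keys on the "Label:" line preceding each value, so it survives the blank lines the web UI inserts between headings.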
 
Is it locally managed, or is there also a management server?
 
Try installing updates on it. You can get into the admin UI, right?
 
> Try installing updates on it. You can get into the admin UI, right?
Yes, I can get in, but as far as I know the latest updates are already installed.
Another question: if there is no license, should the VPN still work? Via Check Point VPN clients
 
Their licensing scheme is very complicated. Contracts, licenses, subscriptions...
If I remember correctly, you need an SSL certificate for encryption and a license for Mobile Access. Or do you have a site-to-site VPN?
 
> Their licensing scheme is very complicated. Contracts, licenses, subscriptions...
> If I remember correctly, you need an SSL certificate for encryption and a license for Mobile Access. Or do you have a site-to-site VPN?
Well, the appliance has a VPN Remote Access Control section, and there you pick [screenshot: Снимок экрана 2021-12-06 171922.png]
 
Hm. Mine looks somewhat different. And is "Check Point VPN clients" a VPN client? I mean, is it not Endpoint Security VPN?
What happens if you enable SSL VPN?
[screenshot: 4600.png]
 
> Hm. Mine looks somewhat different. And is "Check Point VPN clients" a VPN client? I mean, is it not Endpoint Security VPN?
> What happens if you enable SSL VPN?
Check Point VPN clients is the setting for Endpoint Security VPN
I connect via Endpoint Security VPN and it shows me an error
 
[attachment: Снимок экрана 2021-12-06 173342.png]
Does anyone know what this error could mean?

[System error] CODE_SYS_ERROR (8712.2722.0) - /pfrm2.0/share/lua/5.1/json.lua 0: Unexpected character at Line 2 character 2: F (70) when reading object ({or [or 'or "or number or boolean or null expected) Context: Failed to establish session wit ^ (Log reference: 1638791071)
 
Perhaps something from this is worth checking

Checkpoint Health Checks


----------------------------------------------
Checkpoint Special Config Files
----------------------------------------------
1. fwkern.conf - $FWDIR/boot/modules/fwkern.conf Magic Mac
2. local.arp - $FWDIR/conf/local.arp GAiA manual ARP
3. sdconf.rec - /var/ace RAS authentication
4. rc.local - /etc/rc.d/rc.local
5. netconf.C (/etc/sysconfig) Network interfaces/Routes
6. external.if (/etc/sysconfig)
7. ifcfg-eth1 (/etc/sysconfig/network-scripts/)
----------------------------------------------
checkpoint scripts:
----------------------------------------------
1. checkup.sh
2. cpsizeme
3. nohup mpstat -P ALL 1 86400 > mpstat.out &
----------------------------------------------
Checkpoint Health Checks -Commands
----------------------------------------------
uptime
ver
fw ver
cpinfo -y all
cplic print
expert
df -h
reboot
shutdown
fwunload local

----------------------------------------------
Firewall Performance
----------------------------------------------
top
ps auxwww
fw tab -t connections -s
fw ctl pstat
fwaccel stats
tcpdump -i eth0 src 100.25.240.57 and dst 216.230.64.82


----------------------------------------------
Verification:
----------------------------------------------
cat /etc/sysconfig/ntp
vmstat 1 10
cat /proc/meminfo
cpstat os -f cpu
cpstat os -f memory

Interface Configurations
------------------------
netstat -i
ifconfig -a
netstat -rn
ethtool -i eth0
ethtool -S eth1-01
ethtool -S eth1-02


cpview
fw tab -t userc_key -s
fw tab -t userc_users -s
fw tab -t om_assigned_ips -s (verify # of Seed license)

Cluster XL (High Availability)
------------------------------
cpstop
cpstart
cphastop
cphastart
clusterXL_admin up/down
cphaprob -a if
cphaprob list
cphaprob stat
cpstat ha -f all
cphaprob syncstat
cphaprob list

cpconfig
 
--------------------------------------------------------------------------------
Performance -cpconfig utility enable/disable Checkpoint SecureXL
--------------------------------------------------------------------------------
fwaccel stats (Usage: fwaccel on | off | ver | stat | conns | dbg <...> | help)
fwaccel conns
fwaccel conns -s
fw ctl multik stat
fw ctl affinity -l -a -v
gaia> fwaccel conns -s (checks SecureXL Connections)
gaia> fw ctl get int fwx_max_conns (checks the maximum number of connections; 0 means it is set to auto/unlimited)

[Expert@myfwe-int02:0]# fw ctl multik stat (connection to Core Distribution)
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 11 | 178 | 303
1 | Yes | 10 | 203 | 380
2 | Yes | 9 | 168 | 262
3 | Yes | 8 | 179 | 188
4 | Yes | 7 | 149 | 278
5 | Yes | 6 | 113 | 194
6 | Yes | 5 | 128 | 221
7 | Yes | 4 | 282 | 387
8 | Yes | 3 | 186 | 292
9 | Yes | 2 | 296 | 439
[Expert@myfwe-int02:0]#


[Expert@myfwe-int02:0]# fw ctl affinity -l -a -v (check CPU core to NIC mapping - can be changed in $FWDIR/conf/fwaffinity.conf)
Interface eth1-05 (irq 218): CPU 1
Interface Sync (irq 124): CPU 1
Interface eth1-01 (irq 107): CPU 1
Interface eth1-02 (irq 123): CPU 0
Interface eth3-01 (irq 171): CPU 0
Kernel fw_0: CPU 11
Kernel fw_1: CPU 10
Kernel fw_2: CPU 9
Kernel fw_3: CPU 8
Kernel fw_4: CPU 7
Kernel fw_5: CPU 6
Kernel fw_6: CPU 5
Kernel fw_7: CPU 4
Kernel fw_8: CPU 3
Kernel fw_9: CPU 2
Daemon in.geod: CPU all
Daemon vpnd: CPU all
Daemon in.acapd: CPU all
Daemon in.asessiond: CPU all
Daemon in.msd: CPU all
Daemon rad: CPU all
Daemon rtmd: CPU all
Daemon fwd: CPU all
Daemon mpdaemon: CPU all
Daemon usrchkd: CPU all
Daemon cpd: CPU all
Daemon cprid: CPU all
[Expert@hinfwe-int02:0]#

[Expert@myfwe-int02:0]# fwaccel stat
Accelerator Status : on
Accept Templates : disabled by Firewall
disabled from rule #35
Drop Templates : disabled
NAT Templates : disabled by user

Accelerator Features : Accounting, NAT, Cryptography, Routing,
HasClock, Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
WireMode, DropTemplates, NatTemplates,
Streaming, MultiFW, AntiSpoofing, ViolationStats,
Nac, AsychronicNotif, ERDOS, McastRoutingV2
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256
[Expert@hinfwe-int02:0]#



[Expert@myfwe-int02:0]# fwaccel conns |grep 216.231.83.228 | more
Source SPort Destination DPort PR Flags C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- -- ----------- ------- ------- ---- --------
216.231.83.228 53 74.94.152.161 1580 17 F..A...S... 7/8 8/7 7 0
66.189.0.104 21318 216.231.83.228 53 17 ...A...S... 7/8 8/7 7 0
216.231.83.228 53 50.204.98.98 39412 17 F..A...S... 7/8 8/7 9 0
216.231.83.228 53 68.87.71.237 22618 17 F..A...S... 7/8 8/7 2 0
71.243.0.148 21446 216.231.83.228 53 17 ...A...S... 7/8 8/7 5 0
74.125.19.215 36506 216.231.83.228 53 17 F..A...S... 7/8 8/7 4 0
216.231.83.228 53 216.19.226.66 18445 17 ...A...S... 7/8 8/7 8 0
216.231.83.228 53 65.55.238.47 62154 17 F..A...S... 7/8 8/7 5 0
216.231.65.79 467 216.231.83.228 0 1 F.......... 10/8 8/10 4 0

Usage: fwaccel on | off | ver | stat | cfg <...> | conns | dbg <...> | help
Options:
on-turns acceleration on
off-turns acceleration off
ver-show acceleration/FW version
stat-show acceleration status
cfg-configure acceleration parameters
stats-print the acceleration statistics
conns-print the accelerator's connection table
templates-print the accelerator's templates table
dbg-set debug flags
help-this help messages
diag-policy diagnostics


----------------------------------------------
Troubleshooting
----------------------------------------------
fw monitor | grep 10.210.7.250
fw ctl zdebug + drop > text.drops
fw ctl zdebug + drop | grep 204.105.57.69
tcpdump -ni eth8 src 172.30.25.132
tcpdump -i eth1 port 1089 and dst 216.118.184.254
netstat -rn |grep 204.105

RE: Traffic failing between internet Clusters
Run a packet capture and a kernel debug on the firewall so I can get a packet-level look at what is happening to the traffic.
From expert mode on the Active Firewall:
1. # fwaccel off (Turn off SecureXL, if enabled)
2. # df -h (Check your disk space to make sure you have sufficient space to run a capture and debug)
3. # fw monitor -o /var/log/fwmon.cap (In one session: Run the capture.)
4. # fw ctl zdebug drop > /var/log/drop.txt (In another session: Run the kernel debug for drops.)
5. # tcpdump -nnei any -w /var/log/tcp.cap (In a third session: Run a tcpdump capture.)
6. Re-create the problem.
7. Control-C (End the fw monitor, tcpdump and the kernel debug.)
8. # fwaccel on (Turn on SecureXL, if you disabled it)


----------------------------------------------
log files
----------------------------------------------
$FWDIR/log/vpnd.elg
/var/log/messages
dmesg
/var/log/routed.log


----------------------------------------------
How to Set Specific
----------------------------------------------
clusterXL_admin down/up
ethtool -s eth1 autoneg on


--------------------------------------
/etc/resolv.conf # What's the name resolution config -- sometimes performance is adversely influenced by bad DNS settings
/etc/ntpd.conf # Time config
/etc/ntp.conf
/etc/modprobe.conf # Any NIC or kernel tweaks?
/etc/sysctl.conf # Any kernel tweaks?
/etc/ssh/sshd_config # Any hacks to sshd?
/etc/issue # console banner file
/etc/issue.net # network banner file
/etc/motd # message of the day file
/etc/grub.conf # Grub config -- important to see vmalloc
/etc/gated.ami # gated config file
/etc/gated_xl.ami # gated config file
/etc/rc.d/rc.local # local RC files -- any changes here (such as kernel tweaks)?
$FWDIR/boot/boot.conf # Firewall boot params
$FWDIR/boot/modules/fwkern.conf # Any firewall kernel tweaks?
$PPKDIR/boot/modules/simkern.conf # Any SIM tweaks?
$FWDIR/conf/discntd.if # ClusterXL Disconnected Interfaces
$FWDIR/conf/local.arp # SPLAT / GAiA manual ARP
$FWDIR/conf/vsaffinity_exception.conf # Relevant to R75.40VS and later Virtual systems only
$MDSDIR/conf/external.if # Relevant to P1 / MDSM only


----------------------------------------------------------------------------------------------
ARPING
-----------------------------------------------------------------------------------------------
[laninet-fwa]# fw ctl arp
securemail.bcbsma.com (216.118.190.126) at 00-1c-7f-3f-6c-fd
lannat-foundation.bcbsma.com (216.118.190.60) at 00-1c-7f-3f-6c-fd
lannat-twd.bcbsma.com (216.118.190.50) at 00-1c-7f-3f-6c-fd
(216.118.190.17) at 00-1c-7f-3f-6c-fd
(216.118.190.27) at 00-1c-7f-3f-6c-fd
(216.118.190.123) at 00-1c-7f-3f-6c-fd
(216.118.190.100) at 00-1c-7f-3f-6c-fd


[Expert@laninet-fwa]# arping -I eth3-04 216.118.190.88 (check for Arping on specific interface for an IP)
ARPING 216.118.190.88 from 216.118.190.7 eth3-04
Sent 7 probes (7 broadcast(s))
Received 0 response(s)
[Expert@laninet-fwa]# arping -I eth3-04 216.118.190.87
ARPING 216.118.190.87 from 216.118.190.7 eth3-04
Sent 9 probes (9 broadcast(s))
Received 0 response(s)

[Expert@laninet-fwa]# arping -I eth3-04 216.118.190.89
ARPING 216.118.190.89 from 216.118.190.7 eth3-04
Sent 14 probes (14 broadcast(s))
Received 0 response(s)
[Expert@laninet-fwa]#


LANSWT-INT02#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 216.118.190.1 0 44d3.caaa.fd01 ARPA Vlan190
Internet 216.118.190.2 0 44d3.caaa.e801 ARPA Vlan190
Internet 216.118.190.7 0 001c.7f3f.6cfd ARPA Vlan190
Internet 216.118.190.8 4 001c.7f3f.753b ARPA Vlan190

-------------------------------------------------------------------------------------------
ClusterXL Troubleshooting
-------------------------------------------------------------------------------------------
Cluster XL (High Availability)
cpstop
cpstart
cphastop
cphastart
clusterXL_admin up/down
cphaprob -a if
cphaprob list
cphaprob stat
cpwd_admin list

[Expert@hindev-fwa]# cphaprob stat

Cluster Mode: New High Availability (Active Up)

Number Unique Address Assigned Load State

1 (local) 192.168.42.1 100% Active
2 192.168.42.2 0% Standby

[Expert@hindev-fwa]#


[Expert@hindev-fwa]# cphaprob -a if

Required interfaces: 6
Required secured interfaces: 1

eth0 UP non sync(non secured), multicast
eth1 UP non sync(non secured), multicast
eth2 UP non sync(non secured), multicast
eth3 UP non sync(non secured), multicast
eth4 UP non sync(non secured), multicast
eth5 UP sync(secured), multicast

Virtual cluster interfaces: 5

eth0 172.30.25.54
eth1 10.25.240.4
eth2 10.25.242.4
eth3 10.25.244.4
eth4 10.25.246.4

[Expert@hindev-fwa]#


[Expert@hindev-fwa]# cphaprob list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 388872 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 388866 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.9 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.9 sec

[Expert@hindev-fwa]#


[Expert@hindev-fwa]# cpwd_admin list
cpwd_admin:
APP PID STAT #START START_TIME COMMAND MON
CPD 3449 E 1 [20:24:21] 7/6/2013 cpd Y
CI_CLEANUP 3534 E 1 [20:24:35] 7/6/2013 avi_del_tmp_files N
CIHS 3546 E 1 [20:24:35] 7/6/2013 ci_http_server -j -f /opt/CPsuite-R71/fw1/conf/cihs.conf N
FWD 3548 E 1 [20:24:36] 7/6/2013 fwd N
RTMD 4051 E 1 [20:24:59] 7/6/2013 rtmd N
[Expert@hindev-fwa]#

cphaprob list reported issues with fib in problem state. Next ran cpwd_admin list and noticed that FIBMGR and DROUTER had restarted twice.


[Expert@rockvpn-fwb]# clusterXL_admin down
Setting member to administratively down state ...
Member current state is Down
[Expert@rockvpn-fwb]# cphaprob stat

Cluster Mode: New High Availability (Active Up)


Number Unique Address Assigned Load State

1 192.168.25.241 100% Active
2 (local) 192.168.25.242 0% Down

[Expert@rockvpn-fwb]# clusterXL_admin up
Setting member to normal operation ...
Member current state is Standby
[Expert@rockvpn-fwb]#
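Two of the checks in the cheat sheet above are easy to automate over pasted output: the "cpwd_admin list" table (a process that cpwd has started more than once since boot, as with FIBMGR and DROUTER in the note above, or that is no longer executing) and the "cphaprob stat" member table (exactly one Active member, everything else Standby). The following is an added example, not Check Point code or anything from the thread. The cpwd_admin sample is the one pasted above plus one constructed FIBMGR line with #START = 2; the cphaprob sample is the rockvpn-fwb output above. The column layouts it parses are the ones shown on this page; function names are this example's own.

```python
"""Health checks over pasted Check Point CLI output: 'cpwd_admin list' (watchdog
process table) and 'cphaprob stat' (ClusterXL member state). Added example, not
Check Point code; the sample text is copied from the thread except where marked
as constructed."""
import re

# cpwd_admin list as pasted in the thread, plus one CONSTRUCTED FIBMGR line
# with #START = 2 to stand in for the "FIBMGR and DROUTER restarted" case.
CPWD_SAMPLE = """\
cpwd_admin:
APP PID STAT #START START_TIME COMMAND MON
CPD 3449 E 1 [20:24:21] 7/6/2013 cpd Y
CI_CLEANUP 3534 E 1 [20:24:35] 7/6/2013 avi_del_tmp_files N
CIHS 3546 E 1 [20:24:35] 7/6/2013 ci_http_server -j -f /opt/CPsuite-R71/fw1/conf/cihs.conf N
FWD 3548 E 1 [20:24:36] 7/6/2013 fwd N
RTMD 4051 E 1 [20:24:59] 7/6/2013 rtmd N
FIBMGR 4102 E 2 [20:25:03] 7/6/2013 fibmgr N
"""

# cphaprob stat from the rockvpn-fwb example above (local member set admin-down).
HA_SAMPLE = """\
Cluster Mode: New High Availability (Active Up)

Number Unique Address Assigned Load State

1 192.168.25.241 100% Active
2 (local) 192.168.25.242 0% Down
"""

# APP PID STAT #START [HH:MM:SS] D/M/YYYY COMMAND... MON
CPWD_LINE = re.compile(
    r"^(?P<app>\S+)\s+(?P<pid>\d+)\s+(?P<stat>[A-Z])\s+(?P<starts>\d+)\s+"
    r"(?P<time>\[\d\d:\d\d:\d\d\])\s+(?P<date>\S+)\s+(?P<cmd>.*?)\s+(?P<mon>[YN])$"
)

# Number [(local)] Address Load% State  (State may contain spaces, e.g. "Active Attention")
HA_LINE = re.compile(
    r"^(?P<number>\d+)\s+(?P<local>\(local\)\s+)?(?P<addr>\d+(?:\.\d+){3})\s+"
    r"(?P<load>\d+)%\s+(?P<state>.+)$"
)


def parse_cpwd(text):
    """Rows of the cpwd_admin table; header and banner lines do not match."""
    rows = []
    for line in text.splitlines():
        m = CPWD_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"], d["starts"] = int(d["pid"]), int(d["starts"])
            rows.append(d)
    return rows


def cpwd_findings(rows):
    """Flag entries that are not executing (STAT != 'E') or that cpwd has started
    more than once since boot, i.e. the process died and was restarted."""
    out = []
    for r in rows:
        if r["stat"] != "E":
            out.append((r["app"], "not running (STAT=%s)" % r["stat"]))
        if r["starts"] > 1:
            out.append((r["app"], "started %d times" % r["starts"]))
    return out


def parse_cphaprob_stat(text):
    """Member rows of cphaprob stat as dicts."""
    members = []
    for line in text.splitlines():
        m = HA_LINE.match(line.strip())
        if m:
            members.append({"number": int(m["number"]), "local": bool(m["local"]),
                            "addr": m["addr"], "load": int(m["load"]),
                            "state": m["state"].strip()})
    return members


def cluster_findings(members):
    """In High Availability exactly one member should be Active and every other
    member Standby; Down, Ready, Init or an attention state needs a look."""
    out = []
    active = [m for m in members if m["state"] == "Active"]
    if len(active) != 1:
        out.append(("cluster", "%d Active members" % len(active)))
    for m in members:
        if m["state"] not in ("Active", "Standby"):
            who = "member %d%s" % (m["number"], " (local)" if m["local"] else "")
            out.append((who, "state %s" % m["state"]))
    return out


if __name__ == "__main__":
    for who, why in cpwd_findings(parse_cpwd(CPWD_SAMPLE)) + cluster_findings(parse_cphaprob_stat(HA_SAMPLE)):
        print("%-20s %s" % (who, why))
```

On the samples this reports FIBMGR started 2 times and member 2 (local) in state Down; the hindev-fwa output earlier on the page (one Active, one Standby, every watchdog entry at #START 1) produces no findings. Feed it the real output with something like `cpwd_admin list > /tmp/cpwd.txt` and `cphaprob stat > /tmp/ha.txt` from expert mode and read the files in place of the samples.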
 
Roll back from a snapshot or reinstall the Gaia OS. Rather than treating something like this, it is easier to build a new one.
 