Support, Support Requests, Training, Documentation, and Knowledge b... https://supportcenter.checkpoint.com/supportcenter/portal/media-type/h...

Solution ID: sk10034 3/4/2010

Error: "Failed to install policy on module - No Memory" when trying to push a Security Policy to a newly installed Enforcement Module

Product: VPN-1 Pro/Express
Version: NG-AI R54, NGX R61, NGX R60, NG, NG-AI R55
Last Modified: 23-Dec-2007

Symptoms

Error: "Failed to install policy on module - No Memory" when trying to push a Security Policy to a newly installed Security Gateway.
SIC is working fine.

Cause

Duplicate IP addresses were found in two Security Gateways managed by this SmartCenter server, but these Security Gateways are not part of a cluster object.
(An ioctl failure occurs because the kernel returns the ENOMEM return code on the policy load ioctl.)

Solution

The error message "No Memory" usually has nothing to do with memory (RAM), so there is no need to check for available memory. What the message actually means is that duplicate IP addresses were found in two Security Gateways managed by this SmartCenter server.

This error message is usually seen:

- while in the process of installing a High Availability Cluster.
- while the other Security Gateway object exists and has the same IP addresses on its interfaces that participate in the HA, excluding the unique IP for the Sync Network.

Since the installation engine sees two Security Gateways with the
same IP addresses, but there is no Cluster Object that contains them
inside, you will see a "No Memory" message.

It is recommended to install a cluster according to the Clustering PDF that is available on the NG CD or the Check Point Download Site for Software Subscribers, and via the "Configuration Documents" solution in SecureKnowledge.

To quickly resolve this:

1. Insert the two Security Gateways into a cluster object.

2. Configure it as required.

3. Install the Security Policy.

Several points are relevant when creating and configuring the cluster object:

1. Make sure you configure all VPN-related parameters in the Cluster Object before installing the Policy, even if you do not use VPN.

2. In the Security Policy in the Policy Editor (SmartDashboard), you might need to edit the "Policy Targets" value in the "Install On" column and insert only the cluster object. Otherwise, policy installation might fail on rule xx with the reason "check install on column".

3. Ensure that on each cluster member module the SmartCenter server's object name can be resolved to the IP address (so that this module can send its logs and so that the Security Policy can be fetched from this module). This can be done by editing the hosts file on the Security Gateway. This is especially important if the SmartCenter server has more than one IP address.

4. It might be desirable to run the fw unloadlocal command on the Security Gateways before installing the Security Policy, to make sure that no policy blocks you from performing your task.

To further determine the source of the problem, proceed as follows:

1. Check for duplicates of the IP address of the firewall in other FireWall-1 objects and in all of the HOSTS files in the OS. If there are duplicates, remove them.

2. On the SmartCenter server run this command:

    fw debug fwm on TDERROR_ALL_ALL=3

   and install the policy. The install window will show detailed installation messages; read the last part to see the reason for the failure and the stage at which it happened. To turn off debug use:

    fw debug fwm off TDERROR_ALL_ALL=0

3. Run the following debug command on the Security Gateway:

    fw debug fwd on TDERROR_ALL_ALL=3

   To turn off debugging run the command:

    fw debug fwd off TDERROR_ALL_ALL=0

   Type: fw fetch <IP_address_of_management_server> and read the messages to get further ideas.

   You may also try to load the local policy by typing:

    fw fetchlocal -d $FWDIR/__tmp/local/FW1

4. Review the messages returned.
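
Step 1 above asks for duplicate IP addresses in the hosts files. As an added example (not part of the original solution and not Check Point code), this shell function lists addresses that appear on more than one line, and names mapped to more than one address, in a hosts-format file. The function name and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code): list conflicting entries in a
# hosts-format file read from the named file or from standard input.
#   DUP_IP   <ip>   <names>  the IP address appears on more than one line
#   DUP_NAME <name> <ips>    the name is mapped to more than one IP address
hosts_conflicts() {
    awk '
    {
        sub(/#.*/, "")                 # drop comments
        if (NF < 2) next               # skip blank or incomplete lines
        ip = $1
        lines[ip]++
        for (i = 2; i <= NF; i++) {
            name = tolower($i)         # host names are case-insensitive
            if ((ip, name) in pair) continue
            pair[ip, name] = 1
            names_of[ip] = (names_of[ip] == "" ? "" : names_of[ip] ",") name
            ips_of[name] = (ips_of[name] == "" ? "" : ips_of[name] ",") ip
            ip_count[name]++
        }
    }
    END {
        for (ip in lines)
            if (lines[ip] > 1) print "DUP_IP", ip, names_of[ip]
        for (name in ip_count)
            if (ip_count[name] > 1) print "DUP_NAME", name, ips_of[name]
    }' "$@" | sort
}

# Constructed sample: names and addresses are invented for illustration.
hosts_conflicts <<'EOF'
127.0.0.1   localhost
10.1.1.1    fw-a
10.1.1.1    fw-b          # same address as fw-a
10.2.2.2    mgmt
10.3.3.3    MGMT smartcenter
EOF
```

Run it against the hosts file on each machine separately; an empty result means that file has no duplicate address or name.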

©2010 Check Point Software Technologies Ltd. All rights reserved.
