Troubleshooting

Issue Solution

Where are the service logs?

Examine this log file:

/var/log/CPcme/cme.log

You do not need to enable any additional debugging to view the full log.

The Management Server does not recognize the autoprov_cfg command.

The latest CloudGuard add-on package is not installed on your Management Server. Download and install the latest version. See sk130372.

The service cme test command fails with this error:

Exception: 'Your management version does not support "get-interfaces"'

Your Security Management Server version is not supported.

The Transit service can only run on a Check Point Security Management Server in AWS, version 317 or higher.

Install a supported version.

The service cme test command fails with this error:

Exception: Unauthorized Operation: You are not authorized to perform this operation.

The IAM role of the Security Management Server does not have the required read/write permissions, or the trust between a spoke account and the management account is not configured correctly.

See the issue below "What permissions are required for the IAM role?" for an example of IAM role permissions required for the Security Management Server.
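The two causes above can be told apart from the Management Server itself: check which identity the instance role actually resolves to, then try to assume the role in each spoke account. The script below is an added example, not part of Check Point's CME tooling; it assumes the spoke trust is an STS AssumeRole relationship, uses only the `aws sts` CLI, and all role ARNs and account IDs in it are placeholders.

```sh
#!/bin/sh
# Added example: verify the management-side identity and the spoke-account trust.
# Role ARNs and account IDs are placeholders, not values from any real deployment.

# role_arn_account <arn>: print the 12-digit account ID embedded in an IAM role ARN
# of the form arn:aws:iam::<account>:role/<name>; return 1 for anything else.
# (Only the "aws" partition is matched; this is an assumption of the example.)
role_arn_account() {
    case $1 in
        arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*)
            acct=${1#arn:aws:iam::}
            echo "${acct%%:*}" ;;
        *)
            echo "not an IAM role ARN: '$1'" >&2
            return 1 ;;
    esac
}

# check_spoke_trust <role_arn> [expected_spoke_account]: sanity-check the ARN,
# optionally confirm it lives in the expected spoke account, then attempt a
# short-lived AssumeRole. Success prints the assumed-role ARN; failure prints
# the STS error, which is the same class of "not authorized" error cme test reports.
check_spoke_trust() {
    acct=$(role_arn_account "$1") || return 1
    if [ -n "$2" ] && [ "$acct" != "$2" ]; then
        echo "role $1 is in account $acct, not the expected spoke account $2" >&2
        return 1
    fi
    aws sts assume-role --role-arn "$1" --role-session-name cme-trust-check \
        --duration-seconds 900 --query 'AssumedRoleUser.Arn' --output text
}

# Offline demonstration (no AWS call): extract the account from a placeholder ARN.
role_arn_account arn:aws:iam::111122223333:role/CloudGuard-Spoke-Role

# On the Management Server, in Expert mode (placeholders):
#   aws sts get-caller-identity --query Arn --output text
#   check_spoke_trust arn:aws:iam::111122223333:role/CloudGuard-Spoke-Role 111122223333
```

If `get-caller-identity` returns an identity other than the role you attached to the Management Server instance, the instance profile is wrong; if it is right but `assume-role` fails with AccessDenied, the spoke-side trust policy does not name the management role (or the management role lacks `sts:AssumeRole`), which is the second cause listed above.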

CloudGuard Security Gateways from the Transit Gateway Auto Scaling Group are not provisioned and do not appear in SmartConsole.

  • In the AWS Console, check that the CloudGuard Transit Gateway has this tag:

    Tag key:

    x-chkp-tags

    Tag value:

    management=<name>+template=<name>+ip-address=<public|private>

    Check that the value of the tag is correct. If not, change or add it accordingly.

  • Confirm that the management and template names are the same ones you configured with the autoprov_cfg utility.

  • Confirm the IP address is set to the correct value: "public" OR "private".

  • Confirm that the management instance can reach the Transit Gateway's public or private IP address. If not, configure the applicable route.
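The tag checks above are easy to get subtly wrong (a misspelled key, an `ip-address` value other than `public`/`private`, a name that differs from the one given to autoprov_cfg). The validator below is an added example, not part of Check Point's tooling; it takes the tag value format exactly as shown above (`+`-separated `key=value` pairs, with an optional trailing `;`) and the sample values it runs over are constructed, not taken from a real account.

```sh
#!/bin/sh
# Added example: validate an x-chkp-tags value against the documented format
#   management=<name>+template=<name>+ip-address=<public|private>
# The '+' separator and optional trailing ';' are taken from the format shown on the page.

# check_chkp_tag "<tag value>" [expected-management] [expected-template]
# Returns 0 if the value is well-formed (and matches the expected names when given),
# 1 otherwise, printing the reason to stderr.
check_chkp_tag() {
    value=${1%;}            # tolerate and strip one trailing ';'
    want_mgmt=$2
    want_tmpl=$3
    mgmt= tmpl= ipaddr=
    old_ifs=$IFS
    IFS='+'
    set -- $value           # split on '+' only; spaces inside names are preserved
    IFS=$old_ifs
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        if [ "$key" = "$kv" ] || [ -z "$val" ]; then
            echo "malformed pair: '$kv'" >&2; return 1
        fi
        case $key in
            management) mgmt=$val ;;
            template)   tmpl=$val ;;
            ip-address) ipaddr=$val ;;
            *) echo "unknown key: '$key'" >&2; return 1 ;;
        esac
    done
    [ -n "$mgmt" ] || { echo "missing management=<name>" >&2; return 1; }
    [ -n "$tmpl" ] || { echo "missing template=<name>" >&2; return 1; }
    case $ipaddr in
        public|private) ;;
        *) echo "ip-address must be public or private, got '$ipaddr'" >&2; return 1 ;;
    esac
    if [ -n "$want_mgmt" ] && [ "$mgmt" != "$want_mgmt" ]; then
        echo "management '$mgmt' does not match the autoprov_cfg name '$want_mgmt'" >&2; return 1
    fi
    if [ -n "$want_tmpl" ] && [ "$tmpl" != "$want_tmpl" ]; then
        echo "template '$tmpl' does not match the autoprov_cfg name '$want_tmpl'" >&2; return 1
    fi
    return 0
}

# Constructed sample values (placeholders, not from a real account). The expected
# names "cme-mgmt" and "TransitTemplate" stand in for what was given to autoprov_cfg.
for v in \
    'management=cme-mgmt+template=TransitTemplate+ip-address=private;' \
    'management=cme-mgmt+template=TransitTemplate+ip-address=elastic' \
    'template=TransitTemplate+ip-address=public' \
    'management=other-mgmt+template=TransitTemplate+ip-address=public'
do
    if check_chkp_tag "$v" cme-mgmt TransitTemplate 2>&1; then
        echo "OK   $v"
    else
        echo "FAIL $v"
    fi
done
```

To check the live values instead of the constructed ones, feed the output of `aws ec2 describe-tags --filters Name=key,Values=x-chkp-tags --query 'Tags[].Value' --output text` into `check_chkp_tag` one line at a time, passing the same management and template names you used with autoprov_cfg.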

Connection to the Transit Gateway is lost after the restrictive policy is installed for the first time, and the policy cannot be installed again on the Transit Gateway.

The Transit Gateway is configured to connect to the Security Management Server with the public IP address (the elastic IP address), but the Security Management Server in SmartConsole is configured with the private IP address.

  1. Edit the Security Management Server object in SmartConsole and change the IP address to the public IP address.

    Note - This change requires the licenses to be re-issued for the new IP address.

  2. Delete the gateway instance. It cannot be recovered at this point.

  3. Deploy Transit Gateways with the CloudFormation template again.

There is no spoke-to-spoke communication for some traffic, although ICMP pings between the spokes can pass.

Confirm the Security Policy is not blocking the traffic.

  • On the gateway, run in the Expert mode:

    cat $PPKDIR/boot/modules/simkern.conf

    Confirm the file exists and contains this line:

    sim_ipsec_dont_fragment=0

  • If there is still no traffic between spokes, lower the MTU (to less than 1500 bytes) on the interfaces of hosts deployed in the spoke VPCs.

  • Check the AWS Network Access Lists (NACL) of each spoke VPC.
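The symptom described above (pings pass, larger flows do not) is the classic signature of packets that exceed the path MTU and are dropped instead of fragmented. The script below is an added example, not Check Point's own tooling: it checks the simkern.conf line exactly as stated above, and adds a DF-set ping sweep that finds the largest payload that actually crosses the transit, so you know what MTU to set on the spoke hosts rather than guessing. It assumes a Linux `ping` with the `-M do` option (as in Gaia Expert mode) and runs its stand-alone demonstration against constructed files, not a real gateway.

```sh
#!/bin/sh
# Added example: verify the simkern.conf setting and probe the spoke-to-spoke path MTU.

# check_simkern <file>: return 0 if the file exists and contains an uncommented
# "sim_ipsec_dont_fragment=0" line; otherwise explain what is wrong and return 1.
check_simkern() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2; return 1
    fi
    if grep -q '^[[:space:]]*sim_ipsec_dont_fragment=0[[:space:]]*$' "$f"; then
        return 0
    fi
    if grep -q '^[[:space:]]*sim_ipsec_dont_fragment=' "$f"; then
        echo "sim_ipsec_dont_fragment is set, but not to 0, in $f" >&2
    else
        echo "sim_ipsec_dont_fragment is not set in $f" >&2
    fi
    return 1
}

# mtu_probe <host> [start_payload]: send single ICMP echoes with DF set, starting at
# the largest payload and stepping down, and report the largest that gets through.
# 1472 = 1500 - 20 (IPv4 header) - 8 (ICMP header); the step of 8 is arbitrary.
mtu_probe() {
    host=$1
    size=${2:-1472}
    while [ "$size" -ge 1200 ]; do
        if ping -c 1 -W 2 -M do -s "$size" "$host" >/dev/null 2>&1; then
            echo "largest DF payload that reaches $host: $size bytes (path MTU $((size + 28)))"
            return 0
        fi
        size=$((size - 8))
    done
    echo "no DF ping with payload >= 1200 bytes reached $host" >&2
    return 1
}

# Stand-alone demonstration on constructed files (not a real gateway's simkern.conf).
tmp=$(mktemp -d)
printf 'sim_ipsec_dont_fragment=0\n' > "$tmp/good.conf"
printf '# sim_ipsec_dont_fragment=0\nsim_ipsec_dont_fragment=1\n' > "$tmp/bad.conf"
for c in good bad; do
    if check_simkern "$tmp/$c.conf" 2>&1; then echo "OK   $c.conf"; else echo "FAIL $c.conf"; fi
done
rm -rf "$tmp"

# On the Transit Gateway, in Expert mode:
#   check_simkern "$PPKDIR/boot/modules/simkern.conf"
# From a host in one spoke VPC, towards a host in another spoke (placeholder address):
#   mtu_probe 10.20.30.40
```

If `mtu_probe` reports a path MTU below 1500 while the simkern.conf line is already present, set the interface MTU on the spoke hosts to the reported value, which is the "lower the MTU" step above made concrete; then re-check the spoke VPC NACLs, since a NACL that drops only some ports produces the same "ping works, application does not" symptom.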

A CloudGuard feature does not work.

Install the latest Hotfix from sk141173.

What permissions are required for the Security Management Server IAM role?

Use the IAM role described in the section that matches your deployment: Using the Existing On-Premises Security Management Server, or the Security Management Server in AWS.

How do I add a Corporate Gateway as an Externally Managed VPN Gateway, to allow a secure VPN connection between the on-premises network and the Transit Hub?

See sk120534.

How do I configure Remote Access VPN through a Corporate Gateway to a Spoke VPC?

See sk120534.

Transit Gateways are not added to the Management Server.

Check tags in the and Route Tables as described in Step 5: Deploying the Security Transit Gateway Auto Scaling Group.

I used the Transit Gateway First Time Configuration Wizard, but the resulting configuration is not correct.

You have these options:

The autoprov_cfg command for configuring the template on the Management Server fails.

Before you reference a VPN community in the template, the community must already be defined on the AWS Controller.

Security Gateways are not added to the VPN Community.

If the VPN Community was created after the Security Gateways were provisioned, terminate the Security Gateways in AWS. New Security Gateways are created, provisioned, and added to the VPN Community automatically.

When you use an external Classic Load Balancer for the inbound traffic, the targets are reported as unhealthy.

Ensure that the health check is configured as follows:

Ping Target: Protocol:Instance_Port (for example, TCP:9080)

Timeout: 5 seconds

Interval: 30 seconds

Unhealthy threshold: 3
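The settings in the table, applied and verified with the AWS CLI, as an added example that is not part of Check Point's documentation or tooling. It uses the real `aws elb configure-health-check` and `aws elb describe-load-balancers` commands; the load balancer name is a placeholder, and the `HealthyThreshold=2` value is an assumption, because the API requires it but the page does not specify it.

```sh
#!/bin/sh
# Added example: apply and verify the Classic Load Balancer health check from the table.
# Load balancer names are placeholders. HealthyThreshold=2 is an assumption (required by
# the API, not given on the page); the other values are the ones in the table.

# clb_health_check_spec <instance_port> [protocol]: emit the --health-check value.
clb_health_check_spec() {
    port=$1
    proto=${2:-TCP}
    case $port in
        ''|*[!0-9]*) echo "instance port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "instance port out of range: $port" >&2; return 1
    fi
    printf 'Target=%s:%s,Interval=30,Timeout=5,UnhealthyThreshold=3,HealthyThreshold=2\n' \
        "$proto" "$port"
}

# clb_apply_health_check <load_balancer_name> <instance_port>: push the spec with the CLI.
clb_apply_health_check() {
    spec=$(clb_health_check_spec "$2") || return 1
    aws elb configure-health-check --load-balancer-name "$1" --health-check "$spec"
}

# hc_matches <actual_line> <instance_port>: compare one whitespace-separated line of
# "Target Interval Timeout UnhealthyThreshold" (e.g. "TCP:9080 30 5 3") with the
# expected settings; return 0 on an exact match.
hc_matches() {
    set -- $1 "$2"          # $1..$4 are the fields of the line, $5 the expected port
    [ "$1" = "TCP:$5" ] && [ "$2" = 30 ] && [ "$3" = 5 ] && [ "$4" = 3 ]
}

# clb_verify_health_check <load_balancer_name> <instance_port>: read back what is
# configured and compare it with the table.
clb_verify_health_check() {
    actual=$(aws elb describe-load-balancers --load-balancer-names "$1" \
        --query 'LoadBalancerDescriptions[0].HealthCheck.[Target,Interval,Timeout,UnhealthyThreshold]' \
        --output text) || return 1
    if hc_matches "$actual" "$2"; then
        echo "health check on $1 matches the documented settings"
    else
        echo "health check on $1 is '$actual', expected 'TCP:$2 30 5 3'" >&2
        return 1
    fi
}

# Offline demonstration with the port used in the table; no AWS call is made here.
clb_health_check_spec 9080

# Real usage (placeholder load balancer name):
#   clb_apply_health_check my-inbound-clb 9080 && clb_verify_health_check my-inbound-clb 9080
```

The instance port in the target must be the port the gateway actually listens on for the published service (9080 in the page's example); a target of the wrong port, or an HTTP target where the gateway answers only at TCP level, is the usual reason the CLB marks every instance unhealthy even though traffic would flow.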