Troubleshooting and Fault Handling

You can view the faults reported by the Check Point CloudGuard for ACI solution in the APIC Server Web UI.

The faults appear on:

  • The L4-L7 Device page in the APIC Server Web UI.

    • To view these faults, select the designated tenant > L4-L7 Services > L4-L7 Devices, and select the L4-L7 device.

  • The Deployed Device page in the APIC Server Web UI.

    • To view these faults, select the designated tenant > L4-L7 Services > Deployed Devices, and select the L4-L7 device instance.

To make sure the L4-L7 CloudGuard service insertion provisioning works properly, there must always be communication between APIC and the Management, and between the Management and the gateways.

Before you start the troubleshooting process:

  • Make sure there is communication between APIC and the Management and between the Management and the gateways.

  • Close all VSX and Virtual System objects in SmartConsole and publish your changes.

  • Make sure the Management and the gateway have a valid license installed.

These are the main faults that can occur during L4-L7 CloudGuard service insertion:

| Message | Fault Definition | Mitigation |
|---|---|---|
| Pending deployment: ERROR: Failed to retrieve VSX information | Failed to read information from the VSX. | Confirm there is connectivity between the Check Point Security Management Server and the gateway. Make sure VSX is up and running. |
| Pending deployment: ERROR: Failed to read VS ID | Failed to read the VS ID. | Confirm there is connectivity between the Check Point Security Management Server and the gateway. Make sure VSX is up and running. |
| Pending deployment: ERROR: Failed to read VSX IP | Failed to read the VSX IP. | Confirm there is connectivity between the Check Point Security Management Server and the gateway. Make sure VSX is up and running. |
| Pending deployment: ERROR: Failed to set interface MTU | Failed to set the interface MTU according to the External Routed Network settings. | Check the External Routed Network settings. |
| Pending deployment: ERROR: Administrator does not have permission to perform the VSX provisioning operations. | The administrator's permission level does not allow VSX provisioning operations. | Check the permissions of the R80 Administrator used on APIC. |
| Pending deployment: ERROR: Policy Package does not exist | The policy package does not exist on the Management. | Check the policy package name (and the domain name, if MDS) in the device parameter configuration on APIC. |
| Pending deployment: ERROR: Security Domain does not exist | The Security Domain does not exist on the MDS. | Check the domain name in the device parameter configuration on APIC. |
| Pending deployment: ERROR: Security Domain field is empty while using MDS | The Security Domain name was not sent to the MDS. | Verify that the Security Domain name field is set to the specific domain name. |
| Pending deployment: ERROR: Interfaces are already allocated to two different bridges | The graph's internal and external interfaces are already allocated to two different bridges. | Check the contracts between EPGs/BDs. Make sure each BD is allocated to one L2 contract. |
| Pending deployment: ERROR: Network address is not in the expected format `<IP Address><Mask Length>` | The format used for the network address is not supported. | Use the network address format IP address/mask length in the device parameter configuration on APIC. |
| Pending deployment: ERROR: Failed to apply configuration on the Gateway | The configuration was not applied on the gateway. | Check the gateway configuration and the device parameter configuration on APIC. Make sure there are no conflicts. |
| Pending deployment: ERROR: Could not read Gateway management IP | Failed to read the gateway management IP from the management database. | Check the gateway configuration in SmartConsole. |
| Pending deployment: ERROR: Could not ready Gateway Policy Package name | Failed to read the gateway policy package name from the gateway. | Make sure the policy was successfully installed manually on the gateway. Make sure the policy allows communication with the gateway on the cprid service. Example rule: Source `*`, Destination `*`, Service cprid (Port 18208). |
| Pending deployment: ERROR: Failed to removed Security Gateway interface | Failed to remove the Security Gateway interface from the management database. | Contact Check Point support. |
| Pending deployment: ERROR: Failed to update interface address, interface not found on the database | Failed to find the existing interface in the management database. | Contact Check Point support. |
| Pending deployment: ERROR: Failed to update interface address on the database | Failed to update an existing interface in the management database. | Contact Check Point support. |
| Pending deployment: ERROR: Failed to add bridge. Interfaces are already allocated to two different bridges | According to the management database, the graph's internal and external interfaces are already allocated to two different bridges. | Check the contracts between EPGs/BDs. Make sure each BD is allocated to one L2 contract. Contact Check Point support. |
| Pending deployment: ERROR: Failed to update bridge interfaces | The interface was not found in the management database, or it was found but could not be updated. | Contact Check Point support. |
| Pending deployment: ERROR: Could not add interface to the bridge, bridge already connected to two interfaces | Failed to add an interface to a bridge because the bridge already has two interfaces. | Check the contracts between EPGs/BDs. Make sure each BD is allocated to one L2 contract. |
| Pending deployment: ERROR: Failed to read Gateway UID | The gateway UID was not found in the database. | Contact Check Point support. |
| Pending deployment: ERROR: Failed to read Gateway information from the Database | The gateway name was not found in the database. | Check the gateway configuration in SmartConsole. Contact Check Point support. |
| Pending deployment: ERROR: Could not read Gateway information from the Database | Failed to find the gateway information in the database. | Check the gateway configuration in SmartConsole. Contact Check Point support. |
| Pending deployment: ERROR: Cluster should not have more than six members | There are more than six members in the cluster. | Confirm there are no more than six members in each cluster. |
| Pending deployment: ERROR: Failed to read Gateway configuration | Failed to read the gateway configuration from the gateway or cluster member. | Make sure there is connectivity between the Check Point Security Management Server and the gateway. Make sure the policy allows communication with the gateway on the cprid service. Example rule: Source `*`, Destination `*`, Service cprid (Port 18208). |
| Pending deployment: ERROR: Could not run configuration commands file, gateway IP is missing | The gateway or cluster member IP is missing. | Contact Check Point support. |
| Pending deployment: ERROR: Fail to copy configuration commands file to the gateway | Failed to copy the file to the gateway. | Make sure the policy was successfully installed manually on the gateway. Make sure the policy allows communication with the gateway on the cprid service. Example rule: Source `*`, Destination `*`, Service cprid (Port 18208). |
| Pending deployment: ERROR: Failed to write configuration commands file | Failed to write the configuration commands file. | Contact Check Point support. |
| Pending deployment: ERROR: Gateway already has different Router ID | The gateway already has a different router ID. | Check the External Routed Network settings. Make sure the router ID is set correctly. See the OSPF limitation. |
| Pending deployment: ERROR: Gateway can have only one Router ID | The graph information contains two different router IDs. | Check the External Routed Network settings. |
| Pending deployment: ERROR: Error wrong Authentication Type | An unknown OSPF authentication type was sent to the Management. | Check the External Routed Network settings. |
| Pending deployment: ERROR: No key for OSPF Plain Authentication Type | No key was sent to the Management although the OSPF Plain Authentication Type was set. | Check the External Routed Network settings. |
| Pending deployment: ERROR: Failed to read cluster's members | Cannot read the cluster members from the management database. | Check the cluster member information in SmartConsole. |
| Pending deployment: ERROR: GW object does not exist | Failed to find the Security Gateway/VSX object that you tried to add. | Check the L4-L7 Device cluster name on APIC. Make sure you use the same name for the Security Gateway/VSX object in SmartConsole. |
| OSPF MD5 authentication is not supported | OSPF MD5 authentication was set on the External Routed Network. | OSPF MD5 authentication is not supported. Modify the OSPF authentication type. |
| OSPF with IPv6 is not supported on this version | IPv6 was set on the External Routed Network with OSPF enabled. | OSPF with IPv6 is not supported on this version. Check the External Routed Network settings. |
| Service-BD-Address must be in the FW-Interface-Address network | In the PBR parameters, Service-BD-Address is not in the same network as FW-Interface-Address. | Check the device parameter configuration on APIC. |
| Redistribute of ospf or bgp is not supported | Redistribution of OSPF or BGP was set on the External Routed Network with OSPF enabled. | Redistribution of OSPF or BGP is not supported. Check the External Routed Network settings. |
| Unhandled response from server. Please verify management address and port are correct. If issue persists, please contact support | No response was received from the server. | Verify that the management address and port are set correctly on APIC. Make sure there is connectivity between the Check Point Security Management Server and APIC. Contact Check Point support. |
| Failed to connect to the CloudGuard service. Please verify that the management is reachable. | Failed to connect to the CloudGuard service on the Management. | Make sure there is connectivity between the Check Point Security Management Server and APIC. |
| Failed deployment: This device is already used by another Service Profile | The device is already used by another function. | Check the device parameter configuration on APIC. Check the service graphs used in the gateway/VS contracts. Make sure only one service profile (NGFW_L3, NGFW_L2 or NGFW_PBR) is used. |
| Failed deployment: This device can deploy only one PBR graph | An attempt was made to deploy more than one PBR graph, but the device can deploy only one. | Check the device parameter configuration on APIC. See the PBR limitation. |

Note - For faults related to CloudGuard L4-L7 service insertion not listed in this table, contact Check Point support.
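Two of the faults in the table are pure parameter-format problems that can be caught before anything is pushed to APIC: a network address that is not in the `<IP Address>/<Mask Length>` form, and a PBR Service-BD-Address that does not lie in the FW-Interface-Address network. The following Python script is an added example written for this page; it is not part of the guide, nor code from Check Point or Cisco. The parameter names are illustrative labels rather than APIC object keys, and the sample values are constructed.

```python
"""Pre-flight checks for CloudGuard L4-L7 device parameters.

Added example, not Check Point or Cisco code. It validates two conditions
that the APIC fault table otherwise reports only after deployment:
  * network addresses must use the <IP Address>/<Mask Length> form;
  * for PBR, Service-BD-Address must lie in the FW-Interface-Address network.
The parameter names used here are illustrative labels, not APIC object keys.
"""
import ipaddress


def parse_network_address(value: str) -> ipaddress.IPv4Interface:
    """Parse 'a.b.c.d/len' into an IPv4Interface; raise ValueError otherwise."""
    if value.count("/") != 1:
        raise ValueError(f"{value!r}: expected <IP Address>/<Mask Length>")
    address, mask = value.split("/")
    # A dotted netmask such as 255.255.255.0 is not a mask *length*.
    if not mask.isdigit():
        raise ValueError(f"{value!r}: mask length must be an integer 0-32")
    try:
        # IPv4Interface rejects malformed addresses, IPv6 input and prefixes > 32.
        return ipaddress.IPv4Interface(f"{address}/{mask}")
    except ValueError as exc:
        raise ValueError(f"{value!r}: {exc}") from None


def check_pbr_addresses(fw_interface_address: str, service_bd_address: str) -> list:
    """Return a list of problems; an empty list means the PBR pair is consistent."""
    problems = []
    try:
        fw = parse_network_address(fw_interface_address)
    except ValueError as exc:
        problems.append(f"FW-Interface-Address: {exc}")
        return problems
    try:
        # Service-BD-Address is a host address; accept it with or without a prefix.
        bd = ipaddress.IPv4Interface(service_bd_address).ip
    except ValueError as exc:
        problems.append(f"Service-BD-Address: {exc}")
        return problems
    if bd not in fw.network:
        problems.append(
            f"Service-BD-Address {bd} must be in the FW-Interface-Address "
            f"network {fw.network}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample parameters: one consistent pair, one that would
    # trigger the "Service-BD-Address must be in the FW-Interface-Address
    # network" fault, and one with a malformed network address.
    samples = [
        ("10.1.1.1/24", "10.1.1.254"),
        ("10.1.1.1/24", "10.1.2.254"),
        ("10.1.1.1", "10.1.1.2"),
    ]
    for fw_addr, bd_addr in samples:
        found = check_pbr_addresses(fw_addr, bd_addr)
        status = "OK" if not found else "; ".join(found)
        print(f"FW={fw_addr} BD={bd_addr}: {status}")
```

Run the script once with the values you intend to enter in the device parameter configuration; any line other than `OK` corresponds to a fault you would otherwise see only on the L4-L7 Device page after the deployment fails.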

Multi-Tenancy

Check Point CloudGuard for ACI supports multi-tenancy. It uses Check Point VSX on the gateway side, and multi-domain management on the Security Management Server side.

With the VSX infrastructure, Virtual Systems are created automatically on APIC instruction and configured to process the designated traffic.

Virtual Systems are completely separate instances, each running its own security policy and networking configuration.

Virtual Systems that belong to the same L4-L7 device can be deployed in separate tenants.