Important Notes for R81.10 Jumbo Hotfix Accumulator

Issue

Resolved in

Affected Takes

SK

Reference

In some scenarios, outdated firmware versions on Mellanox cards may conflict with newer interface driver software. This can potentially lead to system downtime.

Starting from Take 131

sk182403

Starting from Take 128, it is possible to import the Database only with upgrade_tool Build #996000540 and higher.

Starting from Take 128

Management data plane separation (MDPS) is not supported with User Space Mode (UPPAK).

Starting from Take 106

Starting from Take 61, Quantum LightSpeed Appliances Initial Release (Threat Prevention Stream) are supported.

Starting from Take 61

sk179432

Uninstalling Take 38 on Maestro Security Gateway may cause a reboot loop.

Starting from Take 38

sk178247

Upon uninstalling Jumbo Hotfix Accumulator, allow re-install of policy on reverted R81.10/R80.20.X Quantum Spark Appliances.

Starting from Take 30

sk178509

Installation of Take 30 or higher on Management / Standalone servers differs from the regular upgrade process:

  • If you installed both Take 9 and Take 14, we recommend skipping Take 22. Install Take 30 or higher on top of Take 14.

  • If you installed Take 9, Take 14 and Take 22, installing Take 30 or higher on this machine is not supported. Contact Check Point Support to get assistance with the upgrade process.

  • Note that uninstalling Take 22 does not resolve the issue.

Starting from Take 14

After a Jumbo Hotfix upgrade, the Mail Transfer Agent may fail on all Virtual Systems except one.

Starting from Take 141

PRJ-57057

The Security Gateway may drop the traffic on specific interfaces when both the QoS blade and the ISP Redundancy Load Sharing feature are simultaneously enabled.

Take 171

Take 158,

Take 165,

Take 169,

Take 170

PRJ-58099

After an upgrade on the first member of a VSX Cluster with VLANs, the member state may become unstable. Although this is a cosmetic issue and does not impact traffic flow or failover functionality, we recommend following the steps in sk182819 to proceed with the installation.

Take 171

Take 170

sk182819

PRJ-58111

In a Maestro environment with the "vpn_sync_to_all" parameter enabled, a connection going through a Site to Site VPN to a remote location may be dropped with "First packet isn't SYN".

Take 169

Starting from Take 141

PRJ-57425

Memory leak may occur in SecureXL templates.

Take 169

Starting from Take 141

sk182648

PRJ-57107

In some scenarios, the FWM process may unexpectedly exit and generate a core dump every few days, when the Compliance Blade is enabled and the scheduled full scan is not configured according to sk182507.

Take 165

Take 156,

Take 158

PRJ-56857

The FWM process may exit shortly after startup if the Compliance blade is enabled and scheduled to perform nightly scans.

Take 156

Take 152

sk182507

PRJ-56149

• On Quantum Maestro/Chassis or in ClusterXL, the Security Gateway may crash while processing a VPN/correction flow with a vmcore in /var/log/crash or FWK core in /var/log/dump/usermode/.

• The "kernel: xxxxx: tx_timeout" error is printed in /var/log/messages.

• PSL drops packets with the "PSL Drop: psl_build_pslip failed" message, potentially impacting network performance and streaming capabilities.

Take 152

Starting from Take 110

sk182463

PRJ-55517

SSL Network Extender (SNX) may encounter connectivity issues after installing Jumbo Hotfix Accumulator.

Take 152

Starting from Take 128

sk181805

PRJ-52047

SAML authentication may fail after installation of Jumbo Hotfix Accumulator R81.10 Take 113.

Take 152

Starting from Take 113

sk182128

PRJ-53989

Starting from Take 131, a Security Gateway with Anti-Virus enabled can sporadically crash because of memory corruption.

Take 139

Take 131,

Take 132,

Take 135

PRJ-53598

In a Maestro environment, after installing R81.10 Jumbo Hotfix Accumulator Take 135 and a reboot, members may intermittently go down due to MAC flapping.

Take 139

Take 135

PRJ-53287

VPN IKEv2 negotiation with a third-party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS, by default, offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log.

Take 139

Take 131,

Take 132,

Take 135

PRJ-53366

In a VSX environment, LACP Bond traffic may fail with the "incomplete ARP" error.

Take 135

Take 131,

Take 132

PRJ-52983

The CXLD process may consume the CPU at 70%-100% on VSX cluster members.

Take 132

Take 113,

Take 128,

Take 129,

Take 130,

Take 131

sk181891

PRJ-52491

When the NAT Rule Base contains domain objects with uppercase letters, the NAT rules may not be matched.

Take 132

Take 131

sk167194

PRJ-52558

Sizing of IP ranges in NSgroups may affect CPU and memory usage of the CloudGuard Controller process and cause a high load on the environment.

Take 130

Take 110,

Take 113

sk181614

PRJ-50417

In the read-only mode in SmartConsole, the "Where used failed" error appears when you right-click an object in the security policy and select "Where Used" from the drop-down menu or use the "where-used" Management API command.

Take 128

Take 110,

Take 113

sk181471

PRJ-49204

When BGP local address is configured, BGP peer may fail to establish.

Take 128

Take 110,

Take 113

PRJ-49905

ARP requests sent with VMAC from the Standby member may cause MAC flapping.

Take 128

Take 106,

Take 107,

Take 109,

Take 110,

Take 113

PRJ-50639

In a Maestro/Chassis environment, there may be a delay during TCP start negotiation for fully accelerated connections (FW only) that are distributed asymmetrically. For example, C2S is distributed to member 1_1 and S2C to member 1_2.

To maintain the original behavior, follow these steps before starting the Jumbo Hotfix Accumulator upgrade:

  • Force the sticky behavior in the Correction Layer in the current session:

    g_fw ctl set int ccl_force_sticky 1

  • Force the sticky behavior in the Correction Layer permanently:

    g_update_conf_file fwkern.conf ccl_force_sticky=1

Take 128

Take 106,

Take 107,

Take 109,

Take 110,

Take 113

sk181464

PRJ-49653,

PMTR-95476

Uninstalling Jumbo Hotfix Take 106/107 on Maestro Orchestrator (MHO) may cause an outage.

Take 109

Take 106,

Take 107

PRJ-47745

When the target object name is long and contains underscore or dash characters, policy installation may fail with "Target is not defined in the database".

  • Note that the issue is more likely to occur when using Cloud Management Extension (CME), which automatically adds underscore and dash characters to the target names when creating a scale-set instance.

Take 107

Take 95,

Take 106

PRJ-47102

If you used a Blink image that includes Take 87 to install Jumbo R81.10, we do not recommend installing Take 93 on top of it, as this may corrupt configuration files. If you did not use this Blink image, install Take 93 as usual.

Take 94

Take 87,

Take 93

sk179799

PRJ-45511

When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail.

Take 93

Take 79,

Take 81,

Take 82,

Take 85,

Take 87

PRJ-43959

Uninstalling Jumbo Hotfix from Maestro Orchestrator may cause connectivity issues.

Take 93

Take 79,

Take 81,

Take 82,

Take 85,

Take 87

PRJ-44600

When installing Take 79 and higher, some of the Maestro Orchestrator's (MHO) processes may go down after the first boot.

• This issue can cause connectivity issues.

• If a new Security Group Member (SGM) is added to the Security Group, the SGM may not start the joining process.

Refer to sk180509.

Take 93

Take 79,

Take 81,

Take 82,

Take 85,

Take 87

sk180509

PRJ-44142,

PMTR-89728

In VSX, after adding instances to a Virtual System (VS), their state may be inactive.

Take 87

Take 79,

Take 81,

Take 82,

Take 85

PRJ-44014,

PMTR-89893

The SNMPD process may consume a high CPU level in a VSX environment and there may be slowness when using the "fw vsx stat" command.

Take 82

Take 79,

Take 81

sk180324

PRJ-43356

After an upgrade, the RADIUS Server is unavailable and authentication fails. To restore the configuration, update one of the RADIUS Server attributes or add a new Server.

Take 82

Take 79,

Take 81

PRJ-43140

After an upgrade of the on-premises Endpoint Management Server to Jumbo Hotfix Accumulator R81.10 Take 75, login to the Web Management Server fails and the "API error 9999" message is shown.

Take 81

Take 75,

Take 78,

Take 79

sk180230

PRJ-42687

Pushing configuration to a virtual device in a Maestro VSX environment fails.

Take 79

Take 75,

Take 78

sk180107

PRJ-42180,

PMTR-81701

Take 61 introduces a temporary solution for sk177605 - R80.x Security Gateways do not block traffic when an R81.x Management Server installs a Threat Prevention policy with Security Zone objects. The solution is to fail the Threat Prevention policy installation.

Take 78

Take 61,

Take 66,

Take 75

sk177605

PRJ-35185,

PRJ-35154

In a specific HTTP connection scenario, the Security Gateway may become unresponsive, and the /var/log/messages file contains these messages at the time of the issue: "FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)".

Take 75

Take 61,

Take 66

PRJ-41446,

PRHF-25374

A VSX Gateway with a Virtual Router (VR) or Virtual Switch (VSW) may drop traffic when the IPS Blade is enabled.

Take 79

Take 55,

Take 61,

Take 66,

Take 75,

Take 78

PRJ-41957

On 16600 / 28600HS Quantum Maestro appliances, interfaces may disappear after uninstalling the Jumbo Hotfix.

Take 78

Take 55,

Take 61,

Take 66,

Take 75

PRJ-42199

VPN does not operate correctly on ClusterXL in Load Sharing mode and Scalable Platforms (Quantum Maestro and Chassis). This causes sporadic but frequent traffic drops.

Take 75

Take 55,

Take 61,

Take 66

sk179808

PRJ-39084,

PMTR-79827

When pushing a policy after deleting virtual interfaces, VSX Gateway may crash.

Take 75

Take 55,

Take 61,

Take 66

sk179820

PRJ-40950,

PMTR-85821

If you used a Blink image that includes Take 55 to install Jumbo R81.10, we do not recommend installing Take 66 on top of it, as this may corrupt configuration files. If you did not use this Blink image, install Take 66 as usual.

Take 75

Take 55,

Take 61,

Take 66

sk179799

PRJ-41205

On Maestro Security Gateway, in some scenarios, the asg_perf_hogs test shows that SecureXL is disabled while it is enabled. We recommend installing the latest HCP Take, which includes these tests.

Take 66

Take 55,

Take 61

sk179424

PRJ-39899

On Maestro Security Gateway, the asg_hw_utilization and asg_resource tests produce broken output. We recommend installing the latest HCP Take, which includes these tests.

Take 61

Take 55

sk179426

PRJ-39951,

PMTR-74569

A ClusterXL upgrade from Jumbo Hotfix Accumulator R80.30 (or lower) to R81.10 Take 55 is not supported. Use a lower or a higher Take.

Take 61

Take 55

sk174510

PRJ-36616,

PMTR-71442

Login or publish operation constantly fails after restarting the Security Management or Multi-Domain Management Server.

Take 55

Take 45

sk178807

PRJ-38877,

PRHF-23554

Remote Access Office Mode IP allocation may fail when using DHCP.

Take 61

Take 38,

Take 44,

Take 45,

Take 55,

Take 61,

Take 75

sk178767

PRJ-38729

SIP flow may fail under high load when SIP Multi-core feature is enabled.

Take 44

Take 38

PRJ-37850,

PRHF-22617

Hardened the ability to use narrowed IKEv2 tunnels.

Take 38

Take 9,

Take 14,

Take 22,

Take 30

sk166417

PRJ-31291,

PRHF-19707