Important Notes for R81.20 Jumbo Hotfix Accumulator

Issue Resolved in Affected Takes

SK

Reference

In Maestro and Chassis environment, a boot loop may occur and after several boot attempts, the cluster member state is displayed as "detached" or "lost" in these scenarios:

  • After downgrading from R81.20 Jumbo Hotfix Accumulator Take 89 or higher to Take 14 or below.

  • After downgrading from R81.20 Jumbo Hotfix Accumulator Take 89 or higher to the GA (General Availability) version.

To prevent this issue:

  • Install R81.20 Jumbo Hotfix Accumulator Take 89 or higher only if you already installed Take 24 or higher.

If you experience the issue, contact Check Point Support for assistance.

Take 89

The latest policy may fail to load upon reboot and the default filter policy is loaded instead, in these scenarios:

  • After downgrading from R81.20 Jumbo Hotfix Accumulator Take 89 or higher to Take 14 or below.

  • After downgrading from R81.20 Jumbo Hotfix Accumulator Take 89 or higher to the GA (General Availability) version.

To resolve this issue:

  1. Navigate to your last Access Policy.

  2. Right-click the Gateway object.

  3. Select "Do not install policy acceleration".

  4. Perform a full access policy installation.

Take 89

In some scenarios, outdated firmware versions on Mellanox cards may conflict with a newer interface driver software. This can potentially lead to system downtime.

Starting from Take 38

sk182403

The Multi-Version Cluster feature is enabled by default to prevent traffic loss after a failover from a cluster member running a lower Jumbo Hotfix version.

Take 14

PRJ-44444

If the Multi-Version Cluster feature is disabled, cluster members running R81.20 GA or R81.20 with Jumbo Hotfix Accumulator Take 8 / Take 10 cannot synchronize with members upgraded to Take 14 and higher.

Take 8,

Take 10,

Take 14

PRJ-44444

After a Jumbo Hotfix upgrade, the Mail Transfer Agent may fail on all Virtual Systems except one.

Starting from Take 54

PRJ-57058

The Security Gateway may drop the traffic on specific interfaces when both the QoS blade and the ISP Redundancy Load Sharing feature are simultaneously enabled.

Take 90

Take 79,

Take 84,

Take 89

sk182807

PRJ-58078

After an upgrade on the first member of VSX Cluster with VLANs, the member state may become unstable. Although this is a cosmetic issue and does not impact traffic flow or failover functionality, we recommend to follow the steps from sk182819 in order to proceed with the installation.

Take 90

Take 89

sk182819

PRJ-58112

In a Maestro environment with the "vpn_sync_to_all" parameter enabled, connection going through a Site to Site VPN to a remote location, may be dropped with "First packet isn't SYN".

Take 89

Starting from Take 70

PRJ-57426

Memory leak may occur in SecureXL templates.

Take 89

Starting from Take 70

sk182648

PRJ-57108

In some scenarios, the FWM process may unexpectedly exit and generate a core dump every few days, when the Compliance Blade is enabled and the scheduled full scan is not configured according to sk182507.

Take 84

Take 76,

Take 79

PRJ-56858

The FWM process may exit shortly after startup if the Compliance blade is enabled and scheduled to perform nightly scans.

Take 76

Take 70

sk182507

PRJ-56150

Security Gateway running in SecureXL User Mode (UPPAK) may crash during driver removal showing "m_free: mbuf doublefree" in the backtrace.

Take 76

Take 70

PRJ-55953

• On Quantum Maestro/Chassis or in ClusterXL, the Security Gateway may crash while processing a VPN/correction flow with a vmcore in /var/log/crash or FWK core in /var/log/dump/usermode/.

• The "kernel: xxxxx: tx_timeout" error is printed in /var/log/messages.

• PSL drops packets with "PSL Drop: psl_build_pslip failed” message, potentially impacting network performance and streaming capabilities.

Take 70

Starting from Take 14

sk182463

PRJ-55518

SSL Network Extender (SNX) may encounter connectivity issues after installing Jumbo Hotfix Accumulator.

Take 70

Take 41,

Take 43,

Take 45,

Take 53,

Take 54,

Take 65

sk181805

PRJ-52048

Wrong interface names on the 9400 appliance after installing R81.20 Jumbo Hotfix Accumulator Take 54.

Take 65

Take 54

sk182265

PRJ-54482

During an upgrade from R80.40 to R81.20 in a cluster environment, connectivity to the new member may be lost.

Take 65

Take 43,

Take 45,

Take 53,

Take 54

PRJ-54611

R81.20 Jumbo Hotfix Accumulator Take 43 (or higher) installation fails on the Endpoint Security Management Server with "Internal error in a hook script".

Take 65

Take 43,

Take 45,

Take 53,

Take 54

sk182210

PRJ-53184

VPN IKEv2 negotiation with a third-party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS, by default, offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log.

Take 53

Take 43,

Take 45

PRJ-53367

The Security Gateway with 40 cores fails to boot in Kernel Mode Firewall.

Take 53

Take 43,

Take 45

sk181989

PRJ-52910

In a VSX environment, LACP Bond traffic may fail with the "incomplete ARP" error.

Take 53

Take 43,

Take 45

PRJ-52984

Security Gateway with Anti-Virus enabled may sporadically crash because of memory corruption.

Take 53

Take 43,

Take 45

PRJ-53592

The CXLD process may consume the CPU at 70%-100% on VSX cluster members.

Take 45

Take 43

sk181891

PRJ-52492

When in the NAT Rule Base there are domain objects with uppercase letters, the NAT rules may not be matched.

Take 45

Take 43

sk167194

PRJ-52559

AWS CloudGuard Security Gateway boots into "Sh-4.4" shell after in-place upgrade to the R81.20 with Jumbo Hotfix Accumulator.

Take 54

Take 38,

Take 41,

Take 43,

Take 45,

Take 53

sk182112

PRJ-53729

Sizing of IP ranges in NSgroups may affect CPU and memory usage of the CloudGuard Controller process and cause a high load on the environment.

Take 41

Take 26

sk181614

PRJ-50418

After an upgrade, CloudGuard Central Licenses may be removed from the CloudGuard Central License pool on the Security Management and from the Security Gateways.

For customers who use CloudGuard Central license utility, we recommend to upgrade directly to Take 38. If you upgrade to Take 26 and then to Take 38, the procedure in sk181500 is mandatory.

Take 38

Take 26

sk181500

PRJ-49933

When BGP local address is configured, BGP peer may fail to establish.

Take 38

Take 26

PRJ-49906

In the read-only mode in SmartConsole, the "Where used failed" error appears when you right-click an object in the security policy and select "Where Used" from the drop-down menu or use the "where-used" Management API command.

Take 38

Take 26

sk181471

PRJ-49205

IPv6 connections do not survive failover. Cluster members running R81.20 or R81.20 with Jumbo Hotfix Accumulator Take 8 / Take 10 cannot synchronize IPv6 data with members upgraded to Take 14 and Take 24.

Take 26

Take 8,

Take 10,

Take 14,

Take 24

PRJ-46224

When the target object name is long and contains underscore or dash characters, policy installation may fail with "Target is not defined in the database".

  • Note that the issue is more likely to occur when using Cloud Management Extension (CME), which automatically adds underscore and dash characters to the target names when creating a scale-set instance.

Take 24

Take 8,

Take 10,

Take 14

PRJ-47103

After installing R81.20 Jumbo Hotfix Accumulator Take 8 on Maestro Security Group Members (SGMs), they may reboot several times and stay in Down state with a "Configuration" pnote. This issue occurs on Maestro SGMs with Identity Awareness enabled and SGMs configured to learn Identities from remote PDPs.

Take 10

Take 8

sk180862

PRJ-45903