reason TCP connectivity failure 18191

Ercola

Technical User
Oct 1, 2003
2
FR
Hi,

On a CheckPoint FW-1 NG AI, when I try to install the policy to the FW-1 module, this error appears in the Installation process window: "Reason TCP connectivity failure 18919 error 10".
The firewall is still working but it's impossible to install a new policy. I found a way to resolve it but it's not very good: restart the firewall...
I haven't found any documentation about this on the Check Point web site. Does anyone know this problem?
 
Hi,

We have the same problem. Do you have any solution for this problem yet?
Could you contact me?

Thank you very much.

It is very urgent.

Greetings

thomas p
 
Hi,

I got this from the support site:

Symptoms:

Unable to successfully install security policy on firewall modules.
Error messages are displayed in the Policy Install window during the security policy install.
Error: "TCP connectivity failure on port 18191"
Error: "SmartCenter server aborted connection with peer due to timeout = 300,000 (ms) pot 18191"


Solution

In order to correct the anti-spoofing settings for a particular interface, proceed with the following:

On the SmartDashboard
1. Select Manage > Network Objects
2. In the Network Objects manager, select the firewall module network object from the network objects list
3. Click on Edit
4. In the Check Point Gateway dialog box, select the Topology branch from the left pane
5. In the Topology page, select the appropriate internal interface from the interfaces list
6. Click on Edit
7. In the Interface Properties dialog box, select the Topology tab
8. In the Topology tab, verify that the "Internal (leads to the local network)" option is selected
9. Verify that the "Specific" option is selected in the "IP Addresses behind this interface" section
10. Select the correct network object or group object representing all of the subnets behind this internal interface from the "Specific" drop down list
11. Click on OK in the Interface Properties dialog box
12. Click on OK in the Check Point Gateway dialog box
13. Click on Close in the Network Objects dialog box
14. Reinstall the security policy

Good luck
Lou
 
I ran into this as well. The basic issue is that your management station can't talk to the enforcement points. Reinstalling the policy would be fine, except you can't - that's what the error is about. ;)
In my case I wound up calling in a guru as I am new to NG and his take was that generally what has happened is one of the following:
1 - rulebase has gotten corrupt somehow
2 - you made a rulebase change that prevented any further contact from the mgt station.

I can't find my notes on the exact syntax... but the basic idea is this: on the enforcement point you enter something like "fw unload local" to have it release the policy. Prior to doing this though, go into your log viewer (SmartView Tracker), click the "audit" tab and look at the last few changes to the rulebase. See if you can figure out what you did (if anything). Note the revision # of that rulebase which is prior to the change. Go to the policy editor and under the FILE menu is "Database Revision Control". Find the version # you want to restore (one prior to your issue!), select it and then select "restore version". Don't push this one until you have unloaded the current policy in effect, but be ready to do it quickly as once you unload the current policy your enforcement point may become a router (depending on your other settings).
Hope this helps!
- Joe
 
I found the solution on another web site (phoneboy).
In NG AI, there's a problem with the backup program. It correctly stops the Check Point services but can't restart the CPD service. If CPD is not started, it's impossible to install policy.
Solution:
-Go into expert mode (under SecurePlatform)
-Stop all SmartClient sessions
-Modify the /bin/backup_start file (change its attribute to RW)
-Find the line:
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin start" >> ${backup_log_file} 2>&1
-Modify it as follows:
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd" >> ${backup_log_file} 2>&1
-Modify the /bin/backup_start file's attribute (RO)
-Make a backup with the backup command and verify that the CPD process is running.

Enjoy.
Ercola (FR)
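
An added example, not part of the original post and not Check Point code: a shell check for the CPD restart line described above, which also writes the corrected line to a copy so the change can be reviewed with diff before the real file is touched. The function names and the sample file are constructed for illustration; only the two cpwd_admin lines come from the post.

```shell
#!/bin/sh
# Added example: audit a backup_start-style script for the CPD restart line.
# Function names are hypothetical; the sample file below is constructed.

# Write a constructed sample containing the original (broken) line.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not the real /bin/backup_start
# ... other lines of the script ...
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin start" >> ${backup_log_file} 2>&1
EOF
}

# Print broken, fixed, unknown or missing for the CPD restart line in file $1.
cpd_line_state() {
    line=$(grep -v '^[[:space:]]*#' "$1" |
        grep -E 'cpwd_admin[[:space:]]+start[[:space:]]+-name[[:space:]]+CPD' | head -n 1)
    [ -n "$line" ] || { echo missing; return 0; }
    case $line in
        *'-command "cpd_admin start"'*) echo broken ;;
        *'-command "cpd"'*)             echo fixed ;;
        *)                              echo unknown ;;
    esac
}

# Write a corrected copy of $1 to $2; the original file is left untouched.
fix_cpd_line() {
    sed -e '/cpwd_admin start -name CPD/{' \
        -e 's|/bin/cpd_admin"|/bin/cpd"|' \
        -e 's|-command "cpd_admin start"|-command "cpd"|' \
        -e '}' "$1" > "$2"
}

# Demo on the constructed sample in a temporary directory.
tmp=$(mktemp -d)
make_sample "$tmp/backup_start"
echo "before: $(cpd_line_state "$tmp/backup_start")"
fix_cpd_line "$tmp/backup_start" "$tmp/backup_start.new"
echo "after:  $(cpd_line_state "$tmp/backup_start.new")"
diff "$tmp/backup_start" "$tmp/backup_start.new" || true
rm -rf "$tmp"
```

On the gateway itself, `cpwd_admin list` shows whether CPD is running after the backup completes.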
 