No VPN for you sir! – Faulty vpnd in R75.47 official gaia iso?

Hello,

Am I the only one with problems when it comes to installing the most “stable”/recent Checkpoint GAIA release (R75.47)?

Last month I got a cluster of 4800 series appliances and downloaded the official GAIA R75.47 ISO from checkpoint.com and verified the md5 checksum (loads of times by now!).

After I installed the appliances without any problems I continued to configure everything and add the Cluster to our SmartDashboard.

But when I wanted to apply the licenses from the Usercenter via SmartUpdate I got an error telling me the Appliances were out of disk space. Imagine how pleased I was when I verified that the Appliances were actually at 100% disk usage for the /var partition.

As I used “du” to find the source of the disk usage I eventually found thousands of vpnd coredumps (vpnd.XXXX.core, where XXXX is the PID I guess) on the /var partition under /var/log/dump/usermode.

A tail on $FWDIR/vpnd.elg then showed me that the vpnd was constantly crashing and dumping its memory. At least twice a second!
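The triage described above (disk full, thousands of `vpnd.<PID>.core` files under `/var/log/dump/usermode`), plus the md5 comparison of the installed vpnd suggested in the comments, as an added shell example that is not part of the original post. The core-dump directory is the one the post names; `$FWDIR/bin/vpnd` as the binary location and the script name `vpnd_triage.sh` are assumptions, and the reference md5 is one you supply yourself (for example from the vpnd on your installation media). Note that checking the ISO's md5 against the vendor page only proves you downloaded what they published, not that the binary inside works.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers to triage a Gaia box
# whose /var is being filled by vpnd core dumps. Paths are those named in
# the post; the location of the vpnd binary ($FWDIR/bin/vpnd) is assumed.

DUMP_DIR="${DUMP_DIR:-/var/log/dump/usermode}"   # where Gaia writes user-mode cores

# count_vpnd_cores DIR -> number of vpnd.<PID>.core files in DIR
count_vpnd_cores() {
    n=0
    for f in "$1"/vpnd.*.core; do
        [ -e "$f" ] || continue        # an unmatched glob stays literal; skip it
        n=$((n + 1))
    done
    echo "$n"
}

# recent_vpnd_cores DIR MINUTES -> cores written in the last MINUTES minutes.
# A large number here means vpnd is still crash-looping, not just a stale pile.
recent_vpnd_cores() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -maxdepth 1 -name 'vpnd.*.core' -mmin "-$2" | wc -l | tr -d ' '
}

# usage_pct MOUNTPOINT -> percentage of the filesystem in use, as an integer
usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# md5_matches FILE EXPECTED_MD5 -> exit 0 if FILE's md5 equals EXPECTED_MD5.
# Use it to compare the running vpnd against the one on the install media
# (or against the patched binary support sent you).
md5_matches() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# triage DIR -> one-screen summary of the symptom
triage() {
    dir="$1"
    echo "/var usage:             $(usage_pct /var)%"
    echo "vpnd cores in $dir: $(count_vpnd_cores "$dir")"
    echo "written in last 10 min: $(recent_vpnd_cores "$dir" 10)"
    echo "space used by cores:    $(du -sk "$dir" 2>/dev/null | cut -f1) KiB"
    if [ -n "${FWDIR:-}" ] && [ -n "${VPND_REF_MD5:-}" ]; then
        if md5_matches "$FWDIR/bin/vpnd" "$VPND_REF_MD5"; then
            echo "vpnd binary:            matches reference md5"
        else
            echo "vpnd binary:            DIFFERS from reference md5"
        fi
    fi
}

# Only run the report when invoked under the assumed script name, so the
# functions can also be sourced from an interactive shell.
case "${0##*/}" in
    vpnd_triage.sh) triage "$DUMP_DIR" ;;
esac
```

Save it as `vpnd_triage.sh` and run it on the appliance; set `VPND_REF_MD5` to the md5 of a known-good vpnd to have the report also tell you whether the installed binary is the one you expect. A non-zero "written in last 10 min" while the tunnels are supposed to be up is the crash loop the post describes; a pile of old cores with nothing recent is leftover from a crash that has since been patched.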

And this was for the soon to be “main vpn firewall”….

After a Support case with Checkpoint I got a “patched” vpnd binary to exchange in my binary folder and the answer that this is not needed for every installation of R75.47 but rather was a special case for this setup.

After I exchanged the vpnd binary and put the cluster into production we had one major incident where all our VPN tunnels went down and stayed down until we rebooted the active cluster member. All tunnels came up as soon as the secondary cluster member became active. When the primary cluster member rebooted it became master again and all VPN tunnels continued to run. This was 2 weeks ago and everything has been running stable since then.

Different cluster same luck

This week I was installing a second 4800 cluster with the same ISO and got the exact same issue. Funny thing is that the policy I pushed to this cluster does not even have a single VPN tunnel configured.

So it seems to me that the most recent, most stable and suggested version for installation has a faulty vpnd binary packed inside the ISO download.

I just verified that, as of the day I am writing this (Oct 16, 2013), the same download is still on the Checkpoint homepage:

Local download:
(screenshot: localmd5)

Checkpoint Download Center:
(screenshot: cpdownload)

So my assumption is that this happens at least on all 4800 series appliances but more likely on all 2012 series appliances if not with any Gaia R75.47 installation.

And if this is the case Checkpoint's QA seems to be screwed up!

Am I the only person with this issue in R75.47? Are there any R75.47 installations out there that did not run into this exact issue?

If so feel free to leave a comment and state the platform you installed it on.

Regards
Sebastian

This entry was posted in Checkpoint.

4 Responses to No VPN for you sir! – Faulty vpnd in R75.47 official gaia iso?

  1. Haybesret says:

    Hi, seems typical of Checkpoint.
    What was the special case you mentioned from Checkpoint's support?
    I am going to upgrade my 4200 in two weeks.
    Did you consider upgrading to the latest 77.10?
    Thanks,

    • SebastianB says:

      Hi,

      the VPN Daemon is running rock solid since we applied the patch so we are sticking with R75.47 now.

      With “special case” I was referring to the fact that Checkpoint support said the patch was specifically needed for my environment and should not be needed for every setup…

      Regards
      Sebastian

  2. Johnathan says:

    I am running R75.47 on Appliance 2200 without any issues. I wonder if the vpnd patch was included in the R75.47 jumbo hotfix package; however, we ran for quite some time without it also.

    • SebastianB says:

      Hey,

      are you terminating VPNs on that box?

      Also if you have applied a jumbo hotfix it is very likely this patched the vpnd binary.

      You can extract the vpnd binary from your installation media and compare the md5 to your current one.

      Also compare the md5 of your installation ISO to the one in my post. I heard that Checkpoint even switches ISOs without warning (not sure about this though).

      Regards
      Sebastian
