Maestro R80.30SP Jumbo Hotfix Accumulator
Platform / Model
6000, 7000, 16000, 26000, 28000
Table of Contents:
Resolved Issues per Take
R80.30SP Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues for products running R80.30SP.
This Incremental Hotfix and article will be updated periodically with new fixes.
The list of resolved issues below describes each resolved issue and provides the Take number in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date on which this Take was released appears next to the Take number.
UPDATE: Added configurable protection for blocking brute-force attacks on VPN's SNX portal. Refer to sk180271.
MBS-15065, MBS 14488
All Security Group Members but the SMO may go into the "Down" state after an Anti-Malware policy installation fails. Refer to sk177607.
CPUSE upgrade packages are not available when working in "High Availability over Load Sharing" mode with VPN enabled.
In some scenarios, the sp_upgrade script does not recognize that a Security Gateway is in VSX mode. As a result, the upgrade fails.
In rare scenarios, when you change the number of CoreXL instances in a VS, the procedure fails, and the SMO goes down (SMO failover occurs). Then the modified VS does not run on the SMO.
Rebooting the applicable SGM or executing the "cpstart" command from the applicable VS returns the SMO to the ACTIVE state.
After an upgrade to Jumbo Hotfix Accumulator R80.30SP Take 97 or Take 101, a member may be in the Down state with a "pull_config" pnote.
Take 101 (03 February 2022)
The clock verifier test (clock_verifier -v) does not work.
In the VSLS mode, you cannot configure the Security Group to forward specific inbound connections to the SMO with the "asg_excp_conf" command.
ADLOG stops working during policy installation.
When the user connects more than one cluster to the same network segment (see sk25977), port flapping can occur because two different cluster members have the same correction MAC address.
Changing the VLAN ID of an existing interface might cause a traffic interruption. See sk176929.
Security Group Members may drop internal connections over the sync interface because the kernel table "cluster_members_ips" is empty. See sk176404.
Improved the stability of the Gaia backup functionality in Scalable Platforms.
In some scenarios, link flapping on a Maestro Gateway may cause an unexpected site failover, cluster state flapping on the other Gateways, or packet drops.
In a rare scenario, the CPD process may crash during policy installation. The issue occurs from Take 82 of the R80.30SP Jumbo Hotfix Accumulator.
The Message of the Day (MOTD) is not updated with the results of the "asg diag verify" command when the default shell is gClish (see sk175963).
When the user runs the "reconfigure_snmp_alerts" script with the "/usr/scripts/reconfigure_snmp_alerts" command, the script does not correctly parse authentication passwords that include a ">" character.
The "ip_block" command now supports comments using the "#" character in the feed file and ignores the lines that start with this character.
Take 97 (30 November 2021)
Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 237 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
The R80.30SP Jumbo Hotfix Accumulator supports upgrade to R81.10.
In a Dual Site Maestro environment, traffic is interrupted intermittently when a Domain object is used in the Rule Base.
Multicast traffic may cause high CPU load on all SGMs.
A Security Group might drop traffic (PSL drops) that passes over a Bridge interface when a failover occurs.
Added IPv6 dynamic routing support.
Changes to IPv6 link-local addresses:
By default, all Chassis / Sites in the Security Group will have the same IPv6 link-local address for a given logical interface (previously, each Chassis / Site had its own IPv6 link-local address due to different MAC addresses).
By default, all VLANs on a particular physical interface will have unique IPv6 link-local addresses (previously, each VLAN shared the same IPv6 link-local address as the parent physical interface).
Take 82 (05 September 2021)
Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 317 of the R80.20SP Jumbo Hotfix Accumulator (see sk155832).
Enhancement: The asg perf command calculates memory use differently from CPView. For the most accurate value, refer to the output of the asg perf command.
Using Static NAT for the destination in asymmetric connections may lead to Out of State traffic drops.
In rare scenarios, core dump files are created for the fw_full process.
Take 75 (06 April 2021)
During a gradual Jumbo Hotfix upgrade on a Security Group’s Gateways, LACP bond slaves may get suspended if there are active Gateways in the same Security Group and in the same site with different Jumbo Hotfix versions. The issue may continue until the upgrade completes and all of the Gateways’ Jumbo Hotfix versions are aligned.
Take 73 (07 March 2021)
Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 310 of the R80.20SP Jumbo Hotfix Accumulator (see sk155832).
Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414). Changed the name of the cpdata_collector_sp command to cpdata_collector.
Enhancement: Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems. Configuration in Gaia gClish:
Run: g_all "vsx mstat enable"
Run: g_all "reboot"
Configure SNMP v3 in the VS mode as described in sk90860.
SNMP OIDs - statistics from the specified Virtual System, statistics from each cluster member:
Number of concurrent connections - 22.214.171.124.4.1.26126.96.36.199.30.10.1.*
Physical memory - 188.8.131.52.4.1.26184.108.40.206.40.10.1.*
Packet rate - 220.127.116.11.4.1.2618.104.22.168.80.10.1.*
Throughput - 22.214.171.124.4.1.26126.96.36.199.90.10.1.*
Interface packet rate - 188.8.131.52.4.1.26184.108.40.206.100.10.1.*
Connection rate - 220.127.116.11.4.1.2618.104.22.168.120.10.1.*
Virtual memory - 22.214.171.124.4.1.26126.96.36.199.130.10.1.*
SNMP OIDs - statistics from the specified Virtual System, total statistics from all cluster members:
Total number of concurrent connections - 188.8.131.52.4.1.26184.108.40.206.30.20
Total packet rate - 220.127.116.11.4.1.2618.104.22.168.80.20
Total throughput - 22.214.171.124.4.1.26126.96.36.199.90.20
Total connection rate - 188.8.131.52.4.1.26184.108.40.206.120.20
Enhancement: Ability to configure SNMP Traps in Gaia gClish. For more information and configuration instructions, see sk171394.
Enhancement: Added support for the Threat Extraction Software Blade in VSX mode.
While a Security Group Member reboots, some existing connections can fail on the Security Group. See sk169765.
In a rare scenario, traffic is dropped with the "[ERROR]: up_handle_get_matched_service_clob: no clob list on handle for type SERVICE;" error in dmesg.
Logs generated by Software Blades on Scalable Platforms do not show the Group ID and SGM ID.
A Remote Access client that uses Visitor Mode, or that connects to a Mobile Access Portal, may disconnect several seconds after it connects.
Improved the stability of the VPND process when a "CCCclientRequest" packet is sent.
Commands in Gaia gClish fail with: "CLINFR0739 error in command execution; see /var/log/messages".
The /var/log/messages file shows: "clish[<PID>]: timeout on read from all remote nodes; connections lost".
Refer to sk170301.
Improved the stability of IP Pool NAT.
Added full support for VSX Virtual Switches.
Important Note: If you created Virtual Switches in R80.30SP with the R80.30SP Jumbo Hotfix Accumulator Take 56 or Take 49, you must install a special hotfix before you install the R80.30SP Jumbo Hotfix Accumulator Take 73 or higher. Refer to sk171917.
In rare cases, a Security Group member can crash (with the message "Entering kdb") during the installation of the R80.30SP Jumbo Hotfix Accumulator.
After a Security Group Member reboot, the output of the "asg monitor" command shows its state as "Detached". See sk169764.
Improved Security Gateway operation under a high rate of new connections per second.
Improved access to kernel global tables to prevent lock contention.
Enabled configuration of more than one CPU core for the MDPS Management plane.
Resolved an issue where a policy installation overrides the MDPS resource configuration. For more information about Management Data Plane Separation (MDPS), see sk138672.
Fetching packet capture from a violation log in SmartConsole fails with the error "Failed at getting the incident file from the gateway".
The configuration of Rate Limiting for DoS mitigation in SecureXL (the $FWDIR/conf/fwaccel_dos_rate_on_install script) is not synchronized between Security Group Members.
The /var/log/send_alert* files repeatedly show this message for different interfaces: "Site <X> eth<X>-<XX> link is up".
Gaia users other than the 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell '/bin/bash' and the 'admin' role are configured.
VPN IKE packets are forwarded to a Security Group member even after its state changes to "Down".
The output of the "show smo verifiers" command shows that the "ARP Consistency" test fails. This issue was caused by an unused padding in the kernel table 'arp_table'.
These Gaia gClish commands do not take effect on all Security Group Members:
set user <username> password-hash
set user <username> force-password-change
Added support for the Management Data Plane Separation (MDPS). See sk138672.
If the IPSec Software Blade is disabled, this message appears repeatedly in the /var/log/messages file (refer to sk170852): "fwhandle_get(fwvpn.c:4288): Table kbufs - Invalid handle XXX (bad pool)".
Added support for secondary IPv4 addresses (aliases) on the data ports of a Security Group (Maestro and Scalable Platforms). See sk167073. Note: This does not apply to VSX mode.
The FWD process stops working randomly on Security Group Members on Scalable Chassis and Maestro (for more information and configuration instructions, see sk168692).
Added support for the SNMP sysOID .220.127.116.11.18.104.22.168.0 for Maestro Orchestrators.
Added support for ISP Redundancy.
Added support for Policy-Based Routing (PBR) in VSX mode.
Static routes with the "ping" option enabled (to ping the next hop gateways) do not appear on some Security Group Members.
Take 56 (26 January 2021)
Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 226 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
Improved stability of the FWK daemon.
Improved stability of the QoS Software Blade when an interface goes down and up.
Output of the asg diag command shows that the "License" test fails because of the IPS license.
Output of the asg_license_verifier command shows "ERROR: No license for 'IPS-1' [mandatory feature 'ips']".
After adding a slave interface to a Bond interface, the output of the asg diag command shows that the "Distribution Mode" test failed because of an issue with the slave interface.
The output of the asg_dr_verifier command contains the line "cat: /proc/self/vrf: No such file or directory". Refer to sk171073.
Output of the asg monitor command shows that the state of the SMO Security Group Member is "Down".
Output of the cphaprob list command shows that the Critical Device "Pull_config" reports its state as "problem".
The $FWDIR/log/fwd.elg file on the SMO contains this message repeatedly: "fwauthd_init: got known service port XXX ... choosing another one".
Output of the asg monitor command shows that the state of a Security Group Member is "DOWN".
Output of the cphaprob list command shows that the Critical Device "Policy" reports its state as "problem" on the Security Group Member.
Output of the asg_policy verify -a command shows "Failed" in the "Status" column for the Security Group Member.
Output of the asg_policy verify -a command shows "Policy date is lower than max policy date" in the "Summary" section for the Security Group Member.
A memory leak may occur in VPN and CPAS configurations. This fix is relevant to Gaia 3.10 only.
Half-closed accelerated TCP connections may take too long to expire.
In certain scenarios, the memory allocated for fragment correction is not freed after the kernel sends the packet.
The output of the "ps -aef | grep [d]efunc" command shows multiple zombie processes "[sh] <defunct>". The issue occurs after a reboot or policy installation.
Connections may be matched incorrectly against Domain or Updatable objects used in the Security Policy.
Gaia scheduled backup fails to run. The /var/log/messages file contains the error "scheduled_backup: SGM isn't SMO, skipping scheduled backup".
Take 49 (26 October 2020)
If only one CPU core runs as a CoreXL SND on Security Group Members, these cosmetic issues can occur:
Output of the asg_perf command is empty.
Output of the cores_verifier command shows "Error: unable to obtain value from smodb".
Output of the cores_verifier command shows "Error: BPEth0 doesn't exist in /proc/interrupts".
Output of the asg monitor -v command shows "0 / 0" in the "Bond" unit. The cluster does not monitor the bond interfaces as part of the site grade.
Mobile Access fails to start on all Security Group Members after the installation of the R80.30SP Jumbo Hotfix Accumulator Take 45.
Take 45 (02 October 2020)
Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 215 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 295 of the R80.20SP Jumbo Hotfix Accumulator (see sk155832).
Take 32 (07 April 2020)
Take 32 of the R80.30SP Jumbo Hotfix Accumulator blocks its installation on top of an R80.30SP Take 41 or higher image (because all of these fixes are already integrated there).
Take 31 (10 March 2020) (Take 31 was replaced with Take 32.)
After a snapshot was reverted on a member, the output of the asg diag command may show "Policy signature doesn't match on all SGMs".
Connections may fail if their packets need to be forwarded internally more than once.
Output of the asg perf command may show an incorrect number of CPU cores that run as CoreXL SND.
Configuration actions may fail in the Gaia Portal of a Maestro Security Group.
Memory leak in the sgm_pmd process.
Improved recovery for traffic distribution if there were communication issues between Security Appliances and Orchestrators.
External interface of a VSX Virtual Switch is not monitored by the VSX cluster. As a result, cluster failover does not occur if there are issues with that interface.
In VSX mode, packets that arrive on a wrp interface are not forwarded correctly to other members.
VPN tunnel over NAT-T with a DAIP peer might not work when Layer 4 distribution is enabled.