RS_Daniel
Advisor

SD-WAN Failed to enforce new policy

Hello CheckMates,

We are running a PoC in a customer environment for Quantum SD-WAN. We are testing WAN connectivity between a central 5600 cluster (R81.20 Jumbo Take 24) and a branch cluster with 2 x SMB 1600 gateways on version R81.10.08. All the enrollment went OK, but at some point the SMB cluster stopped updating the SD-WAN policy. We get this error in /var/log/nano_agent/cp-nano-sdwan.dbg:

Failed to load gateway database: Got error running cpsdwan command /opt/fw1/bin/cpsdwan get_data Failed to enforce new policy.(Return code: 5).

I have tried reinstalling the nano agent, fetching the new SD-WAN policy manually and upgrading the gateways (before, they were on version R81.10.07), but no luck. sk181147 suggests contacting TAC, but this is a PoC, so there is no valid SD-WAN license right now. Any hint on how to fix this? Management is running R81.20 Jumbo Take 24. Thanks in advance.

Regards

Accepted Solution
AmirArama
Employee
Issue was due to SMC topology misconfiguration. 
Issue solved.

7 Replies
orlib
Employee

Hi,

Please see about reestablishing SIC as is suggested below...

[attachment: SIC.png]

Thanks. O
orlib
Employee

Hi,

It seems I responded with image, but this needs approval, so in any case...

This may mean that the connection between the Mgmt. and the GW is not properly initialized, as perhaps something was done along the way. Please check the SIC status, and in case SIC is not working properly, see about resetting the SIC in the SMC and installing policy, and see if this resolves the issue.

You should also see in the Infinity Portal Events, the reason for the policy failure, and a suggested remediation for this. 

Please let us know if this helps. Thanks 🙂

RS_Daniel
Advisor

Hello @orlib ,

Thanks for the suggestion. As you said, the Infinity Portal showed the recommendation "Reset the Security Gateway SIC via the SmartConsole management UI, and install Policy to apply the changes. If the issue persists, contact Check Point Support." But SIC was working OK and we are able to push policy without problems. I tried resetting SIC on the standby member to test, and after resetting SIC the SD-WAN policy is still on version 11 (the current version is 14). I also tried cpsdwan fetch_new; it ends with a success message, but the policy version is still 11.

[Expert@hostname02]# cpsdwan fetch_new
Fetch new policy succeeded
[Expert@hostname02]# cpsdwan stat
SD-WAN Policy Status:
Policy Version: 11
SD-WAN Policy ID: 1692836744
SD-WAN Steering Policy ID: 7270678452947124226 (2)
Policy Installation Date and Time: 05/10/2023 08:37:49.657
[Expert@hostname02]#

It is strange that it worked OK until version 11; something happened after that, but I can't imagine what.
AmirArama
Employee

Could you please share the output of cpnano -s
and the content of the following file:
cat /etc/cp/conf/orchestration/orchestration.policy
RS_Daniel
Advisor

Hello @AmirArama,

Output of those two commands below:

[Expert@hostname01]# cpnano -s
---- Check Point Nano Agent ----
Version: 1.2338.677606
Status: Running
Last update attempt: 2023-10-05T10:16:24.934415
Last update status: Succeeded
Last update: 2023-10-05T10:16:25.003476
Last manifest update: 2023-10-04T14:05:13.718521
Policy version:
Last policy update: 2023-10-05T10:16:25.003566
Last settings update: 2023-10-04T14:03:56.617593
Upgrade mode: automatic
Fog address: https://inext-agents-us.cloud.ngen.checkpoint.com
Registration status: Succeeded
Registration details:
Name: hostname01
Type: Quantum
Platform: smb_thx_v3
Architecture: aarch64
Agent ID: 97a53f35-20a6-4f00-be0f-5a17e0a32500
Profile ID: dcc34cf1-aad7-2a9a-d258-23b43342580f
Tenant ID: e9b926cc-e662-4853-8909-4b9322282c24
Manifest status: Succeeded
Service policy:
registration-data: /etc/cp/conf/registration-data/registration-data.policy
sdwan: /etc/cp/conf/sdwan/sdwan.policy
versions: /etc/cp/conf/versions/versions.policy
Service settings:

---- Check Point Orchestration Nano Service ----
Type: Public, Version: 1.2338.677606, Created at: 2023-09-18T13:49:18+0300
Status: Running

---- Check Point SD-WAN Nano Service ----
Type: Public, Version: 1.2338.677606, Created at: 2023-09-18T13:49:18+0300
Status: Running

---- Check Point SD-WAN Logger Nano Service ----
Type: Public, Version: 1.2338.677606, Created at: 2023-09-18T13:49:18+0300
Status: Running

---- Check Point Cpview Metric Provider Nano Service ----
Type: Public, Version: 1.2338.677606, Created at: 2023-09-18T13:49:18+0300
Status: Running

+--------------------------------------+--------------------------------+---------+
| ID | Name | Version |
+--------------------------------------+--------------------------------+---------+
| | | v |
+--------------------------------------+--------------------------------+---------+
[Expert@hostname01]#

[Expert@hostname01]# cat /etc/cp/conf/orchestration/orchestration.policy
{"fog-address":"https://inext-agents-us.cloud.ngen.checkpoint.com","pulling-interval":30,"error-pulling-interval":30}
[Expert@hostname01]#

Thanks!

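The outputs posted above (cpsdwan stat, cpnano -s, the cp-nano-sdwan.dbg error line) are what a practitioner reads by hand when the SD-WAN policy stops moving. The script below is an added example, not code from the thread or from Check Point: it parses those outputs offline and separates the two cases the thread distinguishes, an agent that is itself unhealthy (registration or a nano service not running, which points at the agent/fog side) versus a healthy agent whose installed policy version lags what the portal publishes (which points upstream at management, SIC or topology, where this thread's root cause was eventually found). The sample outputs are constructed from the post with the agent, profile and tenant IDs removed; the expected version 14 comes from the poster's statement that the current policy is version 14. Run it in Expert mode by feeding it the real command output instead of the samples.

```shell
#!/bin/sh
# Added example (not from the thread): offline triage of SD-WAN nano agent
# state on a Check Point gateway. Sample outputs are constructed from the
# thread; on a real gateway replace them with "$(cpsdwan stat)" and
# "$(cpnano -s)".

SAMPLE_STAT='SD-WAN Policy Status:
Policy Version: 11
SD-WAN Policy ID: 1692836744
SD-WAN Steering Policy ID: 7270678452947124226 (2)
Policy Installation Date and Time: 05/10/2023 08:37:49.657'

SAMPLE_CPNANO='---- Check Point Nano Agent ----
Version: 1.2338.677606
Status: Running
Last update status: Succeeded
Policy version:
Fog address: https://inext-agents-us.cloud.ngen.checkpoint.com
Registration status: Succeeded
Manifest status: Succeeded

---- Check Point Orchestration Nano Service ----
Status: Running

---- Check Point SD-WAN Nano Service ----
Status: Running'

SAMPLE_DBG='Failed to load gateway database: Got error running cpsdwan command /opt/fw1/bin/cpsdwan get_data Failed to enforce new policy.(Return code: 5).'

# "Policy Version: N" from cpsdwan stat output; prints nothing if absent.
stat_policy_version() {
    printf '%s\n' "$1" | awk -F': *' '/^Policy Version:/ { print $2; exit }'
}

# Value of a "Field name: value" line in cpnano -s output. Matching on the
# full field prefix keeps URLs containing ':' (the fog address) intact.
cpnano_field() {   # $1 = cpnano -s output, $2 = field name without the colon
    printf '%s\n' "$1" | awk -v f="$2" \
        'index($0, f ":") == 1 { sub(/^[^:]*: */, ""); print; exit }'
}

# Number of "---- ... Nano Service ----" sections whose Status is not Running.
cpnano_services_not_running() {
    printf '%s\n' "$1" | awk '
        /^---- .* Nano Service ----$/ { in_service = 1; next }
        in_service && /^Status:/ { if ($2 != "Running") n++; in_service = 0 }
        END { print n + 0 }'
}

# Numeric return code from the cp-nano-sdwan.dbg error line.
dbg_return_code() {
    printf '%s\n' "$1" | sed -n 's/.*(Return code: \([0-9]*\)).*/\1/p'
}

# Succeeds only when the installed version equals the version the portal shows.
policy_is_current() {   # $1 = installed version, $2 = expected version
    [ -n "$1" ] && [ "$1" -eq "$2" ]
}

# "agent": fix registration/services first.  "management": the agent is fine
# but the policy lags, so look at SIC, topology and policy installation.
triage_verdict() {   # $1 = cpnano -s output, $2 = installed, $3 = expected
    if [ "$(cpnano_field "$1" "Registration status")" != "Succeeded" ] ||
       [ "$(cpnano_services_not_running "$1")" -ne 0 ]; then
        echo "agent"
    elif policy_is_current "$2" "$3"; then
        echo "ok"
    else
        echo "management"
    fi
}

installed=$(stat_policy_version "$SAMPLE_STAT")
echo "installed SD-WAN policy version: ${installed:-none}"
echo "fog address: $(cpnano_field "$SAMPLE_CPNANO" "Fog address")"
echo "cpsdwan get_data return code in dbg: $(dbg_return_code "$SAMPLE_DBG")"
echo "verdict: $(triage_verdict "$SAMPLE_CPNANO" "$installed" 14)"
```

On the thread's data the verdict is "management": registration succeeded, every nano service is running, yet version 11 is installed while 14 is published, which is consistent with the accepted answer locating the fault in the management-side topology rather than in the agent.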
AmirArama
Employee

Thanks,

I would like to take a look and investigate it.

Please send me an email to: amirar@checkpoint.com
