curiousecurity


Check Point Firewall – Nokia IPSO CST Hanging or Taking Forever?

January 26, 2012 by ryanhorst

Is your Nokia IPSO CST not finishing?
Trying to run a CST on your Nokia, but it seems to be taking forever?

I have had the same issue on various Nokia security appliances running on IPSO 4.2 and older. The problem ended up being a hung process that was spawned by the CST program. It seems that CST calls “fw tab -u -t”, and sometimes it just gets hung up, but it will look to the user like the whole CST process is hung. Here is a sample so you can get a visual:

FIREWALL123[admin]# cst
IPSO 3.7x or later kernel found...
CST version 8-19-04
 
======================= N O T I C E:  VOYAGER LOCKS =======================
On IPSO 3.8.1, please make sure you are logged out of Voyager. CST gathers certain 
information from clish, which may not work when there is a configuration lock in place 
established by an active Voyager session.
========================= E N D   O F   N O T I C E    =========================
 
Continue? [y] y
IPSO-4.2-BUILD029 detected...
Generating IPv4 configuration summary...done
Generating IPv6 configuration summary...done
Gathering cpu utilization data...done
Gathering memory utilization data...done
Gathering interface statistics...done
Gathering standard ipsoinfo data...done
Gathering additional ipso information...
   vrrp data...done
   route data...done
   rip data...done
   ospf data...done
   bgp data...done
   dvmrp data...done
   pim data...done
...done
Gathering system logs...ls: cst-FIREWALL123-01.26.2012-1938/logs/messages*: No such file or directory
...done
Processsing vmcore files...none on this system.....done
Gathering firewall data... Invalid flavour 'general' for product 'vpn'. Use 'cpstat' without any arguments to see supported products and flavours.
 Invalid flavour 'fwz' for product 'vpn'. Use 'cpstat' without any arguments to see supported products and flavours.
...done
Fetching cpinfo... 
cpinfo (I:0110):        Beginning ...
cpinfo (I:0116):        Latest cpinfo build: http://www.checkpoint.com/techsupport/downloadsng/utilities.html#cpinfo

—THIS IS WHERE THE CST PROCESS NORMALLY HANGS—

The CST process performs many operations and collects all kinds of data. One piece of data it grabs is some CP tables, using “fw tab”. Checking on it with “ps aux” shows that “fw tab” just keeps running because of an undisclosed error within “fw tab”, which causes the CST operation to hang. So we need to find the PID of “fw tab” (looking for the long-running one) and use the “kill” command to send it signal 15 (SIGTERM), which terminates the “fw tab” process and allows the CST process to proceed and finish. Open another SSH connection to the firewall and run “ps auxw”. The resulting output will be similar to the sample below:

FIREWALL123[admin]# ps auxw
USER       PID %CPU %MEM   VSZ  RSS    TT  STAT STARTED       TIME COMMAND
root     26287  0.0  0.0   472  228    p1  R+   8:40PM     0:00.01 ps -auxw
root     20046  0.0  0.0     0    0    ??  Z    -          0:00.00  (clishd)
root     14583  0.0  0.0     0    0    ??  Z    -          0:00.00  (clishd)
root     14584  0.0  0.0     0    0    ??  Z    -          0:00.00  (clishd)

---TRUNCATED---

root     26065  0.0  0.2  2572  1816   p3  I+    7:41PM    0:00.05 /opt/CPinfo-10/bin/cpinfo -o cst-FIREWALL123-01.26.2012-1939/cpinfo.v
root     26232  0.0  4.9  45492 51056  p3  I+    7:42PM    0:07.78 /opt/CPsuite-R65/fw1/bin/fw tab -u -f
root     26274  0.0  0.7  4092  7376   p0  Ss+   8:40PM    0:00.17 /bin/clish
root     26281  0.0  0.2  3016  2140   ??  S     8:40PM    0:00.01 /bin/clishd serving 26274
root     26282  0.0  0.0   496  372    p1  Ss    8:40PM    0:00.02 -/bin/csh
root     12735  0.0  0.0     0    0    ??  Z     -         0:00.00  (clishd)
FIREWALL123[admin]# kill -15 26232

To kill the long-running process, identify its PID and execute the “kill PID” command. In our case, we issued “kill 26232”. Once you have killed the PID of “fw tab”, flip back over to your first SSH session; in a minute or so, the CST process will finish up. Again, refer to the sample:

cpinfo (I:0112):        Embedding files ...
cpinfo (I:0120):        Output file  - cst-FIREWALL123-01.26.2012-1938/cpinfo.FIREWALL123.01.26.2012-1938
cpinfo (I:0111):        Done
done
Creating index...done
Creating archive file...done
Searching for system and process core files...done
Fetching routing daemon state...done
Checking for CST update......none found.
done
Compressing final archive...done
Output saved to cst-FIREWALL123-01.26.2012-1938.tar.gz
FIREWALL123[admin]#

Great, now you should have your CST completed!

ps auxw | grep "fw tab -u -f"
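
The PID lookup and SIGTERM step described above, written as a POSIX sh script; this is an added example and not part of the original post. It assumes the "ps auxw" column layout shown in the sample and that /bin/sh is available on the appliance; the function names and the DRY_RUN variable are hypothetical. Unlike a plain grep, it skips zombie entries and the grep process itself, and it refuses to send a signal unless exactly one match is found.

```shell
#!/bin/sh
# Added example: pick the hung "fw tab" PID out of "ps auxw" output.
# Column layout assumed to be the one shown in the sample above:
# USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND...

# Constructed sample: lines copied from the post plus a "grep" line,
# which a plain "ps auxw | grep" would also match.
sample_ps() {
cat <<'EOF'
USER       PID %CPU %MEM   VSZ  RSS    TT  STAT STARTED       TIME COMMAND
root     20046  0.0  0.0     0    0    ??  Z    -          0:00.00  (clishd)
root     26065  0.0  0.2  2572  1816   p3  I+    7:41PM    0:00.05 /opt/CPinfo-10/bin/cpinfo -o cst-FIREWALL123-01.26.2012-1939/cpinfo.v
root     26232  0.0  4.9  45492 51056  p3  I+    7:42PM    0:07.78 /opt/CPsuite-R65/fw1/bin/fw tab -u -f
root     26290  0.0  0.0   472  228    p1  S+    8:41PM    0:00.00 grep fw tab -u -f
EOF
}

# Print "PID STARTED" for each live process whose program is "fw" and
# whose arguments are exactly "tab -u -f". Reads ps output on stdin.
find_fw_tab() {
    awk 'NR > 1 && $8 !~ /^Z/ {
        n = split($11, path, "/")              # basename of the executable
        if (path[n] == "fw" && $12 == "tab" && $13 == "-u" && $14 == "-f" && NF == 14)
            print $2, $9
    }'
}

# Send SIGTERM (signal 15) only when exactly one candidate is found.
# DRY_RUN=1 (the default here) prints the command instead of running it.
term_fw_tab() {
    pids=$(find_fw_tab | awk '{print $1}')
    set -- $pids
    if [ "$#" -ne 1 ]; then
        echo "expected 1 fw tab process, found $#; not sending a signal" >&2
        return 1
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "kill -15 $1"
    else
        kill -15 "$1"
    fi
}

sample_ps | term_fw_tab      # on the appliance: ps auxw | DRY_RUN=0 term_fw_tab
```

Compare the STARTED value it prints with the time the CST run began before switching DRY_RUN off, so that only the “fw tab” spawned by that run is terminated.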
