VPND daemon crashes after installing R77.30 Jumbo Hotfix Accumulator over R77.30 Recommended Hotfix #5
Symptoms
  • VPND daemon crashes after installing R77.30 Jumbo Hotfix Accumulator over R77.30 Recommended Hotfix #5.

  • The $FWDIR/log/vpnd.elg file shows that the VPND daemon is constantly restarting.

    Example:

    [vpnd <PID1> ...]@HostName[Date Time] ------------ VPND Starting: Fri Apr 29 11:55:25 2016
    
    [ <PID1>][Date Time][] UDPProtocol::SetSocketOpt: SOL_RCVBUF set to 9242880
    [ <PID1>][Date Time][] UDPProtocol::SetSocketOpt: SOL_RCVBUF set to 9242880
    [vpnd <PID2> ...]@HostName[Date Time] vpnd: Fri Apr 29 11:55:34 2016
    
    [vpnd <PID2> ...]@HostName[Date Time] ------------ VPND Starting: Fri Apr 29 11:55:34 2016
    
    [ <PID2>][Date Time][] UDPProtocol::SetSocketOpt: SOL_RCVBUF set to 9242880
    [ <PID2>][Date Time][] UDPProtocol::SetSocketOpt: SOL_RCVBUF set to 9242880
    [vpnd <PID3> ...]@HostName[Date Time] vpnd: Fri Apr 29 11:55:43 2016
    
    [vpnd <PID3> ...]@HostName[Date Time] ------------ VPND Starting: Fri Apr 29 11:55:43 2016
    
    [ <PID3>][Date Time][] UDPProtocol::SetSocketOpt: SOL_RCVBUF set to 9242880
    [ <PID3>][Date Time][] UDPProtocol::SetSocketOpt: SOL_RCVBUF set to 9242880
    ...
    
  • Output of the ls -l $FWDIR/bin/vpn* command shows that VPND and VPN6 are binary files and not symbolic links to the VPN binary file.

    • Current (problematic) scenario:
      [Expert@HostName:0]# ls -l $FWDIR/bin/vpn* 
      
      -rwxrwx--- 1 admin bin SIZE MMM DD  YYYY /opt/CPsuite-R77/fw1/bin/vpn
      -rwxrwx--- 1 admin bin SIZE Nov 24  13:04 /opt/CPsuite-R77/fw1/bin/vpn6
      -rwxrwx--- 1 admin bin SIZE Nov 24  13:04 /opt/CPsuite-R77/fw1/bin/vpnd
      
    • Expected scenario:
      [Expert@HostName:0]# ls -l $FWDIR/bin/vpn* 
      
      -rwxrwx--- 1 admin bin SIZE MMM DD  YYYY /opt/CPsuite-R77/fw1/bin/vpn
      lrwxrwxrwx 1 admin bin    3 MMM DD HH:MM /opt/CPsuite-R77/fw1/bin/vpn6 -> vpn
      lrwxrwxrwx 1 admin bin    3 MMM DD HH:MM /opt/CPsuite-R77/fw1/bin/vpnd -> vpn
      
  • Output of the cpvinfo $FWDIR/bin/vpn* | grep -E "Build|Minor" command shows that the VPND and VPN6 files have a different "Minor Release" ("R77_30_HF5") than the VPN binary file ("R77_30_jumbo_hf").

    • Current (problematic) scenario:
      [Expert@HostName:0]# for FILE in $(ls -1 $FWDIR/bin/vpn*) ; do echo ${FILE}: ; cpvinfo ${FILE} | grep -E "Build|Minor" ; done
      
      /opt/CPsuite-R77/fw1/bin/vpn:
      Build Number = <xxx>
      Minor Release = R77_30_jumbo_hf
      /opt/CPsuite-R77/fw1/bin/vpn6:
      Build Number = 990008002
      Minor Release = R77_30_HF5
      /opt/CPsuite-R77/fw1/bin/vpnd:
      Build Number = 990008002
      Minor Release = R77_30_HF5
      
    • Expected scenario:
      [Expert@HostName:0]# for FILE in $(ls -1 $FWDIR/bin/vpn*) ; do echo ${FILE}: ; cpvinfo ${FILE} | grep -E "Build|Minor" ; done
      
      /opt/CPsuite-R77/fw1/bin/vpn:
      Build Number = <xxx>
      Minor Release = R77_30_jumbo_hf
      /opt/CPsuite-R77/fw1/bin/vpn6:
      Build Number = <xxx>
      Minor Release = R77_30_jumbo_hf
      /opt/CPsuite-R77/fw1/bin/vpnd:
      Build Number = <xxx>
      Minor Release = R77_30_jumbo_hf
      
  • Multi-Portals (e.g., Gaia Portal, Identity Awareness Portal, Mobile Access Portal) are no longer accessible over HTTPS.

Cause

Chain of events in the case that was reported to Check Point Support:

  1. sk108192: R77.30 - Security and stability enhancements for Security Gateway (Hotfix #5) was installed in the past using the CPUSE Online / Offline procedure.
    CPUSE Agent installed the new VPN binary file and copied it as the VPND file and the VPN6 file, instead of leaving VPND and VPN6 as symbolic links to the VPN binary file.
  2. R77.30 Jumbo Hotfix Accumulator was installed (regardless of whether CPUSE or Legacy CLI was used).
    CPUSE Agent installed the new VPN binary file, but did not replace the VPND and VPN6 binary files, because they are supposed to be symbolic links to the VPN binary file.
    In addition, CPUSE Agent installed other relevant library files.
  3. Since the VPND file is executed by its explicit name, there was a mismatch between the "older" VPND binary file and the "newer" library files, which caused the VPND binary file to crash with a Segmentation fault.
  4. Since the VPN binary file, which is executed by the explicit name VPND, also handles the SSL handshake for Multi-Portals over HTTPS, those portals become inaccessible.
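
The symptoms above can be checked in one pass. The following is an added example, not Check Point code and not the article's solution: it reports whether vpnd and vpn6 are symbolic links to vpn, and counts the "VPND Starting" banners in a log file. The function names check_vpn_links and count_vpnd_starts are hypothetical; the directory and log path are supplied by the caller.

```shell
#!/bin/sh
# Added example (not Check Point code): detect the state described above.

# check_vpn_links DIR
# Prints one line per file. Returns 0 when vpnd and vpn6 are symlinks to
# "vpn", 1 when either is a separate file, points elsewhere or is missing,
# and 2 when DIR/vpn itself is missing or is not a regular file.
check_vpn_links() {
    dir=$1
    result=0
    if [ ! -f "$dir/vpn" ] || [ -L "$dir/vpn" ]; then
        echo "ERROR: $dir/vpn is missing or is not a regular file"
        return 2
    fi
    for name in vpnd vpn6; do
        path="$dir/$name"
        if [ -L "$path" ]; then
            target=$(readlink "$path")
            if [ "$target" = "vpn" ] || [ "$target" = "$dir/vpn" ]; then
                echo "OK: $path -> $target"
            else
                echo "MISMATCH: $path -> $target (expected vpn)"
                result=1
            fi
        elif [ -e "$path" ]; then
            # The problematic scenario: a copied binary instead of a link.
            echo "MISMATCH: $path is a separate file, not a symlink to vpn"
            result=1
        else
            echo "MISSING: $path"
            result=1
        fi
    done
    return $result
}

# count_vpnd_starts FILE
# Prints how many "VPND Starting:" banners FILE contains (0 if unreadable).
# Many banners a few seconds apart match the restart loop shown in vpnd.elg.
count_vpnd_starts() {
    n=$(grep -c 'VPND Starting:' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}
```

In Expert mode, call check_vpn_links "$FWDIR/bin" and count_vpnd_starts "$FWDIR/log/vpnd.elg"; both only read the file system.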
