Maestro R80.30SP Jumbo Hotfix Accumulator Technical Level
Solution

Table of Contents:

  • Introduction
  • Availability
  • Important Notes
  • Resolved Issues per Take
  • Installation Instructions
  • Replaced Files
  • Revision History

Introduction

R80.30SP Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues for products running R80.30SP.

This Incremental Hotfix and article will be updated periodically with new fixes.

The list of resolved issues below describes each resolved issue and provides the Take number in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date on which this Take was released appears next to the Take number. 

Availability

General Availability Take 

Product | Take | Date | CPUSE Offline Package
Orchestrator | Take 210 and above | 02 Dec. 2019 | See sk155832
Maestro Gateway | Take 49 | 26 Oct. 2020 | (TGZ)

Ongoing Take 

Product | Take | Date | CPUSE Offline Package
Orchestrator | Take 210 and above | 02 Dec. 2019 | See sk155832
Maestro Gateway | Take 75 | 06 Apr. 2021 | (TGZ)

Important Notes

  1. Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.30SP.
  2. Upgrade of CPUSE Agent is not supported on R80.30SP.
  3. R80.30SP is not supported on Orchestrator appliances MHO140 and MHO170. For Orchestrators, use R80.20SP with the Jumbo Hotfix indicated in the table above. 
  4. This Jumbo Hotfix Accumulator must be installed only after the successful completion of the Gaia First Time Configuration Wizard and a reboot.
  5. For Gateway installation: All CPUSE commands must be run via gclish shell only.
  6. To check the Take number of the currently installed R80.30SP Jumbo Hotfix Accumulator (if it is installed), refer to the last section of the output of this command: [Expert@HostName:0]# asg_provision
  7. For Known Limitations, refer to sk148074: Known Limitations for Scalable Platform and Maestro Appliances.

Resolved Issues per Take

ID Product Description
Take 75 (06 April 2021)
MBS-13520 General During a gradual Jumbo Hotfix upgrade on a Security Group’s Gateways, LACP bond slaves may get suspended if there are active Gateways in the same Security Group and in the same site with different Jumbo Hotfix versions. The issue may continue until the upgrade completes and all of the Gateways’ Jumbo Hotfix versions are aligned.  
Take 73 (07 March 2021)
MBS-13420 General Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 310 of the R80.20SP Jumbo Hotfix Accumulator (see sk155832).
MBS-12809 General Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414). Changed the name of the cpdata_collector_sp command to cpdata_collector.
MBS-10123 General Enhancement: Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems.

Configuration in Gaia gClish:
  1. Run: g_all "vsx mstat enable"
  2. Run: g_all "reboot"
  3. Configure SNMP v3 in the VS mode as described in sk90860.
SNMP OIDs - statistics from the specified Virtual System, statistics from each cluster member:

Number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.10.1.*
Physical memory - 1.3.6.1.4.1.2620.1.48.30.40.10.1.*
Packet rate - 1.3.6.1.4.1.2620.1.48.30.80.10.1.*
Throughput - 1.3.6.1.4.1.2620.1.48.30.90.10.1.*
Interface packet rate - 1.3.6.1.4.1.2620.1.48.30.100.10.1.*
Connection rate - 1.3.6.1.4.1.2620.1.48.30.120.10.1.*
Virtual memory - 1.3.6.1.4.1.2620.1.48.30.130.10.1.*

SNMP OIDs - statistics from the specified Virtual System, total statistics from all cluster members:
Total number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.20
Total packet rate - 1.3.6.1.4.1.2620.1.48.30.80.20
Total throughput - 1.3.6.1.4.1.2620.1.48.30.90.20
Total connection rate - 1.3.6.1.4.1.2620.1.48.30.120.20
MBS-12230 General Enhancement: Ability to configure SNMP Traps in Gaia gClish. For more information and configuration instructions, see sk171394.
MBS-11953 General Enhancement: Added support for the Threat Extraction Software Blade in VSX mode
MBS-4414 General While a Security Group Member reboots, some existing connections can fail on the Security Group. See sk169765
PRHF-9930 General In a rare scenario, traffic is dropped with the "[ERROR]: up_handle_get_matched_service_clob: no clob list on handle for type SERVICE;" error in dmesg.
MBS-2581 General Logs generated by Software Blades on Scalable Platforms do not show the Group ID and SGM ID.
MBS-12714 General Remote Access client using the Visitor Mode, or connecting to a Mobile Access Portal, may disconnect several seconds after it connected.
MBS-12669 General Improved the stability of the VPND process when a "CCCclientRequest" packet is sent. 
MBS-12375 General Commands in Gaia gClish fail with:
CLINFR0739 error in command execution; see "/var/log/messages"
The /var/log/messages file shows:
clish[<PID>]: timeout on read from all remote nodes; connections lost
Refer to sk170301
PRHF-14951 General Improved the stability of IP Pool NAT.
MBS-9806 General Added full support for VSX Virtual Switches.
Important Note: If you created Virtual Switches in R80.30SP with the R80.30SP Jumbo Hotfix Accumulator Take 56 or Take 49, you must install a special hotfix before you install the R80.30SP Jumbo Hotfix Accumulator Take 73 or higher. Refer to sk171917.

MBS-11367 General In rare cases, a Security Group member can crash (with the message "Entering kdb") during the installation of the R80.30SP Jumbo Hotfix Accumulator.
MBS-9716 General After a Security Group Member reboot, the output of the "asg monitor" command shows its state as "Detached". See sk169764.
PRHF-14952 General Improved Security Gateway operation during a large number of connections per second.
PRHF-14534 General Improved access to kernel global tables preventing lock contention. 
MBS-13328 General
  1. Enabled configuration of more than one CPU core for the MDPS Management plane.
  2. Resolved an issue when a policy installation overrides the MDPS resource configuration. For more information about Management Data Plane Separation (MDPS), see sk138672.
MBS-11674 General Fetching packet capture from a violation log in SmartConsole fails with the error "Failed at getting the incident file from the gateway".
MBS-11670 General The configuration of Rate Limiting for DoS mitigation in SecureXL (the $FWDIR/conf/fwaccel_dos_rate_on_install script) is not synchronized between Security Group Members.
MBS-13282 General The /var/log/send_alert* files repeatedly show this message for different interfaces: "Site <X> eth<X>-<XX> link is up".
MBS-11765 General Gaia users other than the 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell '/bin/bash' and the 'admin' role are configured.
MBS-9767 General VPN IKE packets are forwarded to a Security Group member even after its state changes to "Down".
MBS-11764 General The output of the "show smo verifiers" command shows that the "ARP Consistency" test fails. This issue was caused by an unused padding in the kernel table 'arp_table'.
MBS-11956 General These Gaia gClish commands do not take effect on all Security Group Members:
  • set user <username> password-hash
  • set user <username> force-password-change
MBS-9820 General Added support for the Management Data Plane Separation (MDPS). See sk138672.
MBS-12280 General If the IPSec Software Blade is disabled, this message appears repeatedly in the /var/log/messages file (refer to sk170852):
fwhandle_get(fwvpn.c:4288): Table kbufs - Invalid handle XXX (bad pool).    
PRHF-11517 General The FWD process stops working randomly on Security Group Members on Scalable Chassis and Maestro (for more information and configuration instructions, see sk168692).
PRHF-15535, PMTR-65841 Maestro Added support for the SNMP sysOID .1.3.6.1.2.1.1.2.0 for Maestro Orchestrators.
MBS-11960 Networking Added support for ISP Redundancy.
MBS-13224 Gaia OS Added support for Policy-Based Routing (PBR) in VSX mode.
MBS-12143 Gaia OS Static routes with the "ping" option enabled (to ping the next hop gateways) do not appear on some Security Group Members.
Take 56 (26 January 2021)
MBS-12874 General Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 226 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
MBS-8558 General Improved stability of the FWK daemon.
PRHF-14900 General Improved stability of the QoS Software Blade when an interface goes down and up.
MBS-12346 General
  • Output of the asg diag command shows that the "License" test fails because of the IPS license.
  • Output of the asg_license_verifier command shows "ERROR: No license for 'IPS-1' [mandatory feature 'ips']". 
MBS-7805 General After adding a slave interface to a Bond interface, the output of the asg diag command shows that the "Distribution Mode" test failed because of an issue with the slave interface.
MBS-11927 General The output of the asg_dr_verifier command contains the line cat: /proc/self/vrf: No such file or directory. Refer to sk171073
MBS-12769 General
  1. Output of the asg monitor command shows that the state of the SMO Security Group Member is "Down".
  2. Output of the cphaprob list command shows that the Critical Device "Pull_config" reports its state as "problem".
  3. The $FWDIR/log/fwd.elg file on the SMO contains this message repeatedly: "fwauthd_init: got known service port XXX ... choosing another one".
MBS-9585 General
  1. Output of the asg monitor command shows that the state of a Security Group Member is "DOWN".
  2. Output of the cphaprob list command shows that the Critical Device "Policy" reports its state as "problem" on the Security Group Member.
  3. Output of the asg_policy verify -a command shows "Failed" in the "Status" column for the Security Group Member.
  4. Output of the asg_policy verify -a command shows "Policy date is lower than max policy date" in the "Summary" section for the Security Group Member.
PRHF-14165 General A memory leak may appear in VPN and CPAS configuration.
Fix is relevant for Gaia 3.10 only.
PMTR-62477 General Half-closed accelerated TCP connections may take too long to expire.
PRHF-14268 General In certain scenarios, allocated memory is not freed after sending a packet from kernel addressing fragment correction.
MBS-12525 General The output of the ps -aef | grep [d]efunc command shows multiple zombie processes "[sh] <defunct>".
The issue occurs after a reboot or policy installation.
MBS-12490, PMTR-61822 General Connections may be wrongly matched on Domain or Updatable objects used in Security policy.
MBS-12642 Gaia OS Gaia scheduled backup fails to run.
The /var/log/messages file contains the error "scheduled_backup: SGM isn't SMO, skipping scheduled backup".
Take 49 (26 October 2020)
MBS-12224 General If only one CPU core runs as a CoreXL SND on Security Group Members, these cosmetic issues can occur:
  • Output of the asg_perf command is empty.
  • Output of the cores_verifier command shows "Error: unable to obtain value from smodb". 
  • Output of the cores_verifier command shows "Error: BPEth0 doesn't exist in /proc/interrupts". 
MBS-12182 Networking Output of the asg monitor -v command shows "0 / 0" in the "Bond" unit. The cluster does not monitor the bond interfaces as part of the site grade.
MBS-12386 Mobile Access Mobile Access fails to start on all Security Group Members after the installation of the R80.30SP Jumbo Hotfix Accumulator Take 45.
Take 45 (02 October 2020)
MBS-11529 General
  • Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 215 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
  • Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 295 of the R80.20SP Jumbo Hotfix Accumulator (see sk155832).
Take 32 (07 April 2020)
MBS-10318 General Take 32 of the R80.30SP Jumbo Hotfix Accumulator blocks its installation on top of the R80.30SP Take 41 and above image (because all these fixes are already integrated).
Take 31 (10 March 2020)
(Take 31 was replaced with Take 32.)
MBS-7208 General After a snapshot was reverted on a member, the output of the asg diag command may show "Policy signature doesn't match on all SGMs".
MBS-9401 General Connections may fail if their packets need to be forwarded internally more than one time.
MBS-9427 Maestro Output of the asg perf command may show an incorrect number of CPU cores that run as CoreXL SND.
MBS-9582 Maestro Configuration actions may fail in the Gaia Portal of a Maestro Security Group.
MBS-9778 Maestro Memory leak in the sgm_pmd process.
MBS-9838 Maestro Improved recovery for traffic distribution if there were communication issues between Security Appliances and Orchestrators.
MBS-8900 VSX External interface of a VSX Virtual Switch is not monitored by the VSX cluster. As a result, cluster failover does not occur if there are issues with that interface.
MBS-9400 VSX In VSX mode, packets are not forwarded correctly to other members if packets arrive at a wrp interface.
MBS-9354 VPN VPN tunnel over NAT-T with a DAIP peer might not work when Layer 4 distribution is enabled.
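
Several entries in the table above quote the exact log message that accompanies an issue. The following is an added example, not a Check Point tool and not part of the original article: it scans a copy of log output for those quoted messages and reports the issue ID and the Take that contains the fix. The function name triage, the regular expressions (derived from the quoted messages) and the sample log lines are assumptions made for illustration.

```python
import re

# (issue ID, Take that contains the fix, pattern built from the message quoted above)
SIGNATURES = [
    ("PRHF-9930", 73, r"up_handle_get_matched_service_clob: no clob list on handle"),
    ("MBS-12375", 73, r"timeout on read from all remote nodes; connections lost"),
    ("MBS-13282", 73, r"Site \S+ eth\S+ link is up"),
    ("MBS-12280", 73, r"fwhandle_get\(fwvpn\.c:\d+\): Table kbufs - Invalid handle \S+ \(bad pool\)"),
    ("MBS-12769", 56, r"fwauthd_init: got known service port .*choosing another one"),
    ("MBS-12642", 56, r"scheduled_backup: SGM isn't SMO, skipping scheduled backup"),
]
COMPILED = [(issue, take, re.compile(rx)) for issue, take, rx in SIGNATURES]


def triage(lines, installed_take):
    """Map matching log lines to issue IDs.

    "covered" is True when installed_take already includes the fix, so the
    message needs another explanation; False means the fixing Take is a
    candidate remedy. Several entries say "repeatedly": check "hits".
    """
    found = {}
    for line in lines:
        for issue, take, rx in COMPILED:
            if rx.search(line):
                entry = found.setdefault(
                    issue, {"fixed_in": take, "hits": 0, "covered": installed_take >= take})
                entry["hits"] += 1
                break
    return found


# Constructed sample lines (hostnames, PIDs and handle values are made up).
SAMPLE = [
    "Mar  1 10:00:01 gw-1_01 clish[4321]: timeout on read from all remote nodes; connections lost",
    "Mar  1 10:00:05 gw-1_01 kernel: fwhandle_get(fwvpn.c:4288): Table kbufs - Invalid handle 1a2b (bad pool).",
    "Mar  1 10:00:06 gw-1_01 kernel: fwhandle_get(fwvpn.c:4288): Table kbufs - Invalid handle 3c4d (bad pool).",
    "Mar  1 10:02:00 gw-1_01 scheduled_backup: SGM isn't SMO, skipping scheduled backup",
    "Mar  1 10:03:00 gw-1_01 sshd[99]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for issue, info in sorted(triage(SAMPLE, installed_take=49).items()):
        print(issue, info)
```

A match is a pointer to the relevant table entry and SK article, not a diagnosis; pass the Take number reported by asg_provision as installed_take.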

Installation Instructions

For installation instructions, refer to the "Installing and Uninstalling a Hotfix" section of the Check Point Maestro R80.30SP Administration Guide.  

Replaced Files

To receive a list of files replaced by this Jumbo Hotfix Accumulator, contact Check Point Support.

Revision History

Date | Description | Aligned with R80.30 JHFA Take (sk153152)
06 Apr. 2021 | Release of Take 75 | Take 226
07 Mar. 2021 | Release of Take 73 | Take 226
26 Jan. 2021 | Release of Take 56 | Take 226
26 Oct. 2020 | Release of Take 49 | Take 215
02 Oct. 2020 | Release of Take 45 | Take 215
07 Apr. 2020 | Release of Take 32 | -
10 Mar. 2020 | First release of this document (Take 31). | -
