| ID |
Symptoms |
| General and Installation |
| 00953969 |
During installation of R75.45 HFA on IPSO, this error appears on screen: "Global Params logs send output". |
| 01060112 |
On the Security Management Server running on Windows OS, the migrate export command fails with plugin error due to incorrect name in registry.
Error:
Execution finished with errors. See log file 'C:\Program Files\CheckPoint\R75.40\CPShared\R75.40\log\migrate-ddd_MMM_dd_HH-mm-ss_Year.log' for further details. |
| Automatic Software Updates |
| 01045889 |
If you use Gaia Automatic Software Updates to uninstall R75.45, you must reboot the computer or appliance after the uninstall.
|
| Firewall |
| 00935442 |
Unable to connect to VRRP IP after running "fw unloadlocal" command. Kernel debug shows: "...dropped by fwha_forw_run Reason: Failed to send to another cluster member" |
01047145
|
"X-forward-for" header replacement in Identity Awareness with Application Control does not work - data was stripped.
Messages from kernel debug:
[fw_1];psl_handle_data_replacement: error, replace_tcp_data_f failed
[fw_1];psl_handle_packet: error, psl_handle_data_replacement failed
[fw_1];psl_handle_packet: saving msg "internal error - psl_handle_data_replacement failed" |
01055330
|
Skinny packets drop with error "Malformed SCCP packet - Invalid Reserved field". |
| 01052012 |
The snmpwalk command shows CPU at 100% utilization on 4 clusters. |
| 00968456 |
When using IPS, a memory leak occurs. |
| 00920202 |
Stability issues during memory buffer cleanup. |
| 00992889 |
Enhancement: An option added for profiling packets handled by PSL. The packets are printed when the threshold set by the kernel parameter psl_print_stack_threshold_on_handle_pkt is reached. |
| 00941110 |
routed process periodically crashes during IPv6 Router Discovery. |
| 00894501 |
When creating Bond interfaces, some interfaces do not show on the interface list. |
| 00915830 |
Soft lockup CPU#X gets stuck for 10s, when using VoIP. |
00912429,
01025908 |
Memory leak in FWM daemon. |
| 01081709 |
Using URI Resource with UFP server casues high CPU utilization. |
| 00915764 |
"SKB BUG: Invalid truesize (1586) len=1386, sizeof(sk_buff)=240" warning messages might be seen on a bridge interface. |
| 01025713 |
When CoreXL enabled, the error message "FW-1 form has expired" appears. |
| 00943628 |
Security Policy installation fails with "ERROR: Duplicate keys <xxxxxxxx> in table 'sd_dst_intvl_list'" . Refer to sk83480. |
| 00957127 |
After the upgrade of the Security Management Server to R75.40, the UserCheck logo fails to display on the UserCheck Access Notification page |
| 01062799 |
IPS Bypass is activated when it is not supposed to, while the CPU utilization is still within valid threshold limits. |
| 01053677 |
Scheduled backup using FTP overwrites the last backup. |
| 01084304 |
When running the fwaccel stats -s command, "PXL packets" and "PXL bytes" are shown incorrectly. |
| 00949765 |
IPS logs over 1KB are partially lost when passed to syslogd using the 'logger' command. |
| 01083594 |
CPAS drops TCP connections that support Explicit Congestion Notification (ECN). |
| 01094556 |
In rare cases, URL Filtering causes instability and crashes. |
| 01050063 |
A third-party SNMP viewer shows a warning about a mismatch with the returned values. |
| 00623746 |
Fragmented traffic is lost if the fragmented packets do not arrive before the frag_table timeout value of 1 second expires. |
| 01087655 |
On an Open Server gateway, "xpand: Failed to read Fan sensors" messages may appear in /var/log/messages file. |
| 00936087 |
Firewall daemon (FWD) crashes. |
| 01064688 |
IPS Bypass memory thresholds are not applied correctly. |
| 00932080 |
NAT does not work properly after ISP failover - when trying to get IP address from DHCP server, it is dropped on "message_info: Connection contains real IP of NATed address" |
| 01025497 |
cp_conf terminates unexpectedly with core dump file when running cp_conf lic add -f text. |
| 00938999 |
Mobile Access policy changes on UTM fail to apply. |
| 01084302 |
Application Control and IPS protection cause Firewall to crash when activating HTTP decoding. |
| 01092702 |
SmartUpdate package upload process terminates after 3 minutes with error in SmartUpdate GUI "Transfer of verification script failed."
'CUSTOM_SU_PROC_TIMEOUT' environment variable has been added. Configure this variable (in minutes) to set the timeout value to up to 60 minutes. |
| 01087845 |
System panic on IPSO 6.0.7. |
| Gaia |
| 00923108 |
Mounting an NFS disk does not work in Gaia.
Error: "wrong fs type, bad option, bad superblock on <IP address>:/usr/isos, missing codepage or other error". |
| 00940782 |
If a Virtual IP address is not on the same subnet as the physical IP addresses, the route to the Virtual IP address may not appear in the routing table.
Workaround: manually define the route. |
| 01054033 |
When setting up a VTI VPN tunnel between clusters, doing "Get Interfaces" in SmartDashboard does not work. Also, the VTI does not show when running the command ifconfig -a. |
| 01057221 |
When adding or configuring a cron job with a long command that has many spaces, the command is truncated. |
| 00990162 |
Gaia stops responding when many MCVR addresses (Monitored Ciruits) are added to VRRP. |
01080987
|
When running the "show configuration" command in clish, both clish and WebUI crash with a "Segmentation Fault" error. |
| 01119560 |
Excessive memory utilization by /bin/confd daemon on Gaia when SNMP monitoring is enabled. Refer to sk91081. |
| 00262101 |
Disconnecting interfaces on the same subnet on two VRRP cluster member gateways causes both members to become master. |
| 01081425 |
The "show arp dynamic all" command does not show all entries. |
| 00956369 |
User cannot filter which message are sent from syslogd to firewall syslog. |
| 00936665 |
Cannot debug SNMP on Gaia using the TDERROR environment variable - the snmpd process fails. |
| 01071820 |
"set lcd none" command does not disable the LCD panel on the appliance. |
01070884,
01179220,
01190956;
01084061,
01084188,
01084187,
01203721 |
Backup/Restore function in Gaia Portal and Clish worked only for files up to 2GB in size. Refer to sk88145. |
01247678,
01248259,
01248260,
01248261 |
Gaia IP appliance crash related to ixgbe portwell driver. |
| Gaia Dynamic Routing |
01060163
|
In VSLS cluster, when the member that is configured to run if active is rebooted, it does not synchronize OSPF routes from the current active member.
Log shows:
cpcl_slave_init(...): instance 2 connection waiting for select to return
cpcl_should_send() returns -4 |
| 00957124 |
A Policy Based Routing Action Table with a Normal Nexthop Type IP address is not created properly. |
| 00923067 |
In Gaia, inactive routemaps cannot be deleted completely. Dynamic routing protocols retain the deleted routemap. |
| 01013754, 00934769 |
The clish "save configuration" command on Gaia does not save all the dynamic routing configuration data. Refer to sk85280. |
| 01084341 |
OSPF state is not synchronized to the Standby cluster member. |
| 01092707 |
Configuring multiple MCVR interfaces in VRRP on Gaia causes WebUI and clish to time out. |
| 01092667 |
When routed with OSPF MD5 authentication runs for a long time, the OSPF session gets restarted. |
| 01090376 |
When using OSPF with MD5 authentication, a failover to a member that came up after a reboot, can cause the OSPF session to restart. |
| SecurePlatform Dynamic Routing |
01069932
|
Some of the signals received by routed are printed with the wrong name in the routed trace file. |
00774951,
00261870,
00261872,
00261904,
00775263,
00867105,
01007541,
01068385 |
Enabling NTP on SecurePlatform OS causes OSPF adjacencies to break.
Refer to sk90365. |
| 01040548 |
The "show running" command in the Gated CLI configuration interface (router) shows "set ip nexthop" instead of "set ip next-hop" for a route-map. |
| 00937571 |
The SecurePlatform GateD routing daemon stops running when BGP is used with routemaps that match on interfaces. |
| 01039490 |
The GateD routing daemon on SecurePlatform consumes 100% CPU on a ClusterXL Standby member with PIM enabled. |
| SecurePlatform |
| 01072603 |
CPWMD version entries in /var/log/messages are logged too frequently on some appliances. |
| 01073740 |
Setting a cron job through clish prints out debug messages to /var/log/messages. |
| 01090028 |
Bond interface does not show the link state of its physical slave interfaces. |
| 01084325 |
Frequent hardware sensor alerts on Check Point 2012 appliances running SecurePlatform or Gaia. |
| 01076734 |
When the session lockout is enabled, after running the faillog -r command, users cannot be authenticated by the gateway. |
| SecurePlatform SNMP |
00901333
|
On SecurePlatform systems, the snmpwalk command does not always give full output for custom OIDs, because it was limited to 100 lines. Refer to sk71980.
|
| 00941815 |
When SNMP is used, these type of messages appear in /var/log/messages:
snmpd[PID]: unknown interface in /proc/net/ipv6_route
snmpd[PID]: /proc/net/ipv6_route data format error (5!=8), line == ... |
00909497
|
The SNMPD daemon prints "snmpd[PID]: ioctl 35123 returned -1" error on interface names longer than 8 symbols. Refer to sk72240. |
| 00901703 |
An snmpwalk on OID 1.3.6.1.4.1.2620.1.6.7.5.1.7 (multiProcInterrupts) returns a zero value for the number of interrupts per second if the total number of interrupts in /proc/stat exceeds a 32-bit value. |
| 01080526 |
Changing an interface IP address crashes snmpd. |
| 00937554 |
Running an SNMP query for RIP SNMP OIDs 1.3.6.1.2.1.23 after RIP is disabled causes the GateD routing daemon to stop running. |
| 01091072 |
snmpwalk does not show all the entries in the Check Point tree. |
| 00951914 |
SecurePlatform does not support HP NC522SFP Dual Port 10GbE Gigabit Server Adapters. |
| 01057118 |
On 32-bit SecurePlatform the SNMP OID .1.3.6.1.2.1.31.1.1.1.6 (ifHCInOctets) shows a truncated value when traffic exceeds 136 MB. |
| Security Management |
| 00897954 |
The set2xml parser leads to crashes when "_l-" substring exists in user-defined object names. Example: some_name_I-AG.
|
01042427,
00944256, 00944154,
01045126 |
Memory leak in FWM daemon. |
00975073,
00983111,
00983800
|
Policy installation fails with error "Operation failed. Install/uninstall has been improperly terminated" instead of showing a proper error message and FWM daemon crashes when a NAT contains multiple Source / Destination objects.
Refer to sk103918.
|
| 01054133 |
In a Multi-Domain Security Management environment, options for High Availability are not available in SmartDashboard. |
| 01076084 |
IPv6 traffic is dropped on Anti-Spoofing after changes to the IPv6 spoofing configuration. |
| 01076096 |
Scheduled IPS update does not work on R75.46 running on Windows. |
| 00963167 |
Corrupted cp.license file on a Security Gateway causes FWM to crash on the Security Management Server. |
| 01025611 |
Memory leak in FWD daemon. |
| 01074771 |
Policy installation fails on Security Gateways with Mobile Access Blade enabled. |
| 01094157 |
Wrong Registration Key is sent in e-mail through ICA tool.
Example:
Valid Registration Key: 60078-vevvj8
Wrong Registration Key: CN=user one+OU=users,O=gr7540,O=MGMT..f6wyjb 92161-v7rwcy |
| Multi-Domain Security Management |
01073807
|
CMA sync fails with the warning message "Database has been changed since synchronization start". Refer to sk88260. |
| 01076616 |
The FWM daemon on the CMA becomes unstable during a Database Revision because the Value of CurrentMSP in the registry is corrupt. |
| 00912430 |
Memory leak in FWM daemon on Domain Management Server. |
| 01044637 |
After restarting the Secondary CMA, Domain Management Servers are out of sync, even though no changes occurred. |
01062126,
00944214 |
In a Provider-1 environment, security policy installation fails, when it includes VPN rules. Errors:
do_cklic_ex: Activated with signature: null
fw: no license for 'ca'
Rule xx: no license for encryption. (where xx is your policy rule number) |
| 00950201 |
Memory leak in FWM daemon.
|
| 01060351 |
mds_exclude.dat option does not work on mds_backup on R75.45 Provider-1 - definitions in mds_exclude.dat file is ignored. |
| 01002221 |
Configuration fails when adding external interface with a name that is longer than 8 characters. |
| 01051597 |
Renaming policy on CMA results in error "Global object modification is prohibited". |
| SmartConsole |
| 01062616 |
Unicode characters might display incorrectly in the LDAP users tree in SmartDashboard:
- If enable the "Unicode support" option in "LDAP account unit", all fields correct but "branch" field is corrupted
- If clear the "Unicode support" option in "LDAP account unit", the "branch" field is displayed correctly, but the "Login name", "Last name", "full name" and some other fields are corrupted.
|
| 00915226 |
Importing certificate for Mobile Access portal causes SmartDashboard to hang. |
| 00939069 |
IP Pool NAT settings disappear (checkbox is not selected and the range is removed) in the IP Pool NAT tab on an interface in a cluster topology. |
| 01057417 |
User cannot add a new 'group with exclusion' from the 'Add object' menu into NAT rulebase. |
| 01047673 |
After a policy is installed, a popup window appears, asking to "save policy", even though the policy was saved before its installation. |
| 00938796 |
SmartDashboard crashes when changing from 'Read-only' to 'Read/write' mode. |
| 00972548 |
In SmartDashboard 'Read-only' mode, scrolling down the network objects list in the User Properties window does not work. |
| 00968991 |
SmartDashboard freezes when user tries to modify an object. |
| 00938334 |
ROBO Cluster members do not resolve in SmartView Tracker.
Note: The fix is not supported for Windows platforms. |
| 01055324 |
After upgrading from R75.30 to R75.40, SmartView Monitor shows that all Security Gateways are in the 'Attention Needed' state. |
| 01087743 |
Carriage Return characters in Edge configuration script are deleted during an upgrade. |
| 01081844 |
When choosing a group in the source/dest/service field of a rule, policy verification does not recognize identical rules as duplicates and some rules will have overlapping objects. |
| 01081392 |
Administrators with full permissions see masked users with an asterisk in SmartView Tracker. |
| 01039951 |
Anti-Spam tab in SmartDasboard does not recognize Security Gateway object with enabled Anti-Spam. |
| 00931121 |
SmartWorkflow shows UTC time instead of the local time. |
| 01059319 |
Deleting an object in SmartDashboard clears the contents of the Windows clipboard. |
| 01059502 |
SmartLSM gateways are not shown correctly in SmartView Tracker. |
| 01002306 |
Configuring IP Pool NAT triggers a "IP Pool NAT is required to be defined on at least one interface" error pop-up on SmartDashboard. |
| 01085350 |
When "cpstart -b" fails on boot, it does not display the error message on the console.
|
| 01083350 |
The migrate folder in $FWDIR/tmp directory does not get deleted at the end of an advanced upgrade. |
| Management Portal / WebUI |
01062364
|
After logging into a system with TACACS+ credentials, privilege elevation operations through clish or WebUI cause the system to freeze. |
| SmartReporter |
| 00940898 |
PDF generated by Smart Reporter is corrupted. PDF reports shows an error "There was an error opening this document. The root object is missing or invalid". |
| 01014254 |
SmartReporter does not show all 50 users, when generating 'Top 50 Users' report. |
| 01042436 |
Changes are not saved correctly for specified custormers in the SmartReporter Input tab. |
| 00923904 |
Selecting *.MHT report option generates an *.HTML format report instead. |
| 01056289 |
Problems occur in an environment with many Customer Management Add-ons (CMAs), if the Multi-Domain Server is rebooted during a SmartReporter consolidation session. All of the CMAs change from "processing logs" to "Tying to connect". |
| 01071053 |
SmartReporter does not include logs from SAM rules when generating reports. |
| SmartEvent |
| 00893937 |
Time setting in Database Maintenance Settings is displayed incorrectly: Time of Action 2:00 AM is displayed as AM 00:02. and 24:10 is displayed as 10:24 |
| 00911162 |
"An unexpected error occurred. No write permissions for object: OBJ_4DB1B12E_5524_4F28_8CFE_879D4171C39A of type: CSchedItem (File: .\DBMaintenanceBridge.cpp Line: 804" error shows, when trying to change settings in SmartEvent GUI. |
| 00819588 |
Missing filter for confidence in SmartEvent user defined policy. |
| 00917364 |
Mail messages from SmartEvent automatic reaction show incorrect time. |
| 01060840 |
In R75.40 SmartEvent, cannot view content of an email for a DLP event (the 'Show Email' icon does not work) because of mismatch between SmartEvent and Security Management release numbers.
|
| 01045219 |
Cannot launch SmartEvent from SmartDashboard receiving an authentication failure message and the cpsemd process crash. |
| 01079792 |
SmartEvent fails to send E-mail alert for IP sweeps events when the event is configured for Automatic Reaction.
The $RTDIR/log/cpsemd.elg file shows:
CEventParser::_readFile: failed to read from /opt/CPrt-R71/tmp/eventDetails3.xml CEventParser::GetMhtForMail: Faild to create html
CInternalMailCommand::Execute: Event has no data |
| 01080432 |
Russian user names show up corrupted. |
| SmartProvisioning |
00920712
|
SmartProvisioning hangs during search. |
| 01056773 |
LSMcli command ModifyROBOInterface VPN1Edge fails with 'Validation error in field..' error, when used with these switches: Hide NAT, interface mode, DHCP. |
| 00917252 |
SmartProvisioning can crash in rare cases when running Update Selected Corporate Office Gateway on cluster object. |
| Mobile Access |
| 00923887 |
If a large PDF file is sent as application/octet-stream with many regular ASCII characters in the beginning, it will not be downloaded and 0 size file will be created. |
| 01054103 |
If URL link translation is used and a JavaScript page contains src="//:" an empty request is sent to the Security Gateway. |
01054341
|
If a user logs out inside of a Web application and is directed to a login page, SSO might use the default credentials instead of the user's credentials. |
| 01054343 |
If SSO is enabled, Web applications with complex login pages load slowly. |
| 00967218 |
The Mobile Access login page is unstable when connecting from a Windows Phone 7.5 browser. |
| 01028151 |
Cannot use Java Script (for example, document.body.style.background ="url(../test.jpg)";) to set the background image for internal sites accessed through the Mobile Access Portal. |
| 01068161 |
ActiveSync fails when LDAP server uses UPN as a username.
The following error can be found in httpd.log:
[APACHE] [CVPN_ERROR] Cvpn::ActiveSyncHandler::isConfForSameUser: The usernames are different: from conf (user1@company.com) from user (user1) |
| 01054332 |
After a user logs out from a Web application, the FWSSO does not use the stored credentials for a repeat connection for the same user.
The problem is caused by authorization cache hit for login page, and credential are not stored in this cache. |
| 01073383 |
Custom certificate parsing is not applied for the legacy authentication scheme. |
| 01076131 |
httponly cookies are not forwarded correctly during NTLM negotiations. |
| 01081092 |
Web Intelligence policy fails to load.
Error in httpd.log: [emerg] WIConnection::init. ERROR! install_policy failed |
00871249,
00897790,
00937707,
00871307,
01087345,
01069328,
01087308,
00886432,
01087344 |
When using an ActiveSync app on an Android phone or an iPhone, multiple sessions could be established for each user. As a result, available licenses are exhausted on Security Gateway, which causes sporadic updates to e-mail and random losses of connectivity. Refer to sk68120. |
| 01071535 |
Cannot use FileShare in Mobile Access portal if the AD password contains a comma. For example: "test,123". |
| IPS |
00906619
|
IPS Exception does not work for non-compliant HTTP - traffic is dropped.
|
| 00938213 |
Files cannot be downloaded from a web server object that has the IPS header spoofing protection enabled. The download starts, then stops without showing any progress and never completes. |
| 00941310 |
On IPSO, IPS Bypass is not implemented when the CPU load passes the configured threshold. |
| 01022363 |
After upgrading to R75.40, a number of IPS profiles on the Domain Management servers changed from Detect to Prevent. |
| 01056665 |
IPS logs show a host IP address instead of the host name. |
00937766
|
'sd_global_white_list_check: fwx_get_original_conn() failed' error appeared repeatedly in /var/log/messages file. Refer to sk88280. |
| Identity Awareness |
00938409,
01264259,
00938722,
01052881,
00974896,
01049256,
01200696,
01256842 |
PDP daemon crashes with core dumps unexpectedly. |
01051749,
01064455,
01200715,
01061648,
01069916,
01264298,
01260090,
01061650,
01064691 |
PDP Security Gateway updates the identity role on the PEP Security Gateway only when the TTL is not equal to zero. |
| 01040052 |
Enhancement: Configuration option is added for timeout value in user/password login via Captive Portal. |
| 01048697 |
The Terminal Server Agent uses alternative UPN (if applicable), while the Identity Awareness agent uses the user domain name to identify the same user and the same domain in logs. |
| 01015320 |
Enhancement: You can configure AD Query to ignore login events from users that log in to a different domain.
To configure this, in GuiDBEdit Tool, go to Table > Network Objects > network_objects > Management Server object - then in the lower pane, go to "ad_query_profile" > "ignore_different_domains".
Set the value of ignore_different_domains attribute to "true". Save all changes.
|
| 00939493 |
Captive Portal language customization does not work. The necessary field does not exist in /opt/CPNacPortal/phpincs/view/html/Authentication.php by default. |
| 01065724 |
When modifying customAgent.msi using cpmsi_tools, the msi does not update the registry. |
| Anti-Malware |
| 00940647, 00974903 |
Anti-Malware engine blocks POP3 message download. The in.emaild.pop3 and in.emaild.smtp processes crash.
|
| Endpoint Security on Demand |
00909605
|
Endpoint Security on Demand updates fail with error: "Failed module reports that local application ended during handshake". |
| Smart-1 |
01041691
|
Cannot use 'Backup' or 'Scheduled Backup' to back up to an FTP server from the Smart-1 WebUI, receiving error "GENERAL_ERROR". |
| SmartLog Index Server |
01054296
|
The FWM daemon crashes, because the SmartLog is not supported on Solaris Security Management. Refer to sk86585. |
| ClusterXL |
| 01081271 |
When VMAC is configured on 21400 series appliances, the traffic sent to Non Pivot member is dropped.
|
| 01087692 |
Full Sync fails after reboot. |
01079289,
01103133,
01081270,
01086900,
01095303,
01081271,
01089476,
01081272,
01101130 |
Non-Pivot cluster member on 21400 appliances drops the packets without any log when VMAC is enabled. Refer to sk89321. |
| SecureXL |
| 00259925 |
Memory leak in asynchronous (SecureXL) IPSO appliances. |
01088382,
01088433,
01088434 |
- SecureXL does not start on the Backup member of VRRP cluster after reboot.
- Output of "fwaccel stat" command shows:
Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function)).
Refer to sk100467 (Scenario 4 - "SecureXL does not start on the Backup member of VRRP cluster after reboot"). |
| IPsec VPN |
01064508
|
Cannot configure a timeout for the Security Gateway to lease an Office Mode IP address from a DHCP server - Office Mode DHCP request timeout is hard-coded to 5 seconds. |
| 01089882 |
VPND daemon crashes when Mobile Access clients authenticate using long certificates. |
| Mobile VPN Client |
01052809
|
Remote access VPN users cannot use UPN certificates for authentication. |
| SSL Network Extender |
| 00901633 |
On Windows client machines, after SSL Network Extender tunnel establishment, the DNS suffix gets truncated.
|
| 00950862 |
DNS configuration on Windows 7 computers does not work properly for 3G modems that use a legacy driver (not implemented as Microsoft WWI device). |
| 00748457 |
After connecting with SSL Network Extender to a VPN domain from a Windows 7 client, and then disconnecting, inbound connectivity to one or more NICs is lost. Microsoft's IP stack is dropping the inbound packet because it is viewed as "not locally destined", even though there is a LAN interface with that IP address bound to it. |
| 01090849 |
SSL Network Extender fails to connect when using an authorization certificate with a UPN. |
| VPN |
00924424
|
Poor connection to the LDAP server results in CVPND process crash. |
00951684
|
After a Security Gateway reboot, policy installation, or VPND daemon restart, the vpnd process runs in debug mode. Refer to sk86620. |
| 01074564 |
MPLS (trusted connection) configuration does not always work on a system with CoreXL enabled: the packet is dropped with "...vpn_encrypt_chain Reason: No error;" message in kernel debug. |
| 00260574 |
VPN negotiation fails for some NAT-T interfaces, getting the error "PAYLOAD-MALFORMED" in $FWDIR/log/ike.elg log file.
A configurable mechanism now limits the size of IKE packets for Security Gateways with a large number of external interfaces.
|
| 01044197 |
Vulnerability to Downgrade Attack during SSL negotiations (CVE-2008-7270). |
| 00895953 |
Insufficient memory allocation when supporting a large number of Security Gateways.
Kernel errors:;
fw_salloc: fwioctl: fwbintabreplace: failed to allocate 131680 bytes
FW-1: Warning: fw_kmalloc: unable to allocate 131672 bytes for fwioctl: fwbintabreplace
fwioctl: fwbintabreplace: fw_kmalloc(131664) failed
fwioctl: cmd=40e87ad4 data=f2e73580 |
00937971
|
When using CoreXL and VPN over VPN (encrypting an already encrypted VPN packet), a gateway in a Site-to-Site configuration will fail to register a valid SA and drop the encrypted packets with "no valid SA" error. |
| 01055167 |
Changes to the shared secret of a VPN community are not saved. |
00821417, 00827465, 00832833, 00851996, 00944368, 01056623, 01057165, 01110932, 01573964, 01574712
|
Security Gateway will stop maintaining new IKE negotiations if it fails to resolve VPN peers (the relevant negotiations for peers that were not resolved are not removed from the internal data structure, which causes the data structure to get full and not accept new negotiation to process).
|
| 00954294 |
Issues occur when handling remote access connections from a user who is in many user groups. |
00922603,
01056597 |
Reauthentication timeout interval for Remote Access clients is limited to one day. |
| 00943687 |
Changing VPN capacity optimization options does not change the corresponding kernel tables size (ike2esp, peer2ike, ike2peer) |
| 00905443 |
CoreXL drops 'in clear' traffic from a trusted interface with "Clear text packet should be encrypted" message. |
| 01091769 |
Incorrect error level messages shown in the $FWDIR/log/vpnd.elg log file.
Example:
cptls_Validation::CheckRevocation_cb: vrc: 0, elevel: 2005845172
cptls_validation_cb: called. validation rc: 0, error level: 2005845172
|
| 01088262 |
Large remote access community topologies cause a kernel memory leak. |
| 01081704 |
If link selection "statically NATed IP" is enabled, UDP traffic sent to the IP address of the Security Gateway is dropped with message: "...vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet;" in kernel debug. |
| 01057165 |
Memory leak in IKE negotiation. |
| 01091750 |
Cannot install policy when there are more than 255 VPN communities defined.
Error: "The Community idX has an ID higher than 255 (256). Please change the value of the "ID" attribute in this community, possible value could be anything between 1 to 255" |
| 01086058 |
When CoreXL is enabled, multiple duplicates of the log message "disconnected from gateway" appear. |
| 00764349 |
Windows L2TP client disconnects after 1 hour. |
| VSX |
00661732
|
Missing entries in the Check Point MIB file in the VSX Appliance for snmpwalk3 172.24.139.115 svn command.
|
| 01004032 |
When adding over 32 warp interfaces in VSX, "Virtual System interface count exceeds 64" error shows. |
| 00943793 |
Interface sorting for VSX cluster topology does not work in SmartDashboard - nothing is displayed. |
Visit our 