In case anyone's interested. A file by file comparison of live & dead management servers showed the answer to the problem below was the undocumented 30-byte binary file: $FWDIR/conf/_props.db

A good one looks in a text editor like:
1IsDirty
A sick one:
0 IsDirty

Curious text, no? But restore that one file from backup; from a clean install, or delete it & when it gets recreated at cpstart all is good as new.

Hope this is of help to someone,
Ian
--
[EMAIL PROTECTED]

Quoting Ian M <[EMAIL PROTECTED]>:

> Has anyone come across this? I posted the same a few months ago, but had no
> replies. After a month of working with the supplier, with progressively more
> breaking, and unable to find an answer the resolution was to blow all away;
> reinstall OS & NG-FP2; and rebuild policy from scratch.
>
> Catalogue of both, with events common to both incidents below. Being an
> operational unit there weren't many more changes bar policy-tweaks, though any
> other info is available.
>
> 1st time
> -Platform:
> Nokia IP330, IPSO 3.5-FCS6, FW/VPN-1 NG-FP2
> Management & fw modules on same box.
>
> -Events:
> Number of licence changes. 1st EVAL -> 2nd EVAL + VFM-25 -> 3rd EVAL + VFM-25.
> Reload, then...
>
> -Symptoms:
> All processes seem to come up, including fwm, last policy loads & traffic
> passes, but nothing binds to tcp/18190 (CPMI). Without that no management
> client can connect, and fw functions, but no changes can be made, logs
> monitored etc.
>
> [...arduous investigation process ... box wipe & rebuild...]
>
> 2nd time
> -Platform:
> Nokia IP330, IPSO 3.5-FCS7, FW/VPN-1 NG-FP2
> Same as above but with fresh IPSO.
>
> -Events:
> All works happily for 2 months. Same (new) licence throughout, VIG-25.
> Recreate this on CP usercenter & apply to fix sk11228. 1 week later reload
> and...
>
> -Symptoms:
> Exactly same as before. fwm loads, but does not bind to tcp/18190. Notice
> that 'fw kill fwm' complains about a wrong pid, so check $FWDIR/tmp and
> all 'x.pid' files have the time of the last cpstart, except fwm.pid, with the
> date of the last cpstart prior to the new licence being applied.
> Deleting this & 'cpstop;cpstart' has no effect.
>
> Given that Checkpoint have created a product, the management of which they
> _ONLY_ support through CPMI (gone the days of text editors?) this is a pretty
> important port. Any help would be v.v.greatly appreciated.
>
>
> Thanks,
> Ian
> --
> [EMAIL PROTECTED]
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
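
The two symptoms reported in this thread (nothing listening on tcp/18190, and an fwm.pid older than the other pid files in $FWDIR/tmp) can be checked with a short script. This is an added example, not part of the original posts and not Check Point tooling; the function names, the 300-second slack and the `stat` fallback are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): checks for the two symptoms described.
# Assumption: SLACK seconds covers the spread of pid-file times in one cpstart.
SLACK=${SLACK:-300}

# Modification time in epoch seconds; tries GNU stat first, then BSD stat.
mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null
}

# Reads `netstat -an` output on stdin; succeeds if a socket listens on tcp/18190.
# Accepts both the BSD (*.18190) and Linux (0.0.0.0:18190) address styles.
cpmi_listening() {
    grep -Eq '[.:]18190[[:space:]].*LISTEN'
}

# Prints each *.pid file in DIR that is more than SLACK seconds older than
# the newest pid file there, i.e. one the last cpstart did not rewrite.
stale_pid_files() {
    dir=$1
    newest=0
    for f in "$dir"/*.pid; do
        [ -f "$f" ] || continue
        t=$(mtime "$f") || continue
        if [ "$t" -gt "$newest" ]; then newest=$t; fi
    done
    for f in "$dir"/*.pid; do
        [ -f "$f" ] || continue
        t=$(mtime "$f") || continue
        if [ $((newest - t)) -gt "$SLACK" ]; then basename "$f"; fi
    done
}

# Runs only where FWDIR is set, i.e. on the management server itself.
if [ -n "${FWDIR:-}" ]; then
    netstat -an | cpmi_listening || echo "nothing listening on tcp/18190 (CPMI)"
    stale_pid_files "$FWDIR/tmp" | sed 's/^/stale pid file: /'
fi
```

Run it after a cpstart has finished; a listed fwm.pid together with no listener on tcp/18190 matches the state described above.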
