Add Device Problem: Can't add KD lab Checkpoint MDS device to indeni

Trying to add the KD lab Multi-Domain Server @ to my local indeni server:

Failing with: “Interrogation failed - Indeni attempted to determine the device type but failed. We couldn not determine the operationg system’s details…”

I’ve added several other Checkpoint devices, including two “regular” non-MDS management servers. I can SSH into the MDS with the same credentials as the credential set I’m using for the other Checkpoint servers. Based on the wiki docs, and based on the output from mdsstat, I think this is the “main” MDS server:

[Expert@lab-CP-MGMT-MDM1:0]# COLUMNS=110 && export COLUMNS && mdsstat
|                                         Processes status checking                                          |
| Type| Name                                 | IP address      | FWM        | FWD      | CPD      | CPCA     |
| MDS |                   -                  |  | up 5808    | down     | down     | down     |
| CMA |lab-CP-MGMT-MDM-VS1_Management_Server |  | up 5743    | up 5656  | up 5680  | up 7751  |
| CMA |lab-CP-MGMT-MDM-VS2_Management_Server |  | up 5674    | up 5790  | up 5385  | up 7701  |
| Total Domain Management Servers checked: 2     2 up   0 down                                               |
| Tip: Run mdsstat -h for legend                                                                             |

Here is a screen of the error:

I tried to add the device to
The interrogation command that is running is:

INFO  [2018-04-01 12:58:32,702] com.indeni.collector.actors.CommandActor: Executor on receive
execute command chkp-vendor-interrogation
with operation Some(OperationRequest(SshOperation('${nice-path} -n 15
cat /etc/cp-release ; ${nice-path} -n 15 cpstat os ; ${nice-path} -n 15 asg stat'), 
chkp-vendor-interrogation,Map(),Map(ssh -> true, linux-based -> true, https -> true, 
ip-address ->, nice-path -> /bin/nice)))

It’s timing out while waiting for 30 seconds for the output of “cpstat os”

[Expert@lab-CP-MGMT-MDM1:0]# time  cpstat os

Failed to establish session with AMON server at

real	0m35.392s
user	0m0.209s
sys	0m0.027s
1 Like

Very helpful, Shouky, thank you. I was able to reproduce on my server, see the same in the logs, and repro the command timeout on the MDS.

This isn’t making much sense to me. Johnathan clearly added specific MDS code back in 12/17. Those are the last commits to parsers/src/checkpoint/firewall/checkpoint-interrogation.ind, which is the script that appears to be failing. I’m assuming that this has worked in the past…?

I know so little about any of this stuff, but what I have seen in other MDS-specific scripts (e.g., parsers/src/checkpoint/management/cpca_client-lscert-mds.ind) is that, at least in that script, someone has prefaced ‘regular’ Checkpoint commands with a call to ‘mdsenv’, specifying the CMA. E.g., this works on the MDS in question:

[Expert@lab-CP-MGMT-MDM1:0]# mdsenv lab-CP-MGMT-MDM-VS1_Management_Server
[Expert@lab-CP-MGMT-MDM1:0]# cpstat os

Product Name:                  SVN Foundation
SVN Foundation Version String: R77.30
SVN Foundation Build Number:   990180695
SVN Foundation Status:         OK
OS Name:                       Gaia
OS Major Version:              2
OS Minor Version:              6
OS Build Number:               -
OS SP Major:                   -
OS SP Minor:                   -
OS Version Level:               
Appliance SN:                  
Appliance Name:                VMware Virtual Platform
Appliance Manufacture:         VMWare

That gives me a sortof clue, and I can debug this further, but (among other things) it would be especially nice to know if this is a system-wide bug, or somehow limited to this server.

@Shouky_Dan Do you know if we are seeing this problem with MDS in other environments? I don’t think I have access to any other MDS environments…

The problem that we solved in IKP-1087 was getting the following error from “cpstat os” :

fw_ipaddr: Unable to resolve ipaddr for pac-man

In that case the “cpstat os” command responds quickly, in this case the command is taking more than the 30 seconds that the command allows to get back a response.

Created IKP-1628