VAP crash when handling VoIP (SIP, H323) traffic

Article Id: 167885
Status: Published
Updated On: 13-05-2017 10:57
Legacy Id: TECH243969
Products:
XOS
Issue/Introduction:

Check Point firewall may crash when passing VoIP traffic

The firewall, i.e. Check Point VSX R67 handles VoIP traffic (SIP, h323). At the time when VoIP traffic passes through the firewall, following crash might be observed:

vsx_1 cbsoopsd[2081]: [E] Using defaults from ksymoops -t elf32-i386 -a i386  
vsx_1 cbsoopsd[2081]: [E] EIP:    [<ee929810>]  
vsx_1 cbsoopsd[2081]: [E] EFLAGS: 00000202   
vsx_1 cbsoopsd[2081]: [E] eax: 00000004   ebx: 00000004   ecx: 80527f34   edx: 0000568c  
vsx_1 cbsoopsd[2081]: [E] esi: ef1dbfd0   edi: e3f251c8   esp: ee929d43  
vsx_1 cbsoopsd[2081]: [E] Call Trace: [<ee929d43>]  
vsx_1 cbsoopsd[2081]: [E] [<ee92d312>]  
vsx_1 cbsoopsd[2081]: [E] [<ee8e7fc7>]  
vsx_1 cbsoopsd[2081]: [E] [<ee8e7f90>]  
vsx_1 cbsoopsd[2081]: [E] Code: 90 90 90 90 90 90 90 <8b> 48 04 85   
vsx_1 cbsoopsd[2081]: [E]   
vsx_1 cbsoopsd[2081]: [E] >>EIP; ee929810 <[fwmod]cpas_tcp_timer_cancel_do+0/30>   <=====  
vsx_1 cbsoopsd[2081]: [E] Trace; ee929d43 <[fwmod]cpas_tcp_timer_cb+63/90>  
vsx_1 cbsoopsd[2081]: [E] Trace; ee92d312 <[fwmod]cpas_timer+12/30>  
vsx_1 cbsoopsd[2081]: [E] Trace; ee8e7fc7 <[fwmod]cptim_timer_expired+37/100>  
vsx_1 cbsoopsd[2081]: [E] Trace; ee8e7f90 <[fwmod]cptim_timer_expired+0/100>  
vsx_1 cbsoopsd[2081]: [E] Code;  ee929809 <[fwmod]cpas_tcp_output_ex+14c9/14d0>  
vsx_1 cbsoopsd[2081]: [E] 00000000 <_EIP>:  
vsx_1 cbsoopsd[2081]: [E] Code;  ee929809 <[fwmod]cpas_tcp_output_ex+14c9/14d0>  
vsx_1 cbsoopsd[2081]: [E]    0:   90                        nop      
vsx_1 cbsoopsd[2081]: [E] Code;  ee92980a <[fwmod]cpas_tcp_output_ex+14ca/14d0>  
vsx_1 cbsoopsd[2081]: [E]    1:   90                        nop      
vsx_1 cbsoopsd[2081]: [E] Code;  ee92980b <[fwmod]cpas_tcp_output_ex+14cb/14d0>  
vsx_1 cbsoopsd[2081]: [E]    2:   90                        nop      
vsx_1 cbsoopsd[2081]: [E] Code;  ee92980c <[fwmod]cpas_tcp_output_ex+14cc/14d0>  
vsx_1 cbsoopsd[2081]: [E]    3:   90                        nop      
vsx_1 cbsoopsd[2081]: [E] Code;  ee92980d <[fwmod]cpas_tcp_output_ex+14cd/14d0>  
vsx_1 cbsoopsd[2081]: [E]    4:   90                        nop      
vsx_1 cbsoopsd[2081]: [E] Code;  ee92980e <[fwmod]cpas_tcp_output_ex+14ce/14d0>  
vsx_1 cbsoopsd[2081]: [E]    5:   90                        nop      
vsx_1 cbsoopsd[2081]: [E] Code;  ee92980f <[fwmod]cpas_tcp_output_ex+14cf/14d0>  
vsx_1 cbsoopsd[2081]: [E]    6:   90                        nop      
vsx_1 cbsoopsd[2081]: [E] Code;  ee929810 <[fwmod]cpas_tcp_timer_cancel_do+0/30>   <=====  
vsx_1 cbsoopsd[2081]: [E]    7:   8b 48 04                  mov    0x4(6.186156e+307ax),6.743291e-317cx   <=====  
vsx_1 cbsoopsd[2081]: [E] Code;  ee929813 <[fwmod]cpas_tcp_timer_cancel_do+3/30>  
vsx_1 cbsoopsd[2081]: [E]    a:   85 00                     test   6.186156e+307ax,(6.743291e-317ax) 

Cause:

This is a known software issue in Check Point Active Streaming (CPAS). Please refer to below referenced SK entries for further details.

Resolution:

There are two entries in the Check Point SecureKnowledge database that are related to this type of crash. Please review these articles and contact Check Point support for further information.

VSX NGX R67 gateway crashes due to CPAS with 'Oops', and 'EIP is at cpas_tcp_timer_cancel_do'

Solution ID: sk67441
Product: VSX
Version: NGX R67, NGX R67.10
OS: SecurePlatform 2.6
Platform / Model: Intel/PC, VSX-1
Date Created: 16-Feb-2012
Last Modified: 22-Feb-2012

Symptoms

VSX NGX R67 gateway crashes with 'Oops', and 'EIP is at cpas_tcp_timer_cancel_do'

Cause

SecureXL sends a new notification for a connection that already exists in FW Connections Table. A function that writes the information into FW Connections Table corrupts a pointer, which is used by CPAS. As a result, CPAS tries to access the memory outside the allowed limit. This causes a Page Fault condition, and Linux kernel crashes.

Solution

Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.



Security Gateway restarts after initialization of VoIP session

Solution ID: sk34127
Product: Security Gateway, SecureXL
Version: NGX R60, NGX R61, NGX R62, NGX R65
OS: SecurePlatform
Date Created: 06-Jan-2008
Last Modified: 16-Sep-2008


Symptoms

The Security Gateway restarts after intialization of the VoIP session when SecureXL is enabled.
"SEVFEFW01 kernel: drv_write_lock: already locked. name = CI, current = cphwd_api_get_conn_accounting, previous = cphwd_api_get_conn_accounting, level=0" error message in the /var/log/messages file.

Solution
To resolve the problem, perform the following on the Security Gateway:

Add the line cphwd_handle_link_collision=1 to the $FWDIR/modules/fwkern.conf file.


Add the line sim_resolve_link_collision=1 to the $PPKDIR/boot/modules/simkern.conf file.


Restart the Security Gateway.


Workaround

N/A