API readiness test FAILED. The server is down and unable to receive connections!

I was trying to export the firewall policy from one of the CMA’s on our R80.10 Multi-Domain Server using Check Point’s Show Package Tool (sk120342).

While running the command: [[email protected]:0]# $MDS_FWDIR/scripts/web_api_show_package.sh -d 192.10.20.30 I noticed that the script hang for a while and eventually returned the following error message: Script stopped running due to severe error!

So, as suggested in sk123863 I’ve verified and confirmed that the api service was running on the MDS, but it was unable to receive connections:

[[email protected]:0]# api status

API Settings:
---------------------
Accessibility:                      Require all granted
Automatic Start:                    Enabled

Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Started   303
CPM       Started   5747      Check Point Security Management Server is running and ready
FWM       Started   12033
APACHE    Started   4448

Port Details:
-------------------
JETTY Internal Port:      50276
APACHE Gaia Port:         443

--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test FAILED. The server is down and unable to receive connections!

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
[[email protected]:0]#

Restarting the api (# api stop;api start) did not resolve the issue and also the log collection (api status -s) did not revealed a potential root cause.

So after some further investigation on the MDS I noticed the .mgmt_cli directory within /home/admin which contains a known_hosts file with a single line:

[[email protected]:0]# pwd
/home/admin/.mgmt_cli
[[email protected]:0]# cat known_hosts
JUMP STREET GO WHY NO JOE COW SLIM FIRE DELTA FARM [email protected]:443
[[email protected]:0]#

As I suspected this to be an old/revoked fingerprint, I’ve deleted the file and restarted the api again which recreated the file with the actual/updated fingerprint. So, now the API started without any errors: Overall API Status: Started. API readiness test SUCCESSFUL. The server is up and ready to receive connections.

And last but not least, also the firewall policy exporting script works now and successfully completed in a matter of seconds!

[[email protected]:0]# /opt/CPsuite-R80/fw1/scripts/web_api_show_package.sh -d 192.10.20.30
Script finished running successfully!
Result file location: show_package-2021-03-15_21-43-36.tar.gz
[[email protected]:0]#

About Normen 20 Articles
Normen is a freelance senior network security engineer specialised in Check Point Technologies solutions. If you like his articles you can buy him an espresso here

Be the first to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.