CHKP000 - Failed to Connect to Check Point Gateway
Agent error code #CHKP000 indicates that the Knocknoc agent could not open a network connection to the Check Point gateway's Identity Awareness Web API. The connection failed before any TLS handshake or authentication took place.
This is a network-level failure, distinct from a timeout (#CHKP001, where the path is reachable but the gateway does not respond in time) and from a TLS error (#CHKP002, where the connection opens but the certificate is not trusted).
Common causes include:
- The Gateway Hostname configured on the Knoc is misspelled or does not resolve in DNS
- The agent host has no network route to the gateway, or a firewall between them is dropping the connection
- The Identity Awareness Web API is published on a non-standard port that was not included in the hostname (for example gw.example.com:4434)
- The gateway is powered off, or its portal service is not running
Steps to Resolve
Confirm the Gateway Hostname
- In the Knocknoc admin interface, open the connection configuration for the affected Check Point Knoc
- Check the Gateway Hostname value. It should be the hostname or IP of the gateway serving the Identity Awareness Web API, optionally with :port
- For an HA cluster, confirm it points at the cluster VIP, not an individual member
For the full setup, see the Check Point setup guide.
Test Connectivity from the Agent Host
- From the host running the Knocknoc agent, confirm DNS resolves:
  nslookup gw.example.com
- Confirm the port is open:
  nc -vz gw.example.com 443
- If either fails, the problem is in DNS, routing, or a firewall on the path, not in Knocknoc
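The hostname check and the two connectivity tests above, combined into one script that reports which stage fails. This is an added example, not part of the Knocknoc documentation. It assumes port 443 when the value has no :port, uses getent hosts instead of nslookup so the system resolver (including /etc/hosts) is exercised, and its exit codes are the script's own.

```shell
#!/bin/sh
# Added example: triage a Gateway Hostname value ("host" or "host:port").
# Assumption: port 443 is used when the value carries no ":port".

gw_host() {   # host part of the value
    case "$1" in
        *:*) printf '%s\n' "${1%:*}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

gw_port() {   # port part, defaulting to 443
    case "$1" in
        *:*) printf '%s\n' "${1##*:}" ;;
        *)   printf '443\n' ;;
    esac
}

valid_port() {   # true only for an integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null
}

# Exit codes (this script's own, not Knocknoc's):
#   0 reachable, 2 bad value, 3 DNS failure, 4 TCP connect failure
check_gateway() {
    host=$(gw_host "$1"); port=$(gw_port "$1")
    case "$host" in
        ''|*[!A-Za-z0-9.-]*)
            echo "CONFIG: '$host' is not a bare hostname or IPv4 address"; return 2 ;;
    esac
    valid_port "$port" || { echo "CONFIG: port '$port' is not 1-65535"; return 2; }
    case "$host" in
        *[!0-9.]*)   # a name, not an IPv4 literal: resolve it first
            getent hosts "$host" >/dev/null 2>&1 ||
                { echo "DNS: $host does not resolve on this host"; return 3; } ;;
    esac
    nc -z -w 5 "$host" "$port" >/dev/null 2>&1 ||
        { echo "TCP: $host:$port refused, filtered, or unrouted"; return 4; }
    echo "OK: TCP connect to $host:$port succeeded"
}

# Run only when a value is passed: sh check.sh gw.example.com:4434
if [ "$#" -gt 0 ]; then check_gateway "$1"; fi
```

A value pasted with a scheme (https://...) or a trailing colon is reported as CONFIG before any network test runs, which separates a typo in the Knoc configuration from a DNS or firewall problem.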
Check the Network Path
- Confirm no firewall between the agent and the gateway is blocking outbound HTTPS
- If the agent egresses through a NAT, proxy, or jump host, confirm that path reaches the gateway