Cpha status / cphaprob stat down problem on one firewall only

From cpwiki.net
Check Point Professional Services

Problem Description

Symptom 1: cphaprob stat shows the partner firewall status as Down on only one node of an HA pair.

Firewall #1:

firewall1[admin]# cphaprob stat
Cluster Mode: Sync only (IPSO cluster)
Number      Unique Address    Firewall State (*)
1 (local)   10.206.15.1       Active
2           10.206.15.2       Active

Firewall #2:

firewall2[admin]# cphaprob stat
Cluster Mode: Sync only (IPSO cluster)
Number      Unique Address    Firewall State (*)
1           10.206.15.1       Down
2 (local)   10.206.15.2       Active

Symptom 2: sync packets are sent and received in one direction only, as seen in the counters below (sampled twice on each member a few seconds apart).

Firewall #1 (both counters incrementing between samples):

firewall1[admin]# fw ctl pstat | grep -A 1 "Sync p" | awk '{print $1,$2,$3}'
       Sync packets sent:
        total : 196731,
       Sync packets received:
        total : 17342
firewall1[admin]# fw ctl pstat | grep -A 1 "Sync p" | awk '{print $1,$2,$3}'
       Sync packets sent:
        total : 196819,
       Sync packets received:
        total : 17382

Firewall #2 (sent counter incrementing, received counter stuck):

firewall2[admin]# fw ctl pstat | grep -A 1 "Sync p" | awk '{print $1,$2,$3}'
       Sync packets sent:
        total : 970,
       Sync packets received:
        total : 6,           <<< not incrementing
firewall2[admin]# fw ctl pstat | grep -A 1 "Sync p" | awk '{print $1,$2,$3}'
       Sync packets sent:
        total : 1050,
       Sync packets received:
        total : 6,           <<< not incrementing


Root Cause

Possible mismatch between the synchronization (CCP) broadcast/multicast modes of the two members: one firewall sends sync traffic as multicast while the other expects broadcast, so its sync packets are never received by the peer.

Firewall #1:

firewall1[admin]# cphaprob -a if
eth1c0 non sync(non secured)
eth2c0 non sync(non secured)
eth4c0 sync(secured), multicast

Firewall #2:

firewall2[admin]# cphaprob -a if
eth1c0 non sync(non secured)
eth2c0 non sync(non secured)
eth4c0 sync(secured), broadcast


Solution

Reset the sync (CCP) mode on the firewall whose sync packets aren't being received successfully, so that it matches the peer:

firewall1[admin]# cphaconf set_ccp broadcast

This should resolve the Down status and the one-directional sync sent/received counters.

Firewall #1:

firewall1[admin]# cphaprob stat
Cluster Mode: Sync only (IPSO cluster)
Number      Unique Address    Firewall State (*)
1 (local)   10.206.15.1       Active
2           10.206.15.2       Active

Firewall #2:

firewall2[admin]# cphaprob stat
Cluster Mode: Sync only (IPSO cluster)
Number      Unique Address    Firewall State (*)
1           10.206.15.1       Active
2 (local)   10.206.15.2       Active
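The two checks this page walks through (CCP mode agreement from cphaprob -a if, and a frozen "Sync packets received" counter from fw ctl pstat) can be scripted. The script below is an added example, not from the wiki page; it runs offline on constructed copies of the outputs shown above, so on a live pair you would replace the here-strings with the real command output collected from each member.

```sh
#!/bin/sh
# Added example: detect a CCP mode mismatch and a non-incrementing sync
# receive counter from captured command output. All sample output below is
# constructed to match the listings on the page.

# Constructed 'cphaprob -a if' output per member.
FW1_IF='eth1c0 non sync(non secured)
eth2c0 non sync(non secured)
eth4c0 sync(secured), multicast'
FW2_IF='eth1c0 non sync(non secured)
eth2c0 non sync(non secured)
eth4c0 sync(secured), broadcast'

# Constructed 'fw ctl pstat' excerpts for firewall2, two samples apart.
FW2_PSTAT_T0='Sync packets sent:
 total : 970,
Sync packets received:
 total : 6,'
FW2_PSTAT_T1='Sync packets sent:
 total : 1050,
Sync packets received:
 total : 6,'

# Print the CCP mode (multicast or broadcast) of the sync(secured) interface.
ccp_mode() {
    printf '%s\n' "$1" | awk '/sync\(secured\)/ { gsub(",", "", $NF); print $NF }'
}

# Print the "Sync packets received" total from a pstat excerpt (strips comma).
sync_received() {
    printf '%s\n' "$1" | awk '/Sync packets received/ { getline; gsub(",", "", $3); print $3 }'
}

# Succeed only if the received counter grew between the two samples.
sync_rx_incrementing() {
    [ "$(sync_received "$2")" -gt "$(sync_received "$1")" ]
}

# Succeed only if both members report the same CCP mode.
ccp_modes_match() {
    [ "$(ccp_mode "$1")" = "$(ccp_mode "$2")" ]
}

# Report the page's root-cause signature: mismatched modes plus a stuck counter.
if ! ccp_modes_match "$FW1_IF" "$FW2_IF"; then
    echo "CCP mode mismatch: fw1=$(ccp_mode "$FW1_IF") fw2=$(ccp_mode "$FW2_IF")"
fi
if ! sync_rx_incrementing "$FW2_PSTAT_T0" "$FW2_PSTAT_T1"; then
    echo "firewall2: sync packets received not incrementing"
fi
```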