http://www.cpwiki.net/index.php?action=history&feed=atom&title=Check_point_state_sync_interface_problemCheck point state sync interface problem - Revision history2026-04-29T09:45:48ZRevision history for this page on the wikiMediaWiki 1.21.10http://www.cpwiki.net/index.php?title=Check_point_state_sync_interface_problem&diff=25&oldid=prevNighthawk: Pushed from Themanclub.2013-02-26T00:21:14Z<p>Pushed from Themanclub.</p>
<p><b>New page</b></p><div>'''Problem description'''<br />
<br />
State table sync was not working between firewall-1 and firewall-2 after upgrading from R65 to R70.1. Fw ctl pstat showed sync packets sent, but zero received on both firewalls. The aggregate link was setup properly in IPSO and the firewalls could ping each other’s sync interfaces. The real problem symptom was that the firewall didn’t recognize any of its interfaces as being sync interfaces as seen below. <br />
<br />
Also, the configuration of the firewalls was double checked by Mark Stapp and Check Point support. All firewall configurations appeared to be correct.<br />
<br />
'''Symptoms'''<br />
<br />
1) Local cpha shows down<br />
<br />
Example:<br />
firewall-1[admin]# '''cphaprob stat'''<br />
Cluster Mode: Sync only (IPSO cluster)<br />
Number Unique Address Firewall State (*)<br />
2 (local) none Down<br />
<br />
2) Cpha interface listing show no sync interfaces configured. However; state sync is enabled properly on the firewall cluster object in the topology and 3rd party configuration options.<br />
<br />
Example:<br />
firewall-2[admin]# cphaprob -a if<br />
eth-s4p1c0 non sync(non secured)<br />
eth-s1p1c0 non sync(non secured)<br />
eth-s1p2c0 non sync(non secured)<br />
ae1c0 non sync(non secured)<br><br />
Warning: Sync will not function since there aren't any sync(secured) interfaces<br><br />
Virtual cluster interfaces: 2<br><br />
eth-s1p1c0 192.168.100.12<br />
eth-s1p2c0 192.168.254.11<br />
<br />
Solution: Some of the steps from the SK39047 linked below were used.<br />
<br />
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk39047&js_peid=P-114a7bc3b09-10006&partition=General&product=Security<br />
<br />
What I ended up doing on firewall-1 was…<br />
<br />
1) cpconfig > option 7 > Disable cluster membership for this gateway<br />
2) cpconfig > option 7 > Enable cluster membership for this gateway<br />
3) reboot<br />
<br />
Afterwards, I had a sync interface on firewall-1. I plan to perform the same function on firewall-2. However, a disruptive failover from firewall-2 to firewall-1 will be required. Since state sync is broken, the failover will severe any statefull connections traversing the upper-rail.<br />
<br />
After the procedure above was run…<br />
<br />
firewall-1[admin]# cphaprob -a if<br />
<br />
eth-s1p1c0 non sync(non secured)<br />
eth-s1p2c0 non sync(non secured)<br />
eth-s4p1c0 non sync(non secured)<br />
ae1c0 sync(secured), multicast <<< hurray!!!<br />
<br />
Virtual cluster interfaces: 2<br />
<br />
eth-s1p1c0 192.168.100.12<br />
eth-s1p2c0 192.168.254.11<br />
<br />
firewall-1[admin]# cphaprob stat<br />
<br />
Cluster Mode: Sync only (IPSO cluster)<br />
<br />
Number Unique Address Firewall State (*)<br />
<br />
1 (local) 1.1.1.1 Active <<<< whoopee!!!<br />
<br />
[[category:check point]]</div>Nighthawk