Difference between revisions of "Check point state sync interface problem"
(Pushed from Themanclub.) |
Latest revision as of 00:21, 26 February 2013
Problem description
State table sync was not working between firewall-1 and firewall-2 after upgrading from R65 to R70.1. Fw ctl pstat showed sync packets sent, but zero received on both firewalls. The aggregate link was setup properly in IPSO and the firewalls could ping each other’s sync interfaces. The real problem symptom was that the firewall didn’t recognize any of its interfaces as being sync interfaces as seen below.
Also, the configuration of the firewalls was double checked by Mark Stapp and Check Point support. All firewall configurations appeared to be correct.
Symptoms
1) Local cpha shows down
Example:
firewall-1[admin]# cphaprob stat Cluster Mode: Sync only (IPSO cluster) Number Unique Address Firewall State (*) 2 (local) none Down
2) Cpha interface listing show no sync interfaces configured. However; state sync is enabled properly on the firewall cluster object in the topology and 3rd party configuration options.
Example:
firewall-2[admin]# cphaprob -a if eth-s4p1c0 non sync(non secured) eth-s1p1c0 non sync(non secured) eth-s1p2c0 non sync(non secured) ae1c0 non sync(non secured)
Warning: Sync will not function since there aren't any sync(secured) interfaces
Virtual cluster interfaces: 2
eth-s1p1c0 192.168.100.12 eth-s1p2c0 192.168.254.11
Solution: Some of the steps from the SK39047 linked below were used.
What I ended up doing on firewall-1 was…
1) cpconfig > option 7 > Disable cluster membership for this gateway 2) cpconfig > option 7 > Enable cluster membership for this gateway 3) reboot
Afterwards, I had a sync interface on firewall-1. I plan to perform the same function on firewall-2. However, a disruptive failover from firewall-2 to firewall-1 will be required. Since state sync is broken, the failover will severe any statefull connections traversing the upper-rail.
After the procedure above was run…
firewall-1[admin]# cphaprob -a if
eth-s1p1c0 non sync(non secured) eth-s1p2c0 non sync(non secured) eth-s4p1c0 non sync(non secured) ae1c0 sync(secured), multicast <<< hurray!!!
Virtual cluster interfaces: 2
eth-s1p1c0 192.168.100.12 eth-s1p2c0 192.168.254.11
firewall-1[admin]# cphaprob stat
Cluster Mode: Sync only (IPSO cluster)
Number Unique Address Firewall State (*)
1 (local) 1.1.1.1 Active <<<< whoopee!!!