Difference between revisions of "Check point state sync interface problem"

From cpwiki.net
Jump to: navigation, search
Check Point Profressional Services
(Pushed from Themanclub.)
 

Latest revision as of 00:21, 26 February 2013

Problem description

State table sync was not working between firewall-1 and firewall-2 after upgrading from R65 to R70.1. Fw ctl pstat showed sync packets sent, but zero received on both firewalls. The aggregate link was setup properly in IPSO and the firewalls could ping each other’s sync interfaces. The real problem symptom was that the firewall didn’t recognize any of its interfaces as being sync interfaces as seen below.

Also, the configuration of the firewalls was double checked by Mark Stapp and Check Point support. All firewall configurations appeared to be correct.

Symptoms

1) Local cpha shows down

Example:

 firewall-1[admin]# cphaprob stat
 Cluster Mode:   Sync only (IPSO cluster)
 Number     Unique Address  Firewall State (*)
 2 (local)  none            Down

2) Cpha interface listing show no sync interfaces configured. However; state sync is enabled properly on the firewall cluster object in the topology and 3rd party configuration options.

Example:

 firewall-2[admin]# cphaprob -a if
 eth-s4p1c0      non sync(non secured)
 eth-s1p1c0      non sync(non secured)
 eth-s1p2c0      non sync(non secured)
 ae1c0           non sync(non secured)
Warning: Sync will not function since there aren't any sync(secured) interfaces
Virtual cluster interfaces: 2
eth-s1p1c0 192.168.100.12 eth-s1p2c0 192.168.254.11

Solution: Some of the steps from the SK39047 linked below were used.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk39047&js_peid=P-114a7bc3b09-10006&partition=General&product=Security

What I ended up doing on firewall-1 was…

1)	 cpconfig > option 7 >  Disable cluster membership for this gateway
2)	cpconfig > option 7 >  Enable cluster membership for this gateway
3)	reboot

Afterwards, I had a sync interface on firewall-1. I plan to perform the same function on firewall-2. However, a disruptive failover from firewall-2 to firewall-1 will be required. Since state sync is broken, the failover will severe any statefull connections traversing the upper-rail.

After the procedure above was run…

firewall-1[admin]# cphaprob -a if
eth-s1p1c0      non sync(non secured)
eth-s1p2c0      non sync(non secured)
eth-s4p1c0      non sync(non secured)
ae1c0           sync(secured), multicast                     <<< hurray!!!
Virtual cluster interfaces: 2
eth-s1p1c0      192.168.100.12
eth-s1p2c0      192.168.254.11
firewall-1[admin]# cphaprob stat
Cluster Mode:   Sync only (IPSO cluster)
Number     Unique Address  Firewall State (*)
1 (local)  1.1.1.1         Active                                     <<<< whoopee!!!