Management High Availability Synchronizaton failure

From cpwiki.net
Revision as of 07:05, 21 May 2013 by Nighthawk (Talk | contribs)

Jump to: navigation, search
Check Point Profressional Services

Problem description

  • Management HA is failing to sync the secondary CMA via SmartDashboard > Policy > Management High Availability
  • Error message: "Failed to receive current status. Reason: 'Management High Availability feature is not enabled.

chkp mgmt ha sync error.png

  • The smart_center_backup parameter in the objects_5_0.C is false when it should be true
[Expert@provider-1]# mdsenv cma-primary
[Expert@provider-1]# cpmiquerybin attr "" network_objects "management='true'" -a __name__,smart_center_backup
cma-primary true
cma-secondary       false
  • The secondary CMA is newly created and has never been synchronized. Synchronization during the CMA creating failed.
  • Error messages from cpca.elg of the secondary cma:
main: could not initiate the Certificate Authority. No Certificate Authority existing
  • The cpca process on the secondary CMA is down and fails to start.
[Expert@provider-1]# mdsstat                             |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name           | IP address      | FWM        | FWD      | CPD      | CPCA     |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS |        -       | 192.168.1.1     | up 3421    | up 3420  | up 3419  | up 3956  |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA | cma-primary    |  192.168.1.2    | up 21716   | up 21715 | up 21705 | down     |

Solution

  • Change the smart_center_backup parameter to true using dbedit, gui-dbedit or by editing the objects_5_0.C file.

One the primary cma

  1. stop cma
  2. mdsenv cma-primary
  3. rm $FWDIR/conf/mgha/*
  4. start cma
  5. Manually synchronized the secondary via SmartDashboard > Policy > Management HighAvailability


After the sync was successful, the cpca on the secondary cma should start on its own.

[Expert@provider-1]# mdsstat                             |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name           | IP address      | FWM        | FWD      | CPD      | CPCA     |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS |        -       | 192.168.1.1     | up 3421    | up 3420  | up 3419  | up 3956  |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA | cma-primary | 192.168.1.2 | up 21716 | up 21715 | up 21705 | up 21785 |