Check Point Firewall ClusterXL Fault: Solving the fib Problem



The office network has two Check Point firewalls running as a ClusterXL HA cluster in active/standby mode. The cluster showed the following symptom: CP-248 is in the Down state while CP-246 is Active, so HA failover between CP-246 and CP-248 cannot succeed.


[njzq-cp-248]# cphaprob stat

Cluster mode: New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1          19.19.19.246    100%            Active
2 (local)  19.19.19.248    0%              Down

[njzq-cp-248]# cphaprob list    // This command lists the critical components that the cluster monitors (Check Point calls them Devices), which helps locate the fault

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 705.3 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 699.2 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.6 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.4 sec

Device Name: fib
Registration number: 4
Timeout: none
Current state: problem
Time since last report: 1 sec

The corresponding output on CP-246 is as follows:

[njzq-cp-246]# cphaprob stat

Cluster mode: New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  19.19.19.246    100%            Active
2          19.19.19.248    0%              Down


The cphaprob list output on CP-246 shows no exception; every device is OK.

[Email protected]]# cphaprob list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 3077.4 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 3071.4 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.2 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.8 sec
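The two listings differ in more than state: CP-248 registers a fib device that CP-246 does not list at all. As an added example (not part of the original post), the shell functions below parse saved cphaprob list output from both members and report devices that are not OK and devices registered on only one member; the function names and the abbreviated sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `cphaprob list` output saved from two cluster members.
# Function names and the abbreviated listings are constructed for illustration.

# parse_pnotes: stdin = `cphaprob list` text; stdout = "device<TAB>state".
# Labels and values are lower-cased so casing differences do not matter.
parse_pnotes() {
    awk -F: '
        { key = tolower($1); val = tolower($2)
          gsub(/^[ \t]+|[ \t]+$/, "", key)
          gsub(/^[ \t]+|[ \t]+$/, "", val) }
        key == "device name"   { name = val }
        key == "current state" { printf "%s\t%s\n", name, val }
    '
}

# problem_devices: stdin = `cphaprob list` text; prints devices not in state OK.
problem_devices() {
    parse_pnotes | awk -F'\t' '$2 != "ok" { print $1 }'
}

# devices_only_in A B: devices registered in listing A but missing from B.
devices_only_in() {
    other=$(printf '%s\n' "$2" | parse_pnotes | cut -f1)
    printf '%s\n' "$1" | parse_pnotes | cut -f1 |
    while IFS= read -r dev; do
        printf '%s\n' "$other" | grep -qxF -- "$dev" || printf '%s\n' "$dev"
    done
}

# Constructed sample input, abbreviated from the two listings on this page.
CP248_LIST='Device Name: Interface Active Check
Current state: OK
Device Name: Synchronization
Current state: OK
Device Name: cphad
Timeout: 2 sec
Current state: OK
Device Name: fib
Current state: problem'
CP246_LIST='Device Name: Interface Active Check
Current state: OK
Device Name: Synchronization
Current state: OK
Device Name: cphad
Current state: OK'
echo "CP-248 not OK:  $(printf '%s\n' "$CP248_LIST" | problem_devices | tr '\n' ' ')"
echo "CP-248 only:    $(devices_only_in "$CP248_LIST" "$CP246_LIST" | tr '\n' ' ')"
```

On a live member the same filter can read the command directly, as in cphaprob list | problem_devices.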


After discovering the fault, ClusterXL on CP-248 was restarted as follows:

[njzq-cp-248]# expert
Enter expert password:

You are in expert mode now.

[Email protected]]# clusterxl_admin down
Setting member to administratively down state ...
Member current state is Down

[[Email protected]]# clusterxl_admin up
Setting member to normal operation ...
Member current state is Down
Operation failed: member is still down, run 'cphaprob list' for further details

After a reboot, it was still unsuccessful.

A solution was found on the web: compare the cpconfig configuration menus of the two firewalls. The comparison showed the following:

[njzq-cp-246]# expert
Enter expert password:

You are in expert mode now.

[[email protected]]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Configure Check Point CoreXL
(8) Automatic start of Check Point products
(9) Exit

Enter your choice (1-9) :

[njzq-cp-248]# expert
Enter expert password:

You are in expert mode now.

[[email protected]]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable Advanced Routing    // Note: this entry differs from the CP-246 firewall; Advanced Routing had already been enabled on this firewall earlier.
(7) Disable cluster membership for this gateway
(8) Configure Check Point CoreXL
(9) Automatic start of Check Point products
(10) Exit

Enter your choice (1-10) :6    // Select 6 and press Enter to disable the Advanced Routing function.

Disable Advanced Routing...
============================
You have selected to disable Advanced Routing.
Are you sure? (y/n) [y] ? y    // Enter y.
In order to accomplish the action, Check Point services should be restarted.
Restart now? (y/n) [y] ? y    // Enter y; the Check Point service restart process is shown below.

Advanced Routing Suite is now stopped
Stopping SmartView Monitor daemon ...
SmartView Monitor daemon is not running
Stopping SmartView Monitor kernel ...
Driver is down.
rtmstop: SmartView Monitor kernel is not loaded
FloodGate-1 is already stopped.
VPN-1/FW-1 stopped
SVN Foundation: cpd stopped
SVN Foundation: cpwatchdog stopped
SVN Foundation stopped
cpstart: Power-Up self tests passed successfully
cpstart: Starting product - SVN Foundation
SVN Foundation: Starting cpwatchdog
SVN Foundation: Starting cpd
SVN Foundation started
cpstart: Starting product - VPN-1
FireWall-1: starting external VPN module -- OK
FireWall-1: Starting fwd
Installing Security Policy office-cluster-policy on [email protected]
Fetching Security Policy from localhost succeeded
Fetching Security Policy from: 221.226.154.195 192.168.200.173
Local Policy is up-to-date.
The policy wasn't installed because it is the same as the policy already on the module.
FireWall-1: enabling bridge forwarding
FireWall-1 started
cpstart: Starting product - FloodGate-1
FloodGate-1 is disabled. If you wish to start the service, please run 'etmstart enable'.
cpstart: Starting product - SmartView Monitor
SmartView Monitor: Not active
cpstart: Starting product - Advanced Routing
Advanced Routing is not enabled. Please use 'cpconfig' to enable it.
Advanced Routing was successfully disabled

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable Advanced Routing
(7) Disable cluster membership for this gateway
(8) Configure Check Point CoreXL
(9) Automatic start of Check Point products
(10) Exit

After the restart on CP-248, the cluster status immediately returned to normal:

[Email protected]]# cphaprob stat

Cluster mode: New High Availability (Active Up)

Number     Unique Address   Assigned Load   State

1          221.226.154.195  100%            Active
2 (local)  19.19.19.248     0%              Standby

[[Email protected]]#

On CP-246, the cluster status is as follows:

[Email protected]]# cphaprob stat

Cluster mode: New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  19.19.19.246    100%            Active
2          19.19.19.248    0%              Standby

[[Email protected]]#


At this point, the two Check Point firewalls form a working cluster again, and active/standby failover is normal.


This article is from the "emulate snail" blog, please be sure to keep this source http://jeffsoung.blog.51cto.com/392776/1681212
