Check Point firewall ClusterXL fault: solving the fib "problem" state
The office network has two Check Point firewalls running as an HA cluster in active/standby mode. The cluster showed the following symptom: CP-248 is in the Down state while CP-246 is Active, so an HA failover between CP-246 and CP-248 cannot succeed.
[njzq-cp-248]# cphaprob stat
Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State
1          19.19.19.246    100%            Active
2 (local)  19.19.19.248    0%              down

[njzq-cp-248]# cphaprob list // This command is useful for locating the failing key component that the CP firewall cluster monitors (CP calls these Devices)
Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Registered Devices:

Device Name: synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 705.3 sec

Device Name: filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 699.2 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.6 sec

Device Name: FWD
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.4 sec

Device Name: fib
Registration number: 4
Timeout: none
Current state: problem
Time since last report: 1 sec
The corresponding output on CP-246 is as follows:
[njzq-cp-246]# cphaprob stat
Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State
1 (local)  19.19.19.246    100%            Active
2          19.19.19.248    0%              down
On CP-246, the cphaprob list output shows no exception; every device is OK.
[Expert@njzq-cp-246]# cphaprob list
Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Registered Devices:

Device Name: synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 3077.4 sec

Device Name: filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 3071.4 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.2 sec

Device Name: FWD
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.8 sec
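The check done by eye on the two cphaprob list outputs above can be scripted. The following is an added example, not part of the original post: it reads cphaprob list text and prints every device whose state is not OK. The function names are hypothetical and the sample input is constructed from the CP-248 output shown above.

```shell
#!/bin/bash
# Added example (not from the original post): report ClusterXL critical
# devices whose state is not OK, from `cphaprob list` text on stdin.

# Constructed sample, shortened from the CP-248 output shown above.
sample_cphaprob_list() {
cat <<'EOF'
Built-in Devices:
Device Name: Interface Active Check
Current state: OK
Registered Devices:
Device Name: synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 705.3 sec
Device Name: FWD
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.4 sec
Device Name: fib
Registration number: 4
Timeout: none
Current state: problem
Time since last report: 1 sec
EOF
}

# Print "name<TAB>state" for every device that is not OK.
# Labels are matched case-insensitively; trailing blanks/CR are dropped.
failing_devices() {
    awk '
        { lower = tolower($0) }
        lower ~ /^device name:/ {
            name = $0
            sub(/^[^:]*:[ \t]*/, "", name); sub(/[ \t\r]+$/, "", name)
        }
        lower ~ /^current state:/ {
            state = lower
            sub(/^[^:]*:[ \t]*/, "", state); sub(/[ \t\r]+$/, "", state)
            if (state != "ok") printf "%s\t%s\n", name, state
        }
    '
}

# Succeeds only when no device is failing (usable from cron or a monitor).
devices_healthy() { [ -z "$(failing_devices)" ]; }

# On a cluster member: cphaprob list | failing_devices
sample_cphaprob_list | failing_devices
```

Run on each member, a non-empty result names the device that keeps the member down, which here is fib on CP-248.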
After discovering the above fault, ClusterXL on CP-248 was restarted as follows:
[njzq-cp-248]# expert
Enter expert password:
You are in expert mode now.
[Expert@njzq-cp-248]# clusterXL_admin down
Setting member to administratively down state ...
Member current state was down
[Expert@njzq-cp-248]# clusterXL_admin up
Setting member to normal operation ...
Member current state was down
Operation failed: member is still down, run 'cphaprob list' for further details
After a reboot, it was still unsuccessful.
A solution found on the web: compare the cpconfig configuration entries of the two firewalls. The comparison showed:
[njzq-cp-246]# expert
Enter expert password:
You are in expert mode now.
[Expert@njzq-cp-246]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Configure Check Point CoreXL
(8) Automatic start of Check Point products
(9) Exit

Enter your choice (1-9) :
[njzq-cp-248]# expert
Enter expert password:
You are in expert mode now.
[Expert@njzq-cp-248]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable Advanced Routing // Note: this entry is where this firewall differs from the CP-246 firewall; Advanced Routing was already enabled here.
(7) Disable cluster membership for this gateway
(8) Configure Check Point CoreXL
(9) Automatic start of Check Point products
(10) Exit

Enter your choice (1-10) :6 // select 6 and press Enter to disable the Advanced Routing function
Disable Advanced Routing ...
============================
You have selected to disable Advanced Routing.
Are you sure? (y/n) [y] ? y // enter y
In order to accomplish the action, Check Point services should be restarted.
Restart now? (y/n) [y] ? y // enter y; the CP service restart process is shown below
Advanced Routing Suite is now stopped
Stopping SmartView Monitor daemon ...
SmartView Monitor daemon is not running
Stopping SmartView Monitor kernel ...
Driver is down.
rtmstop: SmartView Monitor kernel is not loaded
FloodGate-1 is already stopped.
VPN-1/FW-1 stopped
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
cpstart: Power-Up self tests passed successfully
cpstart: Starting product - SVN Foundation
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
cpstart: Starting product - VPN-1
FireWall-1: starting external VPN module -- OK
FireWall-1: Starting fwd
Installing Security Policy office-cluster-policy on [email protected]
Fetching Security Policy from localhost succeeded
Fetching Security Policy from: 221.226.154.195 192.168.200.173
Local policy is up-to-date.
The policy wasn't installed because it is the same as the policy already on the module.
FireWall-1: enabling bridge forwarding
FireWall-1 started
cpstart: Starting product - FloodGate-1
FloodGate-1 is disabled. If you wish to start the service, please run 'etmstart enable'.
cpstart: Starting product - SmartView Monitor
SmartView Monitor: Not active
cpstart: Starting product - Advanced Routing
Advanced Routing is not enabled. Please use 'cpconfig' to enable it.
Advanced Routing was successfully disabled

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable Advanced Routing
(7) Disable cluster membership for this gateway
(8) Configure Check Point CoreXL
(9) Automatic start of Check Point products
(10) Exit
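The side-by-side comparison of the two cpconfig menus that exposed the difference can also be done mechanically. The following is an added example, not part of the original post: it assumes each member's menu has been saved as text, uses hypothetical function names, and the two menus are constructed from the output shown above.

```shell
# Added example (not from the original post): find cpconfig menu entries
# that exist on only one cluster member.

# Constructed captures of the two menus, based on the output shown above.
menu_cp246() {
cat <<'EOF'
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Configure Check Point CoreXL
(8) Automatic start of Check Point products
(9) Exit
EOF
}
menu_cp248() {
cat <<'EOF'
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable Advanced Routing
(7) Disable cluster membership for this gateway
(8) Configure Check Point CoreXL
(9) Automatic start of Check Point products
(10) Exit
EOF
}

# Drop the "(N)" index so entries compare by name, not by menu position.
menu_entries() {
    sed -n 's/^[[:space:]]*([0-9][0-9]*)[[:space:]]*//p' | LC_ALL=C sort -u
}

# Args: two commands that print a menu. Output: "< entry" for entries only
# in the first menu, "> entry" for entries only in the second.
menu_drift() {
    a=$(mktemp) && b=$(mktemp) || return 1
    "$1" | menu_entries > "$a"
    "$2" | menu_entries > "$b"
    LC_ALL=C comm -23 "$a" "$b" | sed 's/^/< /'
    LC_ALL=C comm -13 "$a" "$b" | sed 's/^/> /'
    rm -f "$a" "$b"
}

menu_drift menu_cp246 menu_cp248
```

The single line of output, "> Disable Advanced Routing", is the entry that exists only on CP-248, matching the inconsistency noted in the menu above.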
After CP-248 rebooted, the cluster status was checked and had immediately returned to normal.
[Expert@njzq-cp-248]# cphaprob stat
Cluster Mode:   New High Availability (Active Up)

Number     Unique Address   Assigned Load   State
1          221.226.154.195  100%            Active
2 (local)  19.19.19.248     0%              Standby

[Expert@njzq-cp-248]#
On CP-246, the cluster status is as follows:
[Expert@njzq-cp-246]# cphaprob stat
Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State
1 (local)  19.19.19.246    100%            Active
2          19.19.19.248    0%              Standby

[Expert@njzq-cp-246]#
At this point, the two CP firewalls are clustered successfully, and active/standby switching is normal.
This article is from the "emulate snail" blog, please be sure to keep this source http://jeffsoung.blog.51cto.com/392776/1681212