FIB Problem solution to ClusterXL failure of Checkpoint Firewall

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--


The office network has two Check Point firewalls running as a ClusterXL High Availability (active/standby) cluster. The cluster failure looked like this: one member, CP-248, showed a state of Down while the other, CP-246, was Active, so the active/standby failover between CP-246 and CP-248 could not work.

[NJZQ-CP-248] # cphaprob stat

Cluster Mode: New High Availability (Active Up)

Number Unique Address Assigned Load State

1 19.19.19.246% Active

2 (local) 19.19.19.248 0% Down

[NJZQ-CP-248] # cphaprob list // this command is very useful: it lists the key components that ClusterXL monitors on a member (Check Point calls each of them a "Device") together with their current state

Built-in Devices:

Device Name: Interface Active Check

Current state: OK

Registered Devices:

Device Name: Synchronization

Registration number: 0

Timeout: none

Current state: OK

Time since last report: 705.3 sec

Device Name: Filter

Registration number: 1

Timeout: none

Current state: OK

Time since last report: 699.2 sec

Device Name: cphad

Registration number: 2

Timeout: 2 sec

Current state: OK

Time since last report: 0.6 sec

Device Name: fwd

Registration number: 3

Timeout: 2 sec

Current state: OK

Time since last report: 0.4 sec

Device Name: FIB

Registration number: 4

Timeout: none

Current state: problem

Time since last report: 1 sec

The corresponding CP-246 is displayed as follows:

[NJZQ-CP-246] # cphaprob stat

Cluster Mode: New High Availability (Active Up)

Number Unique Address Assigned Load State

1 (local) 19.19.19.246% Active

2 19.19.19.248 0% Down

The cphaprob list output on CP-246, by contrast, showed nothing abnormal: every device reported OK.

[Expert@NJZQ-CP-246] # cphaprob list

Built-in Devices:

Device Name: Interface Active Check

Current state: OK

Registered Devices:

Device Name: Synchronization

Registration number: 0

Timeout: none

Current state: OK

Time since last report: 3077.4 sec

Device Name: Filter

Registration number: 1

Timeout: none

Current state: OK

Time since last report: 3071.4 sec

Device Name: cphad

Registration number: 2

Timeout: 2 sec

Current state: OK

Time since last report: 0.2 sec

Device Name: fwd

Registration number: 3

Timeout: 2 sec

Current state: OK

Time since last report: 0.8 sec

After observing the failure above, we first tried to restart ClusterXL on CP-248 as follows:

[NJZQ-CP-248] # expert

Enter expert password:

You are in expert mode now.

[Expert@NJZQ-CP-248] # clusterXL_admin down

Setting member to administratively downstate...

Member current state is Down

[Expert@NJZQ-CP-248] # clusterXL_admin up

Setting member to normal operation...

Member current state is Down

Operation failed: member is still down, run 'cphaprob list' for further details

Even after rebooting the member, the cluster state was still not restored.

Searching online for a solution, we compared the cpconfig configuration entries of the two firewalls and found the following:

[NJZQ-CP-246] # expert

Enter expert password:

You are in expert mode now.

[Expert@NJZQ-CP-246] # cpconfig

This program will let you re-configure

Your Check Point products configuration.

Configuration Options:

--

(1) Licenses and contracts

(2) SNMP Extension

(3) PKCS#11 Token

(4) Random Pool

(5) Secure Internal Communication

(6) Disable cluster membership for this gateway

(7) Configure Check Point CoreXL

(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9):

[NJZQ-CP-248] # expert

Enter expert password:

You are in expert mode now.

[Expert@NJZQ-CP-248] # cpconfig

This program will let you re-configure

Your Check Point products configuration.

Configuration Options:

--

(1) Licenses and contracts

(2) SNMP Extension

(3) PKCS#11 Token

(4) Random Pool

(5) Secure Internal Communication

(6) Disable Advanced Routing // note that this entry differs from the CP-246 menu: Advanced Routing is currently enabled on CP-248 but not on CP-246.

(7) Disable cluster membership for this gateway

(8) Configure Check Point CoreXL

(9) Automatic start of Check Point Products

(10) Exit

Enter your choice (1-10): 6 // select 6 here, press Enter, and disable the Advanced Routing function.

Disable Advanced Routing...

= =

You have selected to disable advanced routing.

Are you sure? (y/n) [y]? y // enter y

In order to accomplish the action, CheckPoint services should be restarted.

Restart now? (y/n) [y]? y // enter y; the Check Point service restart then proceeds as shown below.

Advanced Routing Suite is now stopped

Stopping SmartView Monitor daemon...

SmartView Monitor daemon is not running

Stopping SmartView Monitor kernel...

Driver is Down.

Rtmstop: SmartView Monitor kernel is not loaded

FloodGate-1 is already stopped.

VPN-1/FW-1 stopped

SVN Foundation: cpd stopped

SVN Foundation: cpWatchDog stopped

SVN Foundation stopped

Cpstart: Power-Up self tests passed successfully

Cpstart: Starting product-SVN Foundation

SVN Foundation: Starting cpWatchDog

SVN Foundation: Starting cpd

SVN Foundation started

Cpstart: Starting product-VPN-1

FireWall-1: starting external VPN module-- OK

FireWall-1: Starting fwd

Installing Security Policy Office-Cluster-Policy on all.all@NJZQ-CP-248

Fetching Security Policy from localhost succeeded

Fetching Security Policy From:221.226.154.195 192.168.200.173

Local Policy is Up-To-Date.

The Policy was not installed because it is the same as the Policy already on the Module.

FireWall-1: enabling bridge forwarding

FireWall-1 started

Cpstart: Starting product-FloodGate-1

FloodGate-1 is disabled. If you wish to start the service, please run 'etmstart enable'.

Cpstart: Starting product-SmartViewMonitor

SmartView Monitor: Not active

Cpstart: Starting product-AdvancedRouting

Advanced Routing is not enabled. Please use 'cpconfig' to enable it.

Advanced Routing was successfully disabled

Configuration Options:

--

(1) Licenses and contracts

(2) SNMP Extension

(3) PKCS#11 Token

(4) Random Pool

(5) Secure Internal Communication

(6) Enable Advanced Routing

(7) Disable cluster membership for this gateway

(8) Configure Check Point CoreXL

(9) Automatic start of Check Point Products

(10) Exit

After CP-248 restarted, we checked the cluster status again and it had immediately returned to normal:

[Expert@NJZQ-CP-248] # cphaprob stat

Cluster Mode: New High Availability (Active Up)

Number Unique Address Assigned Load State

1 221.226.154.195 100% Active

2 (local) 19.19.19.248 0% Standby

[Expert@NJZQ-CP-248] #

On CP-246 the cluster status now looked as follows:

[Expert@NJZQ-CP-246] # cphaprob stat

Cluster Mode: New High Availability (Active Up)

Number Unique Address Assigned Load State

1 (local) 19.19.19.246% Active

2 19.19.19.248 0% Standby

[Expert@NJZQ-CP-246] #

At this point the cluster of the two Check Point firewalls is healthy again, and active/standby switching works normally.
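The diagnosis above hinges on spotting the one device in cphaprob list whose state is not OK. The following shell snippet is an added example (not from the original article or from Check Point) that automates that check from the plain-text cphaprob list layout shown above; the embedded sample output is constructed to mirror the CP-248 listing, and the FIB hint simply restates the article's finding.

```bash
#!/bin/sh
# Added example: scan "cphaprob list" output for devices not in state OK.
# Run on a member in expert mode as:  cphaprob list | failed_devices
# (the article's plain-text layout is assumed: "Device Name:" / "Current state:" lines)

failed_devices() {
    # Reads cphaprob list text on stdin; prints "Device=<name> state=<state>"
    # for every device whose Current state is not OK. Exit status 1 if any found.
    awk '
        /^Device Name:/   { sub(/^Device Name:[ \t]*/, "");   name  = $0 }
        /^Current state:/ { sub(/^Current state:[ \t]*/, ""); state = $0
                            if (state != "OK") { print "Device=" name " state=" state; bad++ } }
        END { exit (bad > 0) ? 1 : 0 }
    '
}

# What the article's case teaches about a given failing device (FIB only;
# other devices get a generic pointer back to cphaprob list).
hint_for() {
    case "$1" in
        FIB) echo "FIB problem: compare Advanced Routing state in cpconfig on both members; it must match" ;;
        *)   echo "check 'cphaprob list' on both members for the failing device" ;;
    esac
}

# Constructed sample, abridged from the CP-248 listing in the article.
SAMPLE_CP248='Built-in Devices:
Device Name: Interface Active Check
Current state: OK
Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Device Name: FIB
Registration number: 4
Timeout: none
Current state: problem
Time since last report: 1 sec'

# Returns 0 when every device is OK, 1 when at least one reports a problem.
check_member() {
    printf '%s\n' "$1" | failed_devices
}

if [ "${1:-}" = "--demo" ]; then
    check_member "$SAMPLE_CP248" || hint_for FIB
fi
```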
