Check point state sync interface problem

From cpwiki.net
Check Point Professional Services

Problem description

State table sync was not working between firewall-1 and firewall-2 after upgrading from R65 to R70.1. fw ctl pstat showed sync packets sent, but zero received on both firewalls. The aggregate link was set up properly in IPSO and the firewalls could ping each other's sync interfaces. The real symptom was that the firewall did not recognize any of its interfaces as sync interfaces, as shown below.

The configuration of both firewalls was also double-checked by Mark Stapp and Check Point support; all firewall configurations appeared to be correct.

Symptoms

1) cphaprob stat shows the local cluster member as Down

Example:

 firewall-1[admin]# cphaprob stat
 Cluster Mode:   Sync only (IPSO cluster)
 Number     Unique Address  Firewall State (*)
 2 (local)  none            Down

2) The cphaprob interface listing shows no sync interfaces configured, even though state sync is enabled properly on the firewall cluster object in the topology and 3rd-party configuration options.

Example:

 firewall-2[admin]# cphaprob -a if
 eth-s4p1c0      non sync(non secured)
 eth-s1p1c0      non sync(non secured)
 eth-s1p2c0      non sync(non secured)
 ae1c0           non sync(non secured)
 Warning: Sync will not function since there aren't any sync(secured) interfaces
 Virtual cluster interfaces: 2
 eth-s1p1c0      192.168.100.12
 eth-s1p2c0      192.168.254.11

Solution: some of the steps from sk39047 (linked below) were used.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk39047&js_peid=P-114a7bc3b09-10006&partition=General&product=Security

What I ended up doing on firewall-1 was…

1) cpconfig > option 7 > Disable cluster membership for this gateway
2) cpconfig > option 7 > Enable cluster membership for this gateway
3) reboot

Afterwards, I had a sync interface on firewall-1. I plan to perform the same function on firewall-2. However, a disruptive failover from firewall-2 to firewall-1 will be required. Since state sync is broken, the failover will sever any stateful connections traversing the upper rail.

After the procedure above was run…

 firewall-1[admin]# cphaprob -a if
 eth-s1p1c0      non sync(non secured)
 eth-s1p2c0      non sync(non secured)
 eth-s4p1c0      non sync(non secured)
 ae1c0           sync(secured), multicast                     <<< hurray!!!
 Virtual cluster interfaces: 2
 eth-s1p1c0      192.168.100.12
 eth-s1p2c0      192.168.254.11
 firewall-1[admin]# cphaprob stat
 Cluster Mode:   Sync only (IPSO cluster)
 Number     Unique Address  Firewall State (*)
 1 (local)  1.1.1.1         Active                                     <<<< whoopee!!!
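As an added example (not part of the original page or of any Check Point tool), the following POSIX shell script parses the cphaprob -a if and cphaprob stat output shown above and flags the "no sync(secured) interface" condition that caused this outage, so it can be caught in monitoring before it shows up as zero received sync packets. The embedded sample outputs are constructed from this page's before/after listings; on a real gateway you would feed it the live command output instead.

```shell
#!/bin/sh
# Added health check for Check Point IPSO clusters: assumes the cphaprob output
# formats shown on this page. Sample outputs below are constructed, not captured.

# Print the interfaces cphaprob reports as sync(secured); empty means sync cannot work.
sync_interfaces() {
    printf '%s\n' "$1" | awk '$2 ~ /^sync\(secured\)/ { print $1 }'
}

# Print the Firewall State column of the "(local)" member row from cphaprob stat.
local_member_state() {
    printf '%s\n' "$1" | awk '$2 == "(local)" { print $4; exit }'
}

# Return 0 when the local member is Active and has at least one sync interface,
# otherwise print a one-line diagnosis and return 1.
check_sync_health() {
    ifs=$(sync_interfaces "$1")
    state=$(local_member_state "$2")
    if [ -z "$ifs" ]; then
        echo "PROBLEM: no sync(secured) interface; state sync cannot function (local state: ${state:-unknown})"
        return 1
    fi
    if [ "$state" != "Active" ]; then
        echo "PROBLEM: sync interface(s) $(echo "$ifs" | tr '\n' ' ')present but local state is ${state:-unknown}"
        return 1
    fi
    echo "OK: sync over $(echo "$ifs" | tr '\n' ' ')and local member is $state"
    return 0
}

# Constructed samples modelled on the page's listings (annotations removed).
IF_BEFORE='eth-s4p1c0      non sync(non secured)
eth-s1p1c0      non sync(non secured)
ae1c0           non sync(non secured)'
STAT_BEFORE='Cluster Mode:   Sync only (IPSO cluster)
Number     Unique Address  Firewall State (*)
2 (local)  none            Down'
IF_AFTER='eth-s1p1c0      non sync(non secured)
ae1c0           sync(secured), multicast'
STAT_AFTER='Cluster Mode:   Sync only (IPSO cluster)
Number     Unique Address  Firewall State (*)
1 (local)  1.1.1.1         Active'

# Run both samples; the failing case's exit status is ignored so the demo completes.
check_sync_health "$IF_BEFORE" "$STAT_BEFORE" || true
check_sync_health "$IF_AFTER" "$STAT_AFTER"
```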