Difference between revisions of "Management High Availability Synchronizaton failure"

From cpwiki.net
Jump to: navigation, search
Check Point Profressional Services
(Problem description)
(Solution)
Line 31: Line 31:
 
# start cma
 
# start cma
 
# Manually synchronized the secondary via SmartDashboard > Policy > Management HighAvailability
 
# Manually synchronized the secondary via SmartDashboard > Policy > Management HighAvailability
 +
  
 
After the sync was successful, the cpca on the secondary cma should start on its own.
 
After the sync was successful, the cpca on the secondary cma should start on its own.
 +
 +
[Expert@provider-1]# mdsstat                            |
 +
+-----+----------------+-----------------+------------+----------+----------+----------+
 +
| Type| Name          | IP address      | FWM        | FWD      | CPD      | CPCA    |
 +
+-----+----------------+-----------------+------------+----------+----------+----------+
 +
| MDS |        -      | 192.168.1.1    | up 3421    | up 3420  | up 3419  | up 3956  |
 +
+-----+----------------+-----------------+------------+----------+----------+----------+
 +
| CMA | cma-primary    |  192.168.1.2    | up 21716  | up 21715 | up 21705 | '''up 21785'''  |
 +
 +
[[category:check point]]
 +
[[category:smartcenter]]

Revision as of 07:05, 21 May 2013

Problem description

  • Management HA is failing to sync the secondary CMA via SmartDashboard > Policy > Management High Availability
  • Error message: "Failed to receive current status. Reason: 'Management High Availability feature is not enabled.

chkp mgmt ha sync error.png

  • The smart_center_backup parameter in the objects_5_0.C is false when it should be true
[Expert@provider-1]# mdsenv cma-primary
[Expert@provider-1]# cpmiquerybin attr "" network_objects "management='true'" -a __name__,smart_center_backup
cma-primary true
cma-secondary       false
  • The secondary CMA is newly created and has never been synchronized. Synchronization during the CMA creating failed.
  • Error messages from cpca.elg of the secondary cma:
main: could not initiate the Certificate Authority. No Certificate Authority existing
  • The cpca process on the secondary CMA is down and fails to start.
[Expert@provider-1]# mdsstat                             |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name           | IP address      | FWM        | FWD      | CPD      | CPCA     |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS |        -       | 192.168.1.1     | up 3421    | up 3420  | up 3419  | up 3956  |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA | cma-primary    |  192.168.1.2    | up 21716   | up 21715 | up 21705 | down     |

Solution

  • Change the smart_center_backup parameter to true using dbedit, gui-dbedit or by editing the objects_5_0.C file.

One the primary cma

  1. stop cma
  2. mdsenv cma-primary
  3. rm $FWDIR/conf/mgha/*
  4. start cma
  5. Manually synchronized the secondary via SmartDashboard > Policy > Management HighAvailability


After the sync was successful, the cpca on the secondary cma should start on its own.

[Expert@provider-1]# mdsstat                             |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name           | IP address      | FWM        | FWD      | CPD      | CPCA     |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS |        -       | 192.168.1.1     | up 3421    | up 3420  | up 3419  | up 3956  |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA | cma-primary | 192.168.1.2 | up 21716 | up 21715 | up 21705 | up 21785 |