Difference between revisions of "Management High Availability Synchronizaton failure"

From cpwiki.net
Jump to: navigation, search
Check Point Profressional Services
(Solution)
(Solution)
 
(One intermediate revision by one user not shown)
Line 33: Line 33:
  
  
After the sync was successful, the cpca on the secondary cma should start on its own.
+
After the sync is successful, the cpca on the secondary cma should start on its own.
  
 
  [Expert@provider-1]# mdsstat                            |
 
  [Expert@provider-1]# mdsstat                            |
Line 43: Line 43:
 
  | CMA | cma-primary    |  192.168.1.2    | up 21716  | up 21715 | up 21705 | '''up 21785''' |
 
  | CMA | cma-primary    |  192.168.1.2    | up 21716  | up 21715 | up 21705 | '''up 21785''' |
  
+-----+----------------+-----------------+------------+----------+----------+----------+
+
Problem solved.
| Type| Name          | IP address      | FWM        | FWD      | CPD      | CPCA    |
+
   
+-----+----------------+-----------------+------------+----------+----------+----------+
+
| MDS |        -      | 192.168.1.1    | up 3421    | up 3420  | up 3419  | up 3956  |
+
  +-----+----------------+-----------------+------------+----------+----------+----------+
+
| CMA | cma-primary    |  192.168.1.2    | up 21716  | up 21715 | up 21705 | '''down'''    |
+
 
+
 
[[category:check point]]
 
[[category:check point]]
 
[[category:smartcenter]]
 
[[category:smartcenter]]

Latest revision as of 07:09, 21 May 2013

Problem description

  • Management HA is failing to sync the secondary CMA via SmartDashboard > Policy > Management High Availability
  • Error message: "Failed to receive current status. Reason: 'Management High Availability feature is not enabled.

chkp mgmt ha sync error.png

  • The smart_center_backup parameter in the objects_5_0.C is false when it should be true
[Expert@provider-1]# mdsenv cma-primary
[Expert@provider-1]# cpmiquerybin attr "" network_objects "management='true'" -a __name__,smart_center_backup
cma-primary true
cma-secondary       false
  • The secondary CMA is newly created and has never been synchronized. Synchronization during the CMA creating failed.
  • Error messages from cpca.elg of the secondary cma:
main: could not initiate the Certificate Authority. No Certificate Authority existing
  • The cpca process on the secondary CMA is down and fails to start.
[Expert@provider-1]# mdsstat                             |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name           | IP address      | FWM        | FWD      | CPD      | CPCA     |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS |        -       | 192.168.1.1     | up 3421    | up 3420  | up 3419  | up 3956  |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA | cma-primary    |  192.168.1.2    | up 21716   | up 21715 | up 21705 | down     |

Solution

  • Change the smart_center_backup parameter to true using dbedit, gui-dbedit or by editing the objects_5_0.C file.

One the primary cma

  1. stop cma
  2. mdsenv cma-primary
  3. rm $FWDIR/conf/mgha/*
  4. start cma
  5. Manually synchronized the secondary via SmartDashboard > Policy > Management HighAvailability


After the sync is successful, the cpca on the secondary cma should start on its own.

[Expert@provider-1]# mdsstat                             |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name           | IP address      | FWM        | FWD      | CPD      | CPCA     |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS |        -       | 192.168.1.1     | up 3421    | up 3420  | up 3419  | up 3956  |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA | cma-primary    |  192.168.1.2    | up 21716   | up 21715 | up 21705 | up 21785 |
Problem solved.