cphaprob -a if show DOWN - Interface Active Check Current state: problem

fabiofabio — Fri, 06 Aug 2021 10:20:20 GMT

Hello everyone,
since yesterday I have a problem on the secondary gateway, every now and then it happens that it disconnects but then comes back up without problems (never understood why), this time it remained down. I have already followed these sks, (I also put an external link, forgive me if it is not allowed, notify me and I will remove it immediately)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121337

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114804

https://www.fir3net.com/Firewalls/Checkpoint/clusterxl-shows-active-attention-interface-active-check.html

none of these solved my problem. I leave below a couple of command outputs, the problematic interface is eth1:

(the eth1 interface is the one that reaches the outside, from which the whole network passes, one of the guides above explains to add the interface to the file $ FWDIR / conf / discntd.if but from what I understand, this file the does it exclude, so I would solve the error but not the malfunction problem, did I understand correctly? other thing, I did not do a cpstop / cpstart of both nodes, only the secondary one with problems, I did the push policy without errors and then I restarted the services but nothing. could i try with a reboot of the machine?)

[Expert@module2:0]# cphaprob state

Cluster Mode: High Availability (Primary Up) with IGMP Membership

Number Unique Address Assigned Load State

1 xxx.xxx.xxx.xxx 100% Active
2 (local) xxx.xxx.xxx.xxx 0% Down

Local member is in current state since Thu Aug 5 12:54:48 2021

[Expert@module2:0]# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: problem

Device Name: Recovery Delay
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 11896.8 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 11896.8 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 11948.7 sec

Device Name: cphad
Registration number: 3
Timeout: 30 sec
Current state: OK
Time since last report: 11949.9 sec
Process Status: UP

Device Name: fwd
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 11949 sec
Process Status: UP

Device Name: cvpnd
Registration number: 5
Timeout: none
Current state: OK
Time since last report: 0.2 sec

[Expert@module2:0]# cphaprob -a if

Required interfaces: 4
Required secured interfaces: 2

eth0 Disconnected non sync(non secured), multicast
eth1 DOWN (12060 secs) non sync(non secured), multicast
eth3 UP non sync(non secured), multicast
eth4 UP sync(secured), multicast
eth5 UP sync(secured), multicast
eth2 UP non sync(non secured), multicast

[Expert@module2:0]# clish -c "show interface eth1"
state on
mac-addr *********
type ethernet
link-state link up
mtu 1500
auto-negotiation on
speed 100M
ipv6-autoconfig Not configured
duplex full
monitor-mode off
link-speed Not configured <---- on the primary node this is configured as: 1000M / full
comments
ipv4-address **********
ipv6-address Not Configured
ipv6-local-link-address Not Configured

Statistics:
TX bytes:6250676504 packets:56472844 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:10604148265 packets:120388569 errors:0 dropped:0 overruns:0 frame:0

[Expert@module2:0]# ethtool eth1
Settings for eth1:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: pumbg
Wake-on: d
Current message level: 0x00000007 (7)
Link detected: yes

[Expert@module2:0]# ethtool -k eth1
Offload parameters for eth1:
Cannot get device udp large send offload settings: Operation not supported
Cannot get device GRO settings: Operation not supported
rx-checksumming: on
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: off
generic-receive-offload: off

thanks in advance for the support

Re: cphaprob -a if show DOWN - Interface Active Check Current state: problem

PhoneBoy — Mon, 09 Aug 2021 01:12:12 GMT

What version/JHF level is this?
Also what specific appliance?

Is there a specific reason you are using two non-bonded interfaces for sync?
This has not been the best practice for some time.

Also the speed on eth1 on the secondary node shows as 100mb...is that correct?
What precisely is eth1 connected to on both appliances?
The mismatch in interfaces suggests a configuration/cabling issue.

Re: cphaprob -a if show DOWN - Interface Active Check Current state: problem

fabiofabio — Mon, 09 Aug 2021 06:30:49 GMT

you're right, it was a wiring mistake. it always worked but this time it got stuck, after several attempts, it was enough to unplug and reattach the cable from the switch and poof, it's back to work. thanks anyway for the support

topic cphaprob -a if show DOWN - Interface Active Check Current state: problem in Firewall and Security Management

cphaprob -a if show DOWN - Interface Active Check Current state: problem

Re: cphaprob -a if show DOWN - Interface Active Check Current state: problem

Re: cphaprob -a if show DOWN - Interface Active Check Current state: problem