topic Re: CDT leaving mvc enabled on 1 cluster node? in Firewall and Security Management

CDT leaving mvc enabled on 1 cluster node?

Lloyd_Braun — Mon, 28 Aug 2023 20:25:12 GMT

I am noticing

mvc on

in a bunch of my r81.10 firewall cluster nodes' $FWDIR/boot/ha_boot.conf files. It is only enabled for 1 node of the cluster, so the $FWDIR/boot/ha_boot.conf files are not consistent between cluster members. These were upgraded r80.30 to r81.10 via Central Deployment Tool. Is anyone else seeing this behavior from CDT?

I am not noticing any impact yet except fw tab -t connections -s output shows the connection table counts about 20% off, between active/standby nodes. Usually these numbers would be a lot closer as far as I recall.

Re: CDT leaving mvc enabled on 1 cluster node?

PhoneBoy — Mon, 28 Aug 2023 23:57:05 GMT

In a cluster, MVC is not enabled on the last cluster node to get upgraded.
Which means, in a two node cluster, only one node will have MVC enabled.
Seems like expected behavior to me.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Guide/Content/Topics-IUG/MVC-Upgrade-of-ClusterXL-GW-mode.htm?tocpath=Upgrade%20of%20Security%20Gateways%20and%20Clusters%7CUpgrading%20ClusterXL%252C%20VSX%20Cluster%252C%20or%20VRRP%20Cluster%7CMulti-Version%20Cluster%20(MVC)%20Upgrade%7C_____4

Re: CDT leaving mvc enabled on 1 cluster node?

Lloyd_Braun — Tue, 29 Aug 2023 12:19:16 GMT

I would expect the Central Deployment Tool to perform step #16, (disable the MVC mechanism.) It is leaving MVC enabled (when upgrade has completed) on all the clusters I've checked.

Re: CDT leaving mvc enabled on 1 cluster node?

mahmods — Tue, 29 Aug 2023 13:52:50 GMT

Hi @Lloyd_Braun ,

which version of CDT are you using?
in CDT V1.9.7 (GA version) the expected behavior is to turn off MVC on the cluster members after completing the fail-over if the cluster version is R80.40 until R81.10

can you please share the CDT logs in private to my email for further investigation? send it please to: mahmods@checkpoint.com

CDT saves its log files in this location on the Management Server:

/var/log/CPcdt/logs_<YYYY-MM-DD-HH-mm-ss>/

Thanks.

Re: CDT leaving mvc enabled on 1 cluster node?

Lloyd_Braun — Tue, 29 Aug 2023 15:38:52 GMT

this is an MDS

./CentralDeploymentTool -v
Central Deployment Tool (version 1.9.2 build #990180607)

I'm not seeing CDT logs at MDS or CMA levels

Re: CDT leaving mvc enabled on 1 cluster node?

mahmods — Wed, 30 Aug 2023 05:55:56 GMT

Hi @Lloyd_Braun ,

i strongly advice you to update CDT to the GA version (CDT V1.9.7).

https://support.checkpoint.com/results/sk/sk111158

using the updated version of CDT is very important in order to avoid such issues.

if the issue reproduced after using CDT V1.9.7 please let me know via email.

Thanks.

Re: CDT leaving mvc enabled on 1 cluster node?

Lloyd_Braun — Wed, 30 Aug 2023 20:05:17 GMT

That sounds reasonable. I was assuming that code was updated automagically with JHF application so it looks like we're several revs back.

Thanks!