topic Re: 5400 Appliances losing Routing-Connection after reboot in Firewall and Security Management

5400 Appliances losing Routing-Connection after reboot

Roadrunner88 — Wed, 13 Nov 2024 07:51:37 GMT

Hello,

we`ve installed two 5400 Firewalls running in a clusterXL, currently running on R80.10.

The Firewalls have been fully configured and policy is installed without errors on both sides (via management server).

After a planned reboot of one of the Firewalls, the firewall is not reachable anymore by IP from foreign networks.

Its only possible to reach it by IP via the directly connected Core Switch, which is the Gateway for the used network.

When I make a Ping from one of the Firewall to an outside network, it reports error:

abcd> ping xxxxxxxxx
connect: Network is unreachable

The ping to the Gateway IP is working

As I said, the firewall was fully configured, reachable and working (default route was set)

It seems like IP forwarding is disabled or something like that.

How can I fix this?

Why does it happen?

Thanks!

Re: 5400 Appliances losing Routing-Connection after reboot

emmap — Wed, 13 Nov 2024 08:48:40 GMT

Your version is quite out of support, but I'd suggest starting with some layer 2 and 3 troubleshooting - is the default route in the table properly? Does the appliance have an ARP entry for the default route? Can you ping local IPs?

Also, check the clustering - is there a pnote for routed?

Re: 5400 Appliances losing Routing-Connection after reboot

Roadrunner88 — Wed, 13 Nov 2024 08:58:32 GMT

The Firewalls have been new installed and the next step would be the upgrade to the current version, but we have now this problem.

As i wrote:

all was working, routing, reachability also from outside location
But after reboot I cant ping anyhting except the default gateway address

Arp entry on the appliance is present for the default GW address

Re: 5400 Appliances losing Routing-Connection after reboot

emmap — Wed, 13 Nov 2024 09:35:41 GMT

We recommend starting with a fresh install of your desired version off a USB key, rather than starting old and upgrading it. You'll get a cleaner install and better performance, as the file system on the disk will be newer and faster. An in-place upgrade (or clean install through CPUSE) will not upgrade the file system.

https://support.checkpoint.com/results/sk/sk65205

Re: 5400 Appliances losing Routing-Connection after reboot

Chris_Atkinson — Wed, 13 Nov 2024 09:59:18 GMT

Is there even a JHF on the machine currently?

I agree with Emma, between troubleshooting this (without TAC) and navigating the multi-step upgrade save yourself some time.

Re: 5400 Appliances losing Routing-Connection after reboot

Roadrunner88 — Wed, 13 Nov 2024 10:08:19 GMT

Hey there,

thanks for your help.
The Firewall sadly is on the other side of the world, no joke at this point its 12000km away 🙂

I will try to find someone who can manage this upgrade as you suggested.

I will come back if the problem persists after upgrade.

Re: 5400 Appliances losing Routing-Connection after reboot

the_rock — Wed, 13 Nov 2024 23:39:19 GMT

I read all that was said here and Im almost 100% positive the upgrade here may not solve much, specially if the error says what you wrote, network is unreachable. Yes, I agree with both Emma and Chris, version is totally unsupported, but first, before you upgrade, routing should be fixed. Personally, you could be on R55 or R82, if routing is broken, it wont make any difference,

Lets start with basics here...if you run this command from expert mode -> ip r g 8.8.8.8, what do you see? Does it look correct? Also, can you send output of just route command?

Best,

Andy

Re: 5400 Appliances losing Routing-Connection after reboot

Roadrunner88 — Thu, 14 Nov 2024 08:00:54 GMT

[Expert@xxxxxxxxxx:0]# ip r g 8.8.8.8
RTNETLINK answers: Network is unreachable

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
aa.xxxxxxx.0 * 255.255.255.252 U 0 0 0 bond1 <----- Sync Link
bbxxxxxx.0 * 255.255.255.240 U 0 0 0 eth2 <----- Uplink
cc.xxxxxx16 * 255.255.255.240 U 0 0 0 Mgmt <---------- MGMT
ddxxxxxxxx.0 * 255.255.255.0 U 0 0 0 eth1 <--------------LAN

the default gateway is not present, also after set route default command

it should look like that, shouldnt it?

Destination Gateway Genmask Flags Metric Ref Use Iface
default a.b.c.1 0.0.0.0 UG 0 0 0 xxxxxxx

so the question is, why the device is losing the defualt route and why i cant configure it again?

Re: 5400 Appliances losing Routing-Connection after reboot

emmap — Thu, 14 Nov 2024 08:10:44 GMT

Is routed running? Can you check the cluster pnotes?

Re: 5400 Appliances losing Routing-Connection after reboot

Roadrunner88 — Thu, 14 Nov 2024 09:02:12 GMT

can you help me with that?
how can I check this?

Re: 5400 Appliances losing Routing-Connection after reboot

emmap — Thu, 14 Nov 2024 10:10:53 GMT

cphaprob stat

cphaprob list

ps aux | grep routed

Re: 5400 Appliances losing Routing-Connection after reboot

the_rock — Thu, 14 Nov 2024 11:37:39 GMT

Ok, maybe silly question, but if you are setting DG via clish, are you running save config to save it?

Andy

Re: 5400 Appliances losing Routing-Connection after reboot

CheckPointerXL — Wed, 04 Dec 2024 22:13:03 GMT

1) is the default route ip into same interface's network?

2) are you sure you are not configurin a default route ip assigned to your interface?

Sorry for dumb question 🙂