topic Re: 81.20 Logging issue after cluster switch in Firewall and Security Management

81.20 Logging issue after cluster switch

frenzetti — Fri, 28 Feb 2025 11:52:35 GMT

Hi mates,

after updating the secure gateway version from 81.20 to 81.20 take 92 we are facing a strange problem on securegateway node
One of the two cluster nodes sends logs to management only if it is in STANDBY state.
If it is "promoted" to ACTIVE it stops sending logs to management

This is the output of the cpstat fw -f log_connection command when the node is STANDBY
Overall Status: 0
Overall Status Description: Security Gateway is reporting logs as defined
Local Logging Mode Description: Logs are written to log server
Local Logging Mode Status: 0
Local Logging Sending Rate: 0
Log Handling Rate: 0

This is the output of the same command when the node becomes ACTIVE
Overall Status: 0
Overall Status Description: Security Gateway is reporting logs as defined
Local Logging Mode Description: Error - not writing logs
Local Logging Mode Status: 5
Local Logging Sending Rate: 0
Log Handling Rate: 0

the reason is: Log-Server Disconnected

Anyone else has experienced the same issue?

Re: 81.20 Logging issue after cluster switch

AkosBakos — Fri, 28 Feb 2025 12:54:21 GMT

Hi @frenzetti

Can you access the Active and Standby gateways on port tcp257 from the MGMT server on the node IPs?

#telnet <ip> 257

And reverse? From both gateways to the SMartCenter (or Log)

Akos

Re: 81.20 Logging issue after cluster switch

the_rock — Fri, 28 Feb 2025 13:08:18 GMT

One easy fix (if it works) would be to try run fw logswitch on the gateways. Otherwise, just check what @AkosBakos suggested, and also, you can go through below sk.

Andy

https://support.checkpoint.com/results/sk/sk40090

Re: 81.20 Logging issue after cluster switch

frenzetti — Fri, 28 Feb 2025 14:59:28 GMT

Thx AkosBakos for your reply.

We are able to reach both nodes from management and viceversa.

Logging is ok until we switch the cluster and node2 becomes active.

As soon the second node becomes active the issue arises

Re: 81.20 Logging issue after cluster switch

frenzetti — Fri, 28 Feb 2025 15:01:06 GMT

Thx to you too, The Rock.

I will schedule a test (and other checks) next week. W.E. is a freeze-activities slot for customer

Thx again

Re: 81.20 Logging issue after cluster switch

the_rock — Fri, 28 Feb 2025 15:10:51 GMT

No worries. Btw, for what its worth, there is an old "trick" people would do in the old days to get logging working. It would not always be successful, but I find at least 80% of the time.

Basically, what you do is create CP host, NOT regular host, but host that looks like mgmt object and you enable ONLY logging and then save it, give same IP as mgmt and then, you go to logging settings of your gw object, set logging to log to that new object and push policy.

If that works, you give it a bit of time and then switch back to log to regular mgmt, if it works, awesome, then you can delete the new host object.

I attached 3 screenshots for the reference.

Andy

Re: 81.20 Logging issue after cluster switch

frenzetti — Thu, 06 Mar 2025 16:18:41 GMT

Just an update on topic
CP support discovered full log buffer error log and suggested applying SK52100.