topic Re: Issues Replacing/Upgrading Appliances in H/A Cluster in Firewall and Security Management

Issues Replacing/Upgrading Appliances in H/A Cluster

cmale — Mon, 23 Jun 2025 20:56:58 GMT

I currently have two 6600s in a H/A cluster. I am replacing these two appliances with two 9100s. Below is my current plan of attack, but I run into issues and cannot establish SIC on the second appliance and DNS stops resolving (Step 7).

Make sure FW-01 is active.
Unplug cables from the standby 6600 (FW-02).
Connect the cables to the new 9100 as the standby member with same settings as FW-02.
Install SIC, change cluster version, and install policy removing the check box.
Unplug cables from the active 6600 (FW-01).
1. The 9100 (FW-02) becomes active. (DNS stops resolving at this point. I can reach internal and external IPs from the appliance itself while I am consoling in, but not from a laptop hardwired into the network).
Connect the new 9100 with the same settings as FW-01.
Install SIC, and install policy adding the check box.

SIC will not install on the second replacement. I have tried rebooting and running fw unloadlocal. DNS does not resolve at this point and I am forced to revert.

Attached is what I see in SC for the first replacement (FW-02).

Does anyone see anything glaringly obvious?

Re: Issues Replacing/Upgrading Appliances in H/A Cluster

G_W_Albrecht — Tue, 24 Jun 2025 08:34:27 GMT

Do both the old and new cluster nodes have the same Version and Jumbo Take installed ? If not, you have to use MVC during change.

Also see here:

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/m-p/69325#M5302

https://community.checkpoint.com/t5/Security-Gateways/Migrating-cluster-from-old-to-new-hardware/m-p/11364#M717

Re: Issues Replacing/Upgrading Appliances in H/A Cluster

cmale — Tue, 24 Jun 2025 11:41:47 GMT

Same version, yes. I will have to double check the Jumbo Take. I did not mention that I plan to reuse IP addresses for the two appliances as well as hostnames. Those are already changed. I just plan to take down the standby, bring up the new replacement (with same IP and hostname). I am using the same cluster.

Thank you.

Re: Issues Replacing/Upgrading Appliances in H/A Cluster

the_rock — Tue, 24 Jun 2025 18:09:47 GMT

That should be totally fine. As I mentioned in the other post where you initially asked about this issue, did you make sure 100% that routes are the same and sic port is communicating?

Andy

Re: Issues Replacing/Upgrading Appliances in H/A Cluster

cmale — Tue, 24 Jun 2025 18:47:34 GMT

I will verify tomorrow evening during my scheduled maintenance window. One thing I did not double check are the interfaces and topology when I had the new appliances up, although I did set up everything in GAIA that way it was set up for the current 6600s. I will keep you posted.

These settings should carry over if I am using the same cluster as the 6600s, though, correct? Or would they change after I bring the 9100s up?

Thank you.

Re: Issues Replacing/Upgrading Appliances in H/A Cluster

the_rock — Tue, 24 Jun 2025 19:10:09 GMT

Here is what I ALWAYS do with customers and never had a problem. So you generate clish config in a file, say for example from current fw in expert (say if its master, though name can be anything) -> clish -c "show configuration" > /var/log/masterfwconfig.txt

Get it off fw from winscp (you can enable ot by changing admin shell to bin bash with command chsh -s /bin/bash admin) and once you have the file downloaded, copy bits and pieces until donw to clish of new fw, just ommit parts say for mgmt interface, unless you have constant console to it, and you dont care for web UI access till its cutover. Then, manually download recommended jumbo from cp site, install it, reboot, then ENSURE config matches from existing to new fw by getting config file with same command and comparing the differences (you can do this in notepad++ or even compare it free download tool).

If this matches, there is no way you would have any problems, trust me. I had done this too many times not to be confident 100% in the process.

Andy

Re: Issues Replacing/Upgrading Appliances in H/A Cluster

cmale — Tue, 24 Jun 2025 19:41:07 GMT

Thank you. I will give this a try.

Re: Issues Replacing/Upgrading Appliances in H/A Cluster

the_rock — Tue, 24 Jun 2025 19:42:19 GMT

Please be free to message me directly if any issues, Im confident I can help you if you get stuck.

Andy

Re: Issues Replacing/Upgrading Appliances in H/A Cluster

garrod — Wed, 25 Jun 2025 06:18:38 GMT

Hi,

Try to check from the CLI with cphaprob command. If no problem detected, mostly is the management cache unable to be cleared and not updating to the latest status from the gateway.

Or else, a deep configuration verification is required.

Regards,

Re: Issues Replacing/Upgrading Appliances in H/A Cluster

the_rock — Thu, 26 Jun 2025 14:12:17 GMT

Hey mate,

How did it go last night? Did not see email from you, though I stayed up till 1 am just in case you needed help, so hope no news is GOOD news? 🙂

Andy

Re: Issues Replacing/Upgrading Appliances in H/A Cluster

the_rock — Thu, 26 Jun 2025 15:44:35 GMT

@cmale

I REALLY would love to help you get this working, so since you got my contact, please message me when you try this again tonight. Or, if you are around later, say 2 pm or so, we can have quick zoom meeting to go over things.

Let me know your thoughts.

Andy