topic Re: DNS error affecting CP updates in Firewall and Security Management

DNS error affecting CP updates

AndyDixon — Wed, 04 Dec 2019 11:20:32 GMT

Hello all.

My second question here. Hopefully I will supply all the necessary information.

My organisation has a ClusterXL HA pair of 5900 appliances running R80.20 Jumbo HF take 118. I have noticed on SmartConsole Gateways & Servers that the standby node is showing an error. Looking at the Device Status of the node, the IPS, Anti-Bot & Anti-Virus blades are displaying 'Error: Update failed. Contract entitlement check failed. Could not reach"updates.checkpoint.com". Check DNS and Proxy configuration on the gateway'.

I have connected via SSH to both nodes in the cluster and verified that I can ping external and internal endpoints from both nodes. I entered Expert mode on both nodes and ran dig against a known internal and external domain name. This was successful on the active node but failed on the problematic standby node with 'connection timed out; no servers could be reached'.

I power cycled the standby node this morning. I am now seeing Connection Alerts in the SmartConsole log for DNS queries originating from the problematic gateway. The reason is 'Firewall - Domain resolving error. Check DNS configuration on the gateway (0)'. We are not using domain objects.

Both HA nodes have identical NAT and policy.

I have reviewed DNS Error Message but it does not appear relevant.

It may be unrelated, but there is a noticeable delay between entering the username and the password prompt appearing when accessing the problematic node via ssh.

I'm wondering what else I can test before pushing the issue out to TAC.

Thanks,

Andy

Re: DNS error affecting CP updates

mdjmcnally — Wed, 04 Dec 2019 11:34:28 GMT

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk43807&partition=Advanced&product=ClusterXL,

Is what would work through. The SK it relates too is more about access to the standby box.

Doesn't happen everytime but this SK has resolved everytime has happened, sometimes the kernel parameter enough other times have to do the Rules to Not Hide Traffic from the box behind the Cluster.

Re: DNS error affecting CP updates

Ruan_Kotze — Wed, 04 Dec 2019 11:53:11 GMT

Another vote for sk43807. Had a couple of instances where I had this exact issue, and step 4 of the aforementioned SK resolved it for me each time.

Re: DNS error affecting CP updates

AndyDixon — Wed, 04 Dec 2019 16:34:26 GMT

Thanks both.

I followed the SK you referenced and step 4 resolved the issue for me. Apologies, I didn't find that SK when I was carrying out initial investigations.

Thanks again.

Andy

Re: DNS error affecting CP updates

mdjmcnally — Wed, 04 Dec 2019 16:45:21 GMT

Not a problem, I was just looking for an SK that I knew existed and was struggling to find it. Sometimes the SK searching can be "interesting" as don't always get back what looking for.

Re: DNS error affecting CP updates

Maarten_Sjouw — Wed, 04 Dec 2019 18:09:10 GMT

Another way to deal with this issue is to create 2 no-NAT rules, as your standby gateway traffic is hidden behind the cluster IP, when you add a rule that says when traffic is originating from the gateway (add a rule for each cluster member) to any, use original (as long as you objects have the external IP on them, otherwise create 2 objects with the Internet IP's and use those objects in the no-NAT rules).