Ruan_Kotze
Nickel

Connectivity issues from standby gateway after R80.10 -> R80.30 upgrade


Good day,

I have recently completed an upgrade from R80.10 to R80.30 (Management + 2 gateways in HA cluster). The upgrade itself was successful but I have noticed one issue on the standby gateway. We cannot ping or do NSlookups etc from the standby node. License checks also fail on this node.

What I have attempted thus far:

  1. Set the "fw ctl set int fwha_forw_packet_to_not_active 1" on both gateways
  2. Followed the guidance in sk147093 (fw ctl zdebug output matched that in the SK, as per below, IP sanitised)

121670435;[cpu_1];[SIM-207375815];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x10, cdir=0) -> dropping packet, conn: [<1.1.1.1,2022,2.2.2.2,88,6>][PPK0];
@;121670435;[cpu_1];[SIM-207375815];sim_pkt_send_drop_notification: (0,0) received drop, reason: general reason, conn:

It is important to note that all connectivity is restored when I do a fw unloadlocal. There have also been no changes to either NAT or firewall policies.

I've found a couple of posts on CheckMates describing similar issues, but unfortunately no resolution apart from the steps above.

I will also log a TAC case, but hoping to hear if anyone has experienced similar issues after an upgrade?

Thanks,

Ruan

 


Accepted Solutions
Ruan_Kotze
Nickel

Re: Connectivity issues from standby gateway after R80.10 -> R80.30 upgrade


Hi Everyone,

We worked with TAC and managed to resolve the issue. In the end we had to follow step 4 in sk43807. All updates etc are working and all warnings in SmartConsole have been cleared.

Cheers,

Ruan


Re: Connectivity issues from standby gateway after R80.10 -> R80.30 upgrade

All R80.30 gateway clusters we run are using VRRP and I can set this NAT function on the cluster object and still do not understand why this option is not available for ClusterXL.
I really don't.
Regards, Maarten

Re: Connectivity issues from standby gateway after R80.10 -> R80.30 upgrade


Looks like sk147493 - seems no R80.30 Jumbo has this fix yet...

Ruan_Kotze
Nickel

Re: Connectivity issues from standby gateway after R80.10 -> R80.30 upgrade

I understood from TAC that there is a hotfix available, but they prefer not to deploy as it might be overwritten by the next Jumbo, causing behaviour regression.
Ruan_Kotze
Nickel

Re: Connectivity issues from standby gateway after R80.10 -> R80.30 upgrade


I have opened a case with TAC. They seemed surprised that the kernel parameter did not fix the issue. I will update this thread once we have a resolution.


Connectivity issues from standby gateway after R80.10 -> R80.30 upgrade


What I do wonder is why this is regarded as an issue? Usually, I do not issue ping nor nslookup from the CLI of standby cluster members - or is there a very good reason for that?


Re: Connectivity issues from standby gateway after R80.10 -> R80.30 upgrade

The nslookup prevents the gateway from having access to the Check Point cloud, so when there is a failover, many things need to get their updates at that moment...
Meaning there is no updated URL/APCL database, IPS (when set to the gateway gets it by itself), Dynamic objects will fail during the first minute.
Also CPUSE will not be able to show you the list of available downloads, so when you want to update the cluster with the latest Jumbo, you need to make the member master first, wait for it to get the update list etc etc.
Regards, Maarten