Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

DNS error affecting CP updates

Jump to solution

Hello all.

My second question here.  Hopefully I will supply all the necessary information.

My organisation has a ClusterXL HA pair of 5900 appliances running R80.20 Jumbo HF take 118.  I have noticed on SmartConsole Gateways & Servers that the standby node is showing an error.  Looking at the Device Status of the node, the IPS, Anti-Bot & Anti-Virus blades are displaying 'Error: Update failed. Contract entitlement check failed. Could not reach"updates.checkpoint.com". Check DNS and Proxy configuration on the gateway'. 

I have connected via SSH to both nodes in the cluster and verified that I can ping external and internal endpoints from both nodes.  I entered Expert mode on both nodes and ran dig against a known internal and external domain name.  This was successful on the active node but failed on the problematic standby node with 'connection timed out; no servers could be reached'.

I power cycled the standby node this morning.  I am now seeing Connection Alerts in the SmartConsole log for DNS queries originating from the problematic gateway.  The reason is 'Firewall - Domain resolving error. Check DNS configuration on the gateway (0)'.  We are not using domain objects.

Both HA nodes have identical NAT and policy.

I have reviewed DNS Error Message  but it does not appear relevant.

It may be unrelated, but there is a noticeable delay between entering the username and the password prompt appearing when accessing the problematic node via ssh.

I'm wondering what else I can test before pushing the issue out to TAC.

Thanks,

Andy

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Silver

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Is what would work through.   The SK it relates too is more about access to the standby box.

Doesn't happen everytime but this SK has resolved everytime has happened, sometimes the kernel parameter enough other times have to do the Rules to Not Hide Traffic from the box behind the Cluster.

 

View solution in original post

5 Replies
Highlighted
Silver

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Is what would work through.   The SK it relates too is more about access to the standby box.

Doesn't happen everytime but this SK has resolved everytime has happened, sometimes the kernel parameter enough other times have to do the Rules to Not Hide Traffic from the box behind the Cluster.

 

View solution in original post

Highlighted
Copper

Another vote for  sk43807.  Had a couple of instances where I had this exact issue, and step 4 of the aforementioned SK resolved it for me each time.

Highlighted

Thanks both.

I followed the SK you referenced and step 4 resolved the issue for me.  Apologies, I didn't find that SK when I was carrying out initial investigations.

Thanks again.

Andy

0 Kudos
Highlighted
Silver

Not a problem, I was just looking for an SK that I knew existed and was struggling to find it.   Sometimes the SK searching can be "interesting" as don't always get back what looking for.

0 Kudos
Highlighted
Another way to deal with this issue is to create 2 no-NAT rules, as your standby gateway traffic is hidden behind the cluster IP, when you add a rule that says when traffic is originating from the gateway (add a rule for each cluster member) to any, use original (as long as you objects have the external IP on them, otherwise create 2 objects with the Internet IP's and use those objects in the no-NAT rules).
Regards, Maarten
0 Kudos