Re: Checkpoint Security Gateway

gemechis

We have deployed checkpoint maestro in our environment. 2 MHO-140's and 2 Security Gateways.

The security gateway's were sharing a load with 50%, 50%. But last week when I checked the gateway status using asg monitor, it shows on of the gateways Down. One Active. We tried to troubleshoot, we removed the gateway from Maestro and tried to add it again, but after we removed it we could not get it on the maestro, as it is not there under unassigned gateways. All the DAC cables were connected to Maestro & SG and functioning well.

Any help on this is appreciated.

AkosBakos

Hi @gemechis

Maybe basic question, but what is the output of the lldpctl?

have you tried to FCD the affected appliance (I know, you are remote, but maybe LOM is installed on the SGM) and then put the into the SG again?
what is the lldpclt output?

Akos

----------------
\m/_(>_<)_\m/

gemechis

@AkosBakos

The output for lldpctl is attahched here with. It shows only the other Maestro on downlink port 48, and the Activve Gateway on port 31.

AkosBakos

Hi,

Maybe a dummy thing, have you tried to plug and unplug the DAC?

Akos

----------------
\m/_(>_<)_\m/

gemechis

@AkosBakos

Yes, even we have tried by changing a new DAC cable. But it didn't workout.

AkosBakos

Hi @gemechis

We can't see the appliance in the #lldpctl. Do you see the same on both MHO?

Can you share the outputs of the MHO:

orch_stat -a
lldpctl

Can you reach the appliamce via LOM?

I had issues with with interface card. Tha solution was the RMA of card.

That is 100% sure the appliance up and running?

Akos

----------------
\m/_(>_<)_\m/

gemechis

Hello @AkosBakos

Sorry for the late reply.
I have done both commands on both MHO's. On both MHO's gateway's are plugged on port 31 & 32. port 48 is a sync port for MHO's. Find the output of both MHO's orch_stat -a and lldpctl.

The device up and running. We are 100% sure.

We haven't tried the LOM Port. How does it work? Is it different from console one.

AkosBakos

Hi,

Maybe a dummy question: Because you removed from the Security Group -> this caues an FCD -> Maybe the version of SGM not reverted to R81.10?

Akos

----------------
\m/_(>_<)_\m/

gemechis

@AkosBakosyes we have removed it from the group on MHO. then now we can not able to discover it.

Does it needs to be reverted to 81.10

AkosBakos

Hi @gemechis

Summerize it:

The MHOs: R81.20
The SGM in the working SG: R81.20
what version has the failing member?

Akos

----------------
\m/_(>_<)_\m/

gemechis

@AkosBakos

Yes you right.

The failing member also has the same version R81.201

AkosBakos

And one more "dummy" question. When you reimaged the SGM, did you use the correct .iso?

----------------
\m/_(>_<)_\m/

gemechis

@AkosBakos Both MHO's and Both Security Gateways are reimaged during our migration to Maestro on April.

AkosBakos

Now I run out of ideas. Have you open a ticket by TAC already?

----------------
\m/_(>_<)_\m/

Are you a member of CheckMates?

Checkpoint Security Gateway