This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
gemechis
Explorer
‎2025-01-22 11:58 PM

Checkpoint Security Gateway

We have deployed checkpoint maestro in our environment.  2 MHO-140's and 2 Security Gateways. 

The security gateway's were sharing a load with 50%, 50%. But last week when I checked the gateway status using asg monitor, it shows on of the gateways Down. One Active. We tried to troubleshoot, we removed the gateway from Maestro and tried to add it again, but after we removed it we could not get it on the maestro, as it is not there under unassigned gateways. All the DAC cables were connected to Maestro & SG and functioning well. 

Any help on this is appreciated. 


ASG MONITOR.png
Preview file
18 KB
0 Kudos
17 Replies
AkosBakos
Mentor Mentor
Mentor
‎2025-01-23 12:44 AM

Hi @gemechis 

Maybe basic question, but what is the output of the lldpctl? 

  • have you tried to FCD the affected appliance (I know, you are remote, but maybe LOM is installed on the SGM) and then put the into the SG again?
  • what is the lldpclt output?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
gemechis
Explorer
‎2025-01-23 01:35 AM
In response to AkosBakos

@AkosBakos 

The output for lldpctl is attahched here with. It shows only the other Maestro on downlink port 48, and the Activve Gateway on port 31.

LLDCTL.png
Preview file
57 KB
0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2025-01-23 01:50 AM
In response to gemechis

Hi,

Maybe a dummy thing, have you tried to plug and unplug the DAC?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
gemechis
Explorer
‎2025-01-23 02:55 AM
In response to AkosBakos

@AkosBakos 

Yes, even we have tried  by changing a new DAC cable. But it didn't workout. 

0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2025-01-23 03:54 AM
In response to gemechis

Hi @gemechis 

We can't see the appliance in the #lldpctl. Do you see the same on both MHO?

Can you share the outputs of the MHO:

  • orch_stat -a
  • lldpctl

Can you reach the appliamce via LOM?

I had issues with with interface card. Tha solution was the RMA of card.

That is 100% sure the appliance up and running?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
gemechis
Explorer
‎2025-02-02 10:41 PM
In response to AkosBakos

Hello @AkosBakos 

Sorry for the late reply.
I have done both commands on both MHO's. On both MHO's gateway's are plugged on port 31 & 32. port 48 is a sync port for MHO's. Find the output of both MHO's orch_stat -a and lldpctl. 

The device up and running. We are 100% sure. 

We haven't tried the LOM Port. How does it work? Is it different from console one.


ORCH_STAT_1.png
Preview file
13 KB
ORCH_STAT_2.png
Preview file
7 KB
MHO-1-ORCH_STAT_2.png
Preview file
51 KB
MHO-12-ORCH_STAT_1.png
Preview file
51 KB
0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2025-02-03 12:22 AM
In response to gemechis

Hi,

Maybe a dummy question: Because you removed from the Security Group -> this caues an FCD -> Maybe the version of SGM not reverted to R81.10?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
gemechis
Explorer
‎2025-02-03 12:40 AM
In response to AkosBakos

@AkosBakosyes we have removed it from the group on MHO. then now we can not able to  discover it.

Does it needs to be reverted to 81.10

 

0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2025-02-03 12:43 AM
In response to gemechis

Hi @gemechis 

Summerize it:

  • The MHOs: R81.20
  • The SGM in the working SG: R81.20
  • what version has the failing member?

Akos

 

----------------
\m/_(>_<)_\m/
0 Kudos
gemechis
Explorer
‎2025-02-03 12:48 AM
In response to AkosBakos

@AkosBakos 

Yes you right.

The failing member also has the same version R81.201

0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2025-02-03 12:52 AM
In response to gemechis

And one more "dummy" question. When you reimaged the SGM, did you use the correct .iso?

----------------
\m/_(>_<)_\m/
0 Kudos
gemechis
Explorer
‎2025-02-03 03:01 AM
In response to AkosBakos

@AkosBakos Both MHO's and Both Security Gateways are reimaged during our migration to Maestro on April.

0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2025-02-03 03:03 AM
In response to gemechis

Now I run out of ideas. Have you open a ticket by TAC already?

----------------
\m/_(>_<)_\m/
0 Kudos
gemechis
Explorer
‎2025-02-03 10:43 PM
In response to AkosBakos

@AkosBakos 

Thanks for all the ideas. Now i will open a TAC ticket.

0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2025-02-03 11:26 PM
In response to gemechis

Hi,

Please Keep us updated.

akos

----------------
\m/_(>_<)_\m/
0 Kudos
gemechis
Explorer
‎2025-02-17 11:05 PM
In response to AkosBakos

@AkosBakos 

Hope you are well. This issue has been solved after doing aa reboot of the faulty gateway. Then we have moved it to the security group and now everything is working well.

Thanks for the support.

0 Kudos
gemechis
Explorer
‎2025-02-17 11:04 PM
In response to AkosBakos

@AkosBakos 

Hope you are well. This issue has been solved after doing aa reboot of the faulty gateway. Then we have moved it to the security group and now everything is working well.

Thanks for the support.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top