Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
CheckMate-R77
Contributor
Jump to solution

ClusterXL R80.10 to R80.30 upgrade not possible

Security Gateway R80.10 take 479 (kernel: 2.6.18-92cpx86_64) in ClusterXL HA configuration installed on two Proliant DL380 G9 servers - which are supported according to CheckPoint HCL.

I'm trying to update to version R80.30 take 200 with Check_Point_R80.30_T200_Fresh_Install_and_Upgrade_Security_Gateway.tgz

After importing this tgz package with CPUSE I get following message:

The following results are not compatible with the package:

- /opt/DDR/bin/../Definitions/DDR_Scripts/DDR_shared_functions: line 19: export: `/etc/appliance_config.xml:1:=/etc/appliance_config.xml:1:': not a valid identifier
/opt/DDR/bin/../Definitions/DDR_Scripts/DDR_shared_functions: line 19: export: `:=:': not a valid identifier
Machine's appliance type is , machine's series name is
/bin/bash: line 2: ^: command not found
/bin/bash: line 3: /etc/appliance_config.xml:1:: No such file or directory
/bin/bash: line 5: ^: command not found

The R80.30 image you imported is not supported on:
- Cloud environment (Microsoft Azure, Google Cloud, Amazon Web Service and Aliyun)
- xfs file system
The image is not allowed on the following appliances:
- Smart-1 205
- Smart-1 25b
- Smart-1 210
- Smart-1 225
- Smart-1 405
- Smart-1 410
- Smart-1 525
- Smart-1 625
- Smart-1 50
- Smart-1 150
- Smart-1 3050
- Smart-1 3150
- Smart-1 5050
- Smart-1 5150
- Check Point 16000THS
- Check Point 26000THS
- Check Point 3600
- Check Point 3600T
- Check Point 6200B
- Check Point 6200P
- Check Point 6200T
- Check Point 6600
- Check Point 6600T
- Check Point 6900
- Check Point 6900T
For more information contact Check Point support.

And verifier says:

Check install failed - Installation of Check_Point_R80.30_Gaia_3.10_T300_Fresh_Install_and_Upgrade.tgz is not allowed (Reason: Verifier results
Package: Check_Point_R80.30_Gaia_3.10_T300_Fresh_Install_and_Upgrade.tgz

Clean Install:
Installation is allowed.

Upgrade:
The following results are not compatible with the package:
- Branch hugo1 is installed from take 479
- Machine has the following System Manufacturer: HP
- Machine has the following system product name: ProLiant DL380 Gen9

This version is only supported on:
- Lenovo ThinkSystem SR650
- Cisco Systems Inc UCSC-C240-M5S
- Cisco Systems Inc UCSC-C240-M5SX
- Cisco Systems Inc C220 M5
- FUJITSU PRIMERGY RX2540 M4
- FUJITSU PRIMERGY RX2540 M5
- HPE/HP ProLiant DL360 Gen9
- HPE/HP ProLiant DL380 Gen9
- HPE/HP ProLiant DL360 Gen10
- HPE/HP ProLiant DL380 Gen10
- Dell PowerEdge R630
- Dell PowerEdge R640
- Dell PowerEdge R740xd and R740
- Dell PowerEdge R730
- Check Point 23800 appliance
- Check Point 23900 appliance
- Check Point 16000
- Check Point 16000T
- Check Point 26000
- Check Point 26000T appliances

- This version can be installed only on Check Point R80.20 with Linux kernel 3.10 for cloud Take 5 or above
- This version requires 64Bit CPU
- This version is not supported on ClusterXL in Load Sharing mode with IPSec VPN blade enabled (this limitation does not apply to VSX in VSLS mode).
)

Why only clean istall is possible? Why upgrade with connectivity upgrade method is not possible?
What means this strange event log? It discovers HP ProLiant DL380 Gen9 as not compatible and few lines below it says it is supported.

 

Thanks in advance,

Mirek

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion



The direct update from kernel 2.6 to 3.10 is unfortunately not possible. Fresh install the gateways with R80.30 kernel 3.10.

I would proceed as follows on both gateways:

1) Create a snapshot via clish

> add snapshot 8010   
> set snapshot export R8010 path /var/log name R8010

2) Download the snapshot via winscp (/var/log/R8010)

3) Export the GAIA config via clish

> save configuration gwconfig.txt

4) Download the config via winscp to your PC

5) Install an new R80.30  gateway with 3.10 kernel

6) Install the latest R80.30 JHF (sk153152)

7) Upload the gwconfig.txt file to the new gateway

8.) Import the config

> set clienv on-failure continue  

> load configuration config.txt

> set clienv on-failure stop

> save config

9) Reboot the gateway

10) Creat a new SIC with the gateway via SmartConsole and cpconfig

11) Install the license via SmartConsole

12) You may have to backup and restore some of the usual files on the gateways:

$FWDIR/boot/modules/fwkern.conf  -> Firewall stettings
$FWDIR/conf/discntd.if                        -> Disconnected interfaces
$FWDIR/conf/trac_client_1.ttm          -> SecureClient settings

13) Change the version from R80.10 to R80.30 and install the policy

>>> Perform the same steps on the second gateway.

14) Check with cpconfig the CoreXL settings on both gateways. The same core number should be set here.

That should be it:-)

 

 

 

➜ CCSM Elite, CCME, CCTE

View solution in original post

14 Replies
G_W_Albrecht
Legend
Legend

I would ask TAC to provide a helping hand here - apart from installing the newest CPUSE version, i can not suggest anything...

CCSE CCTE CCSM SMB Specialist
0 Kudos
Vincent_Bacher
Advisor
Advisor

Don't know if i misunderstand your issue or the installation versions of R80.30 or both.
When looking at the download section of R80.30 i see at R80.30 Fresh Install and Upgrade for Security Gateway and Standalone no Open Server listed in Model section.

When looking at Check Point R80.30 with Gaia 3.10  sk152652, Open Server is listed and there's a download link for cpuse upgrade.  What's about this?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
CheckMate-R77
Contributor

Document "ClusterXL upgrade methods and paths" (sk107042) shows that R80.10 can be upgraded to R80.20 or R80.30 with OSU or CU methods. The same is for "Connectivity Upgrade R77.x and R80.x Versions Best Practices"

There is howewer the note:
CU upgrade to R80.30 with kernel 3.10 is not supported.

But I'm trying to upgrade to "normal" R80.30 (and not with kernel 3.10 which requires different package).

There is no any note which states that it doesn't apply to open servers or something like this.

In "Installation and Upgrade Guide R80.30" there is no such information either.

0 Kudos
CheckMate-R77
Contributor

You mean that OSU or CU methods for open servers ends on R80.10 and if I would like to upgrade to R80.20 or R80.30 I need to apply OSU (which also seems impossible) or fresh install?

0 Kudos
PhoneBoy
Admin
Admin
The error messages you copy/pasted seem to show you are trying to upgrade to the R80.30-3.10 variant, which is definitely not supported.
The R80.20-3.10 and R80.30-3.10 variants only support installation via fresh install.

Assuming you get this errors importing the correct tgz, I recommend a TAC case.
0 Kudos
AlekseiShelepov
Advisor

Could you check which CPUSE version you have and update it to the latest first, if required?

0 Kudos
Daniel_Schlifka
Contributor

Security Gateway R80.10 take 479 (kernel: 2.6.18-92cpx86_64) in ClusterXL HA configuration installed on two Proliant DL380 G9 servers - which are supported according to CheckPoint HCL.

I'm trying to update to version R80.30 take 200 with Check_Point_R80.30_T200_Fresh_Install_and_Upgrade_Security_Gateway.tgz

- This version can be installed only on Check Point R80.20 with Linux kernel 3.10 for cloud Take 5 or above

So update to r80.20, then start over again.

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion



The direct update from kernel 2.6 to 3.10 is unfortunately not possible. Fresh install the gateways with R80.30 kernel 3.10.

I would proceed as follows on both gateways:

1) Create a snapshot via clish

> add snapshot 8010   
> set snapshot export R8010 path /var/log name R8010

2) Download the snapshot via winscp (/var/log/R8010)

3) Export the GAIA config via clish

> save configuration gwconfig.txt

4) Download the config via winscp to your PC

5) Install an new R80.30  gateway with 3.10 kernel

6) Install the latest R80.30 JHF (sk153152)

7) Upload the gwconfig.txt file to the new gateway

8.) Import the config

> set clienv on-failure continue  

> load configuration config.txt

> set clienv on-failure stop

> save config

9) Reboot the gateway

10) Creat a new SIC with the gateway via SmartConsole and cpconfig

11) Install the license via SmartConsole

12) You may have to backup and restore some of the usual files on the gateways:

$FWDIR/boot/modules/fwkern.conf  -> Firewall stettings
$FWDIR/conf/discntd.if                        -> Disconnected interfaces
$FWDIR/conf/trac_client_1.ttm          -> SecureClient settings

13) Change the version from R80.10 to R80.30 and install the policy

>>> Perform the same steps on the second gateway.

14) Check with cpconfig the CoreXL settings on both gateways. The same core number should be set here.

That should be it:-)

 

 

 

➜ CCSM Elite, CCME, CCTE
CheckMate-R77
Contributor

To be clear, currently we have:

> show version all
Product version Check Point Gaia R80.10
OS build 479
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bit

And CPUSE Deployment Agent build: 1865 (Release date: 16 February 2020)

I know that R80.30 Gaia 3.10 release requires a dedicated image (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...) and supports open servers (also ours HPE ProLiant DL380 Gen9). I'm affraid I will not install Gaia 3.10 (no matter R80.20 or R80.30) because HP Ethernet 10Gb 2-port 560SFP+ adapters are not supported 😞 https://www.checkpoint.com/support-services/hcl/

On the other hand https://www.checkpoint.com/support-services/hcl/ethernet-10gb-2-port-560sfp-adapter/

By the way "clean" R80.30 on HCL table means Gaia with 2.6 kernel, right?

 

Anyway I think I need to do fresh install from Check_Point_R80.30_T200_Security_Gateway.iso https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_d...

I thought it will be possible to upgrade (OSU or CU method) form our current R80.10 to R80.30, but it doesn't work even to R80.20 either. (I'm using .tgz packages on both cases).

 

Thank all of You for precious hints.

0 Kudos
CheckMate-R77
Contributor

Because of HP Ethernet 10Gb 2-port 560SFP+ adapters I need to stay by kernel 2.6 and not install 3.10.

That's why I thought it will be possible to upgrade (OSU or CU method) to R80.30 (eventually R80.20) still kernel 2.6 release,

0 Kudos
CheckMate-R77
Contributor

To Vincent Bacher

 

By the way I also see that on R80.30 Gaia Fresh Install for Security Gateway and Standalone https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_d...no Open Server is listed in Model section either.

However below there is a note

This image can be used for R80.30 Gaia Fresh Install using Legacy CLI on these machines:

  • 2200 Appliances
  • 3000 Appliances
  • 4000 Appliances
  • 5000 Appliances
  • 6000 Appliances
  • 12000 Appliances
  • 13000 Appliances
  • 15000 Appliances
  • 21000 Appliances
  • 23000 Appliances
  • Open Servers
0 Kudos
PhoneBoy
Admin
Admin
The "default" R80.30 for gateways is Linux 2.6 kernel.
Note that the "default" R80.40 is Linux 3.10.
It's probably worth engaging with your local Check Point office to ensure the Ethernet adapters in question get tested for certification.
0 Kudos
CheckMate-R77
Contributor

That's why the next question I would like to ask (or post brand new topic) is why for GAIA 3.10 HP Ethernet 10Gb 2-port 560SFP+ adapters are not supported and 562SFP+ are. Are there such huge technical differences between the two models, or maybe CheckPoint Lab (or something like that) has not tested 560SFP+ yet. In other words, is it possible that in the near future 560SFP+ will be supported or will they be definitively not?

 

P.S.

By the way, right now (at 07:50 GMT+1) https://www.checkpoint.com/support-services/hcl/ doesn't show Network Interface Cards table - strange, isn't it? I have double checked on two different browsers and on two different PC's and it simply does not appears. Open servers are shown (listed) and on the left I can filter them, but NICs are gone :-(.

0 Kudos
_Val_
Admin
Admin

It seems to be a failure on HCL now, reported to the relevant team.

Assuming your info is correct, there are two possibilities for not having a card in the list:

1. Certification is still in the process.

2. That particular card has issues with the driver provided by manufacturer.


Not trying to reflect a blame, but I do recall issues with HP drivers earlier in this century. To get the full answer, we need to recover HCL first and them run enquiry. Please allow me some time to do that.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events