Jose_Luis_Mart1
Explorer

Full HA cluster with MGMT sync not working

Hi!

 

I've recently installed a Full HA Cluster configuration in R81.10. Everything went well with the primary, installation, wizard, configuration of the policy...

Then I installed the secondary, wizard selecting Secondary MGMT and ClusterXL, and initial SIC password. Then SIC completed on the FW object, policy installation...

 

And everything OK on the gateway part. Cluster is working, connections synchronized, etc...

But on the MGMT part, the sync is not working. When you try to do a full sync, the primary says it can't contact its peer.

And checking on Monitor, the Secondary complains that the Security Management CA is not running.

And if you do a cpstat mg, on the part of Internal CA status you get a "?"

Licenses are OK, and as I said I did nothing special during the installation (because it really doesn't give you choices where to fail).

 

Any ideas?

 

Thanks

 

0 Kudos
16 Replies
the_rock
Legend

Did you try a reboot?

Andy

0 Kudos
Jose_Luis_Mart1
Explorer

Hi!

 

Of course! 🙂 First a cpstop / cpstart and then a reboot after it didn't change anything

0 Kudos
the_rock
Legend

Fair enough. Can you send a screenshot of the error?

0 Kudos
Jose_Luis_Mart1
Explorer

Hi again

You get this error

 

And then on Monitor

0 Kudos
Jose_Luis_Mart1
Explorer

Hi!

 

Checked these posts. About the first ones, both machines are using NTP and have the same time. About the second one, the first two check OK, ports up, but

 

ps -aux | grep solr-solrj > check if the CPM service is running --> there's no CPM process

 

0 Kudos
the_rock
Legend

What does api status show?

0 Kudos
Jose_Luis_Mart1
Explorer

[Expert@FW-IRL-2:0]# api status

API Settings:
---------------------
Accessibility: Require local
Automatic Start: Disabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 21881
CPM Started 21881 Check Point Security Management Server is running and ready
FWM Started 22568
APACHE Started 11789

Port Details:
-------------------
JETTY Internal Port: 54286
JETTY Documentation Internal Port: 57453
APACHE Gaia Port: 443

Profile:
-------------------
Machine profile: Small Medium env resources profile
CPM heap size: 1280m

Apache port retrieved from: dbget http:ssl_port


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

 

Correction about the last post: there's indeed a CPM process. What fails is what the post suggests: ps -aux | grep solr-solrj shows no results

0 Kudos
the_rock
Legend

What does below show?

$FWDIR/scripts/./cpm_status.sh

0 Kudos
Jose_Luis_Mart1
Explorer

[Expert@FW-IRL-2:0]# ./cpm_status.sh
Check Point Security Management Server is running and ready

0 Kudos
the_rock
Legend

Can you try to log into that member and see if it syncs?

0 Kudos
the_rock
Legend

@Jose_Luis_Mart1 Did you try to log into SmartConsole on fw2?

Andy

0 Kudos
Jose_Luis_Mart1
Explorer

No, you can't log into FW2 with SmartConsole

0 Kudos
Hugo_vd_Kooij
Advisor

To be honest, that is a setup that has a number of limitations and issues that you don't want to find out the hard way.

So SmartCenter always goes on a separate system and not on the gateway in a cluster setup.

Not sure why you have chosen this setup, as it is a pain.

 

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
the_rock
Legend

I will never forget what a customer told me ages ago about full HA: "When it works, it's heaven, but when it breaks, it's a true nightmare"

But then I guess that can be said for most things lol

Anyway, @Hugo_vd_Kooij, I totally get what you are saying.

Andy

0 Kudos
