Has anyone started installing JHF317 and had it break the cluster, where one of the firewalls does not come back up? It seems that it is breaking the sync connection. Please let me know if you have experienced this and what you did to remediate it.
Hi Etheldra, could you please elaborate on "do not come back" and "breaking sync"? Thanks
Hi. When I say it does not come back up, I meant that it goes into a "down state" (active attention/down) and does not come back to an active/standby state. I have rebooted, pushed policy, and reconfigured SIC to a different interface, and nothing works in this particular scenario.
In another instance of the JHF, when I did "cphaprob stat" the response was "HA MODULE NOT STARTED". I had to reset SIC, then pushed policy, which then resolved the issue.
Is there a compatibility issue with JHF 317 and open server that runs Gaia 77.30?
Hi Etheldra,
Can you answer several questions:
1) What was the previous JHF installed?
2) What type of open servers do you use?
3) What kind of cluster configuration do you use? Cluster HA or LS?
4) If it is HA mode, do you use Primary UP configuration?
5) Did the issue happen after upgrading only the first member, or after upgrading both?
Thank you in advance,
Roman
That's exactly what happened to us, and we had to roll it back to the previous JHF.
Sounds like it’s a common issue with this particular JHF.
It was on CP-4600
Hi Zack, I also installed JHF 317 on a CP 4600 cluster last week. Initially the cluster broke and "cphaprob state" responded "HA module not started", but when I checked properly, SIC was not established using the SYNC interface; I had used a temporary interface (as it was a new installation) for establishing SIC and I set it as "Non-Monitored Private".
Once I had those temporary interfaces as the 1st SYNC, the cluster was formed and everything was perfect after policy installation. Thanks.
Hi Guys,
Can you answer several questions:
1) What was the previous JHF installed on your machines?
2) What kind of cluster configuration do you use? Cluster HA or LS?
3) If it is HA mode, do you use Primary UP configuration?
4) Did the issue happen after upgrading only the first member, or after upgrading both?
Thank you in advance,
Roman
Hi Guys,
Can you answer several questions:
1) What was the previous JHF installed on your machines? JHF225
2) What kind of cluster configuration do you use? Cluster HA or LS? HA
3) If it is HA mode, do you use Primary UP configuration? I am not sure what that means Roman. We have our FW cluster in Active/Standby state. I hope this helps with what you are asking.
4) Did the issue happen after upgrading only the first member, or after upgrading both?
One of the firewalls got upgraded, the one that got upgraded was the one that did not come back up and is currently down. The one that did not get the upgrade worked fine.
Etheldra N Frederick-Radde (Freddie)
Analyst II - Info Sec Response | Macy's, Inc.
5985 State Bridge Road | Johns Creek, GA 30097
Office: 678-474-3122
Mobile: 678-471-0125
Etheldra,
Thanks for your answers!
Will you be able to open SR for the issue described above?
Best Regards,
Roman
Have you got any news regarding the SR already? I plan to deploy this version on some production clusters soon and I wonder if it would be better to wait a while...
The issue still exists. I have a troubleshooting call with CP today.
It seems the issue is occurring with open servers. I am going to work with CP for those.
However, with the CP servers, we have experienced SIC being disabled or the FW will not come back up to an active/standby state.
Overall we have had success with the CP 4400s with a few of the firewalls having the SIC lost issue.
Hi Etheldra
Is the issue with SIC or SYNC? I am a little confused right now.
For SYNC, this comment I made a few days ago happened to me on Open Servers only (even with R80.10).
Kenny Manrique wrote:
One behavior I noticed when installing the newest JHF (this happened to me more than once) on cluster environments is that the SYNC interface goes to "No Link" state (red icon) on one of the members after the installation reboot (or even both), despite everything being connected at the physical level and the interface being in the on state.
The workaround was simple: shut down the sync interface from the CLI or web for both members and enable it again. After this SYNC works OK.
Regards.
The issue is with SIC (that connects both FW and in some sense works as a sync between the firewall pair).
Per Kenny’s statement I have experienced that too.
We tried that but it did not work. We even tried to create a new sync port and it did not work.
The clocks were off. We set it and pushed policy and are testing that now. I will send an update when we are finished.
Update. I apologize it took so long. We were unable to find a resolution for why JHF 317 broke SIC. The only thing that seemed different was that it was done on an open source server and not on CP hardware. We essentially replaced the hardware with CP and all is well now with JHF 317.
Hello Etheldra,
Could you share the SR number you've opened?
Thanks in advance
Roman
1) What was the previous JHF installed on your machines? Fresh Install so R77.30 take 3
2) What kind of cluster configuration do you use? HA
3) If it is HA mode, do you use Primary UP configuration? Active/Standby
4) Did the issue happen after upgrading only the first member, or after upgrading both? Both gateways were upgraded before the issue.
One behavior I noticed when installing the newest JHF (this happened to me more than once) on cluster environments is that the SYNC interface goes to "No Link" state (red icon) on one of the members after the installation reboot (or even both), despite everything being connected at the physical level and the interface being in the on state.
The workaround was simple: shut down the sync interface from the CLI or web for both members and enable it again. After this SYNC works OK.
Regards.