Etheldra_Freder
Collaborator

JHF 317 breaking sync connection and not coming back up

Has anyone started installing JHF 317 and had it break the cluster, where one of the firewalls does not come back up? It seems that it is breaking the sync connection. Please let me know if you have experienced this and what you did to remediate it.

19 Replies
_Val_
Admin

Hi Etheldra, could you please elaborate on "do not come back" and "breaking sync"? Thanks

Etheldra_Freder
Collaborator

Hi. When I say it does not come back up, I mean that it goes into a "down state" (active attention/down) and does not come back to an active/standby state. I have rebooted, pushed policy, and reconfigured SIC to a different interface, and nothing works in this particular scenario.

In another instance of the JHF, when I did "cphaprob stat" the response was "HA MODULE NOT STARTED". I had to reset SIC, then pushed policy, which then resolved the issue. 

Is there a compatibility issue with JHF 317 and an open server that runs Gaia 77.30?

Roman_Kats
Employee

Hi Etheldra,

Can you answer several questions:

1) What was the previous JHF installed?

2) What type of open servers do you use?

3) What kind of cluster configuration do you use? Cluster HA or LS?

4) If it is HA mode, do you use Primary UP configuration?

5) Were both members upgraded? Did the issue happen after upgrading only the first one, or after upgrading both?

Thank you in advance,

Roman

Zach_Rack
Contributor

That's exactly what happened to us, and we had to roll it back to the previous JHF.

Sounds like it’s a common issue with this particular JHF.

Etheldra_Freder
Collaborator

Zack, was this on an open server M3 or a CP server/firewall?

Zach_Rack
Contributor

It was on CP-4600

Pruthvi_Gandhi
Explorer

Hi Zack, I also installed JHF 317 on a CP 4600 cluster last week. Initially the cluster broke and "cphaprob state" responded "HA module not started", but when I checked properly, SIC was not established using the SYNC interface. I had used a temporary interface (as it was a new installation) for establishing SIC, and I gave it as "Non-Monitored Private".

Once I had those temporary interfaces as the 1st SYNC, the cluster was formed and everything was perfect after policy installation. Thanks.

Roman_Kats
Employee

Hi Guys,

Can you answer several questions:

1) What was the previous JHF installed on your machines?

2) What kind of cluster configuration do you use? Cluster HA or LS?

3) If it is HA mode, do you use Primary UP configuration?

4) Were both members upgraded? Did the issue happen after upgrading only the first one, or after upgrading both?

 

Thank you in advance,

Roman

Etheldra_Freder
Collaborator

Hi Guys,

Can you answer several questions:

1) What was the previous JHF installed on your machines? JHF225

2) What kind of cluster configuration do you use? Cluster HA or LS? HA

3) If it is HA mode, do you use Primary UP configuration? I am not sure what that means, Roman. We have our FW cluster in Active/Standby state. I hope this helps with what you are asking.

4) Were both members upgraded? Did the issue happen after upgrading only the first one, or after upgrading both?

One of the firewalls got upgraded; the one that got upgraded was the one that did not come back up and is currently down. The one that did not get the upgrade worked fine.

Etheldra N Frederick-Radde (Freddie)

Analyst II - Info Sec Response | Macy's, Inc.

5985 State Bridge Road | Johns Creek, GA 30097

Office: 678-474-3122

Mobile: 678-471-0125

Roman_Kats
Employee

Etheldra,

Thanks for your answers!

Will you be able to open an SR for the issue described above?

Best Regards,

Roman

Etheldra_Freder
Collaborator

You are welcome. I have one opened already.


Petr_Hantak
Advisor

Have you got any news regarding the SR already? I plan to deploy this version on some production clusters soon, and I wonder if it would be better to wait a while...

Etheldra_Freder
Collaborator

The issue still exists. I have a troubleshooting call with CP today.

It seems the issue is occurring with open servers. I am going to work with CP for those.

However, with the CP servers, we have experienced SIC being disabled or the FW not coming back up to an active/standby state.

Overall we have had success with the CP 4400s, with a few of the firewalls having the SIC lost issue.


KennyManrique
Advisor

Hi Etheldra

Is the issue with SIC or SYNC? I am a little confused right now.

For SYNC, what I described in this comment I made a few days ago happened to me on open servers only (even with R80.10).

Kenny Manrique wrote:

One behavior I noticed when installing the newest JHF (this happened to me more than once) on cluster environments is that the SYNC interface goes to the "No Link" state (red icon) on one of the members after the installation reboot (or even both), despite everything being connected at the physical level and the interface being in the on state.

 

The workaround was simple: shut down the sync interface from CLI or web for both members and enable it again. After this, SYNC works OK.

 


Regards.

Etheldra_Freder
Collaborator

The issue is with SIC (that connects both FWs and in some sense works as a sync between the firewall pair).

Per Kenny's statement, I have experienced that too.

We tried that but it did not work. We even tried to create a new sync port and it did not work.

The clocks were off. We set it and pushed policy and are testing that now. I will send an update when we are finished.


Etheldra_Freder
Collaborator

Update. I apologize it took so long. We were unable to find a resolution for why JHF 317 broke SIC. The only thing that seemed different was that it was done on an open source server and not on CP hardware. We essentially replaced the hardware with CP and all is well now with JHF 317.

Roman_Kats
Employee

Hello Etheldra,

Could you share the SR number you've opened?

Thanks in advance,

Roman

Pruthvi_Gandhi
Explorer

1) What was the previous JHF installed on your machines? Fresh install, so R77.30 take 3

2) What kind of cluster configuration do you use?  HA

3) If it is HA mode, do you use Primary UP configuration? Active/Standby

4) Were both members upgraded? Did the issue happen after upgrading only the first one, or after upgrading both? Both gateways were upgraded before the issue.

KennyManrique
Advisor

One behavior I noticed when installing the newest JHF (this happened to me more than once) on cluster environments is that the SYNC interface goes to the "No Link" state (red icon) on one of the members after the installation reboot (or even both), despite everything being connected at the physical level and the interface being in the on state.

The workaround was simple: shut down the sync interface from CLI or web for both members and enable it again. After this, SYNC works OK.


Regards.
