Nelson_Thoms
Participant

R80.30 upgrade of 5000 series appliance - network drop when using SFP interfaces

Hello,

We have a pair of 5200-HPP firewalls in a cluster, running R80.20.  We use the SFP interfaces to connect to a layer 2 switch (Cisco).  When we upgrade the firewalls to R80.30, the fiber/SFP interfaces drop and the switch says the ports are not operational.  When we roll the firmware back to R80.20, the ports become operational and traffic passes.  I think this issue is specific to the SFP ports on the Check Point firewall, since if I move the network configuration to the copper ports on the firewall, network operation resumes.  Of course we have valid Check Point branded SFPs on the firewall side, and swapping out transceivers or using different OM4 cable does not make a difference.

Anyone else run into issues with the SFP ports on Check Point 5000-series firewalls following an upgrade to R80.30?  I've tried raising the issue with the vendor and they are not providing troubleshooting assistance, even though we can consistently demonstrate that a rollback of the firewalls to R80.20 makes the issue go away, and as soon as we complete the upgrade to R80.30 the SFP ports go down.

Cheers, hope someone out there has ideas on how to troubleshoot this!

4 Replies
Timothy_Hall
Legend

Run the following commands on the Cisco for that port:

no lldp transmit

no lldp receive

and if that doesn't solve it, try this command on the Cisco:

service unsupported-transceiver

 

Nelson_Thoms
Participant

Thanks Timothy, I just gave that a try - the lldp setting was on by default, so I've flicked it to disabled for transmit/receive and bounced the ports.  No difference, other end points in the VLAN appear with learned MACs, but not the firewalls.

'service unsupported-transceiver' does not seem to be a command supported in our environment (Cisco ACI), but I've gone ahead and validated the transceivers loaded on the switch side and they are supported/compatible.

Nelson_Thoms
Participant

Good news - We got the fiber interface to come up after manually setting the switchport to not negotiate and manually set as 1GB.  I don't have an explanation as to why the issue only occurs following the upgrade, but with the workaround in place we can keep moving forward with upgrading our fleet.

PhoneBoy
Admin

It's possibly a different version of the driver in R80.30.
Recommend engaging with the TAC on this.