This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nelson_Thoms
Participant
‎2019-11-19 06:38 PM

R80.30 upgrade of 5000 series appliance - network drop when using SFP interfaces

Hello,

We have a pair of 5200-HPP firewalls in a cluster, running R80.20.  We use the SFP interfaces to connect to a layer 2 switch (Cisco).  When we upgrade the firewalls to R80.30, the fiber/SFP interfaces drop and the switch says the ports are not operational.  When we roll the firmware back to R80.20, the ports become operational and traffic passes.  I think this issue is specific to the SFP ports on the Check Point firewall, since if I move the network configuration to the copper ports on the firewall, network operation resumes.  Of course we have valid Check Point branded SFPs on the firewall side, and swapping out transceivers or using different OM4 cable does not make a difference.

Any one else run into issues with the SFP ports on Check Point 5000-series firewalls following an upgrade to R80.30?  I've tried raising the issue with the vendor and they are not providing troubleshooting assistance, even though we can consistently demonstrate that a rollback of the firewalls to R80.20 makes the issue go away, and as soon as we complete the upgrade to R80.30 the SFP ports go down.

Cheers, hope someone out there has ideas on how to troubleshoot this!

0 Kudos
4 Replies
Timothy_Hall
Legend Legend
Legend
‎2019-11-19 07:00 PM

Run the following commands on the Cisco for that port:

no lldp transmit

no lldp receive

and if that doesn't solve it, try this command on the Cisco:

service unsupported-transceiver

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Nelson_Thoms
Participant
‎2019-11-19 07:49 PM
In response to Timothy_Hall

Thanks Timothy, I just gave that a try - the lldp setting was on by default, so I've flicked it to disabled for transmit/receive and bounced the ports.  No difference, other end points in the VLAN appear with learned MACs, but not the firewalls.

'service unsupported-transceiver' does not seem to be a command supported in our environment (Cisco ACI), but I've gone ahead and validated the transceivers loaded on the switch side and they are supported/compatible.

0 Kudos
Nelson_Thoms
Participant
‎2019-11-21 01:59 PM

Good news - We got the fiber interface to come up after manually setting the switchport to not negotiate and manually set as 1GB.  I don't have an explanation as to why the issue only occurs following the upgrade, but with the workaround in place we can keep moving forward with upgrading our fleet

PhoneBoy
Admin
Admin
‎2019-11-24 05:57 PM
In response to Nelson_Thoms

It's possibly a different version of the driver in R80.30.
Recommend engaging with the TAC on this.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top