This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mlinko
Contributor
‎2024-02-12 12:28 AM

R81.20 Jumbo upgrade reboots the active member

Dear All,

we have an "special" problem with our 23800 Appliances. When we upgrade the Standby member R81.20 Take 43 the active member reboots during the upgrade and in our case when the active member was "online" it didn't have the policy so we had to reboot it again to be able to get him to run...

The worst case scenario was that the Standby member crashed during the reboot which produced 80GB of crash dump files so when we wanted to revert the snapshot we couldn't because there was no space - the only option was an fresh install of the standby member.

Did anyone had an similar Issue??

KR
Rok

0 Kudos
16 Replies
G_W_Albrecht
Legend Legend
Legend
‎2024-02-12 03:58 AM

Could you find the reboots cause ?

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
0 Kudos
Mlinko
Contributor
‎2024-02-13 12:47 AM
In response to G_W_Albrecht

Hi,

CP Support said, that there is an "bug" that sends a package (from an standby member that is beeing updated) to the active which trigers the reboot... They also send us a fix as they did to Perry but we are a bit sceptical... We have firewalls in hospitals and if they reboot during an upgrade that is far from ideal...

We will keep you posted if CP finds something else...

the_rock
Legend
Legend
‎2024-02-13 03:07 AM
In response to Mlinko

Im with you there...I would personally not install any custom fixes, but thats just me.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-02-12 05:40 AM

That sounds pretty bad. You may want to open support case and have them investigate cause of the crash.

Best,

Andy

Mlinko
Contributor
‎2024-02-13 09:04 PM
In response to the_rock

We did but all we got is the same answer/solution as Perry - so we are a bit sceptical about it... Lets see how long do they need to release an JHF with the fixes...

KR
Rok

0 Kudos
the_rock
Legend
Legend
‎2024-02-14 04:12 AM
In response to Mlinko

Personally, I would wait. Im always honest with people about everything, no matter how good or bad it sounds and I can tell you from my own experience, installing those custom fixes, it NEVER led me to successful maintanance window later on to install regular hotfix, but again, thats just me. I cant speak for anyone else, but I would not install those ever again, been there, done that.

Best,

Andy

0 Kudos
Perry_McGrew
Collaborator
‎2024-02-12 11:56 AM

Yes.   There is a HotFix they sent me:  fw1_wrapper_HOTFIX_R81_20_JHF_T43_962_MAIN_GA_FULL.tar

You have to apply JHF 43 first.  I have not done that as I consider it makes my HA 5800 "unstable".   I want to wait for next JHF so the fix is included, but the engineer stated it may not make it into the next JHF as there was further verifications.   That does not make me feel warm and fuzzy!  I did not get their problem tracking number to check to see if it is fixed in next JHF. 

Until then, we are staying on JHF 38 on the Gateways.  

Perry

the_rock
Legend
Legend
‎2024-02-12 01:24 PM
In response to Perry_McGrew

Yea, I dont get warm and fuzzy feeling about it either. I know in the old days of CP, you would get custom fix on top of jumbo, but personally, I always found that to be nightmare scenario down the road when you would have to install another recommended / latest jumbo for a different issue, so I stopped with that practise while back. Now, I prefer to actually wait intil there is release that included all the issues customer may be having, rather than opting for the custom fix, whatever it might be, unless its super urgent/critical issue.

Just my 2 cents.

Best,

Andy

Perry_McGrew
Collaborator
‎2024-02-13 03:42 AM
In response to the_rock

I've been using CP since 3.0b.  I learned a long time ago to avoid hot fixes whenever possible.   I see that JHF 45 is out, but the 2 fixes don't seem to describe the issue JHF 43 introduced.  JHF 43 had some feature improvements we were interested in.   But I don't want to go through having to go back to TAC to get an updated Hot Fix based on JHF 45.   I will try to get the internal tracking number for the Bug and post it here.  

Perry

the_rock
Legend
Legend
‎2024-02-13 04:01 AM
In response to Perry_McGrew

I hear ya. I dont mind recommended hotfixes, but I would never install custom fix if one was suggested. Been there, done that.

Best,

Andy

Perry_McGrew
Collaborator
‎2024-02-14 05:14 AM
In response to the_rock

I re-opened my TAC case to request the CP tracking number.   So far, the only response has been "...have you installed the Hot Fix we published on the SFTP Server?..." 😖

JHF 45 does not appear to have the fix... in the past, usually have to go back to TAC to have a custome HF recoded to support the the latest JHF.   Just not worth the time & risk to roll back the custom HF to apply JHF 45 and a re-coded HF (if needed) to fix this issue.   I will wait for the official fix in the published JHF.

 

Perry

the_rock
Legend
Legend
‎2024-02-14 05:44 AM
In response to Perry_McGrew

I agree 100%, not worth the time as you said and more importantly, NOT worth a risk. As far as the response you mentioned, its best I dont even comment on it lol

Andy

0 Kudos
Perry_McGrew
Collaborator
‎2024-02-19 12:12 PM
In response to the_rock

Finally got a response from Check Point TAC.   It is below:

 

The T43_962 HF includes two fixes numbers PRHF-31146 and PRHF-29514, to be added to the R81.20 jumbo HF SK. In theory, every fix will sooner or later get integrated into JHF.

Currently, PRHF-31146 is on the list to be added to R81.20 JHF but as of now, a JHF take number has not been assigned yet. PRHF-29514 has been added to the next R81.20 JHF, which has not been released yet.

I think I will hold on JHF 41 and future JHF's on the Gateways until these fixes are incorporated.   My Mgt server has been on JHF 43 and been solid.  

Perry

the_rock
Legend
Legend
‎2024-02-19 12:20 PM
In response to Perry_McGrew

Sounds like a smart decision to me.

Best,

Andy

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2024-03-11 09:04 AM
In response to the_rock

Hello Guys, 
we have seen a similar issue on Maestro with R81.20 HFA 43 and HF45. The updated SGM were stuck in constant boot loops.
In "cphaprob -list"  we a saw a "Configuration" PNOTE, so a config sync issue.

Now TAC is working on custom hotfixes to mitigate this boot loops, but based on HFA 41, since they admitted that HFA 43 and HFA 45 are not the ideal choice for Maestro / VSX.

best regards

0 Kudos
the_rock
Legend
Legend
‎2024-03-11 09:34 AM
In response to Thomas_Eichelbu

Lets hope next one that comes out will include all those fixes.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events