This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Olusegun_Adekun
Contributor
‎2024-01-19 07:45 AM

Unable to log back into a Firewall after Upgrade to R81.20

Hi All,

Has anyone seen this issue before?

Upgraded Firewall from R81.10 to R81.20. After rebooy and push policy to the upgraded Firewall, am not able to login into the Firewall. It looks healthy and good on the Smart Console. 

When I checked the the Active member, it shows me this below that the secondary is LOST. TO WHERE, I ASKED.

1 (local) 10.64.0.252 100% ACTIVE(!)
2 none                         0%     LOST

Active PNOTEs: LPRB, IAC

Last member state change event:
Event Code: CLUS-110305
State change: ACTIVE -> ACTIVE(!)
Reason for state change: Interface eth2.203 is down (Cluster Control Protocol packets are not received)

Attached is the error.

 

Regards

Olu

 
 
 

 

0 Kudos
11 Replies
Machine_Head
Advisor
Advisor
‎2024-01-19 08:14 AM

you say "it looks healthy on smart console"

are you saying both cluster members have SIC established and are reachable from the management?

does it respond to ssh on any of the interfaces?
What about via the sync from the active firewall?

Have you LOM access or physical access to check console?

 

0 Kudos
Olusegun_Adekun
Contributor
‎2024-01-19 09:00 AM
In response to Machine_Head

Hi Gojira,

you say "it looks healthy on smart console" - Yes on Smart Console is Green 

are you saying both cluster members have SIC established and are reachable from the management? Both have SIC Established

does it respond to ssh on any of the interfaces? It does not respond to https from all the interfaces, so I presume ssh will not work as well.
What about via the sync from the active firewall? Tried (ssh myusername@ipaddress) from the active Firewall.

It is a very strange one to be honesst and MVC is ON as well.

0 Kudos
Oliver_Fink
Advisor
Advisor
‎2024-01-19 09:02 AM

Had the same issue today. Have you tried to login via sync interface from the active one. That worked for me.

After that I did a "cphaconf mvc on" and everything was fine.

0 Kudos
Olusegun_Adekun
Contributor
‎2024-01-19 09:13 AM
In response to Oliver_Fink

Hi Oliver,

I tried it already, it says "connection time out."

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-01-19 09:28 AM
In response to Olusegun_Adekun

If SIC from management is working fine, you can use cprid_util from management to execute any command(s).

Kind regards,
Jozko Mrkvicka
0 Kudos
Olusegun_Adekun
Contributor
‎2024-01-19 10:11 AM
In response to JozkoMrkvicka

Ok will try it.

Thanks

Olu

0 Kudos
Olusegun_Adekun
Contributor
‎2024-01-22 08:46 AM
In response to Oliver_Fink

Hi Oliver, a quick question please. Which command did you use to login from Active to the Standby.

ssh username@ip address - Is this correct

Thanks

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-01-22 04:56 PM
In response to Olusegun_Adekun

Thats it...example:

ssh admin@10.10.10.11

Best,

Andy

Best,
Andy
0 Kudos
Olusegun_Adekun
Contributor
‎2024-01-23 03:45 AM
In response to the_rock

Thanks Legend. Much Appreciated.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-01-23 04:38 AM
In response to Olusegun_Adekun

For you, no charge ; - )

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-01-23 05:21 AM
In response to Olusegun_Adekun

By the way, forgot to mention, to me, appears that based on the output in your original post, clearly if the other member shows as lost, then clustering is broken. Can you check below commands:

cphaprob -a if

cphaprob -i list

cphaprob -l list

cphaprob syncstat

Best,

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events