Wolfgang
Authority

Enable IPv6 on Maestro

How to enable IPv6 on Maestro?

In gclish: "set ipv6-state on", save and reboot. Is it possible to do the reboot one appliance at a time in the security group, or must the whole security group be rebooted?

Doing it with only one appliance at a time causes no traffic disruption.

0 Kudos
8 Replies
_Val_
Admin

Not sure it was tested, but you can reboot one by one with the reboot -b command. Please note, you have to start your reboots from SMO. So, SMO should be first.

I suggest testing it before going live. Enabling IPv6 will change CoreXL instances on the appliance.

0 Kudos
Lari_Luoma
Ambassador

I agree with Val. I think you can enable it one by one, but better to verify first that everything works as planned.

0 Kudos
Wolfgang
Authority

Yesterday we tried to enable IPv6 with no success. After enabling IPv6 via gclish => "set ipv6-state on" we restarted one of the appliances, but this ended up in a boot loop:

Oct 12 16:24:26 2022 Firewall-XXX-ch01-02 kernel: [fw4_0];Global param: operation failed: Unknown parameter (param name fwha_mbs_reboot_notify),

Oct 12 16:24:28 2022 Firewall-XXX-ch01-02 shutdown[77256]: shutting down for system reboot

 

We did not have any time for troubleshooting; we switched IPv6 off and everything was fine. At the moment we are investigating the logs. Has anyone enabled IPv6 in a Maestro environment?

0 Kudos
Wolfgang
Authority

@Lari_Luoma and @_Val_ and the community,

After enabling IPv6, the reboot of one security group member was followed by a crash of the whole Maestro environment and a subsequent discussion with TAC...

Following the Gaia R81.10 Administration Guide (System Configuration) ("After you enable or disable IPv6 on a Security Group in a Scalable Platform, you must reboot all the Security Group Members at the same time"), we had to reboot the whole Security Group to enable IPv6.

This indicates a complete downtime for the Maestro environment, meaning approximately 30 min with no traffic flow. Very bad behaviour for a highly available scalable environment. We and our customer are not happy with that solution.

Yes, we could enable IPv6 before deployment, but we don't want to enable features from the beginning we don't need.

_Val_
Admin

I am sorry to hear that. Could you please provide me your TAC case via PM?

0 Kudos
Gojira
Collaborator

Hey, any idea if this is fixed or still the case?


Thanks
Juan

0 Kudos
Wolfgang
Authority

@Gojira there's still a need for a reboot of all appliances of the complete Maestro solution. And additionally there are still limitations if you want to change something regarding the IPv6 configuration. See my post https://community.checkpoint.com/t5/Maestro/IPv6-on-Maestro-a-nightmare/m-p/169862#M1414

Gojira
Collaborator

Sounds like a non-goer for me

Thanks for the info

0 Kudos