This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
tavi0906
Contributor
‎2023-02-19 05:56 PM

Cluster disconnect from the New Management after 5-10min

weekend we migrated the HA gateway from a old management server to a new management (locate at different location)

 

Old management = OLD IP address

New Management = NEW IP address (At different location)

 

We have re-established SIC (OK)

We have installed policy from the New Management to the HA Cluster (OK)

The Cluster disconnect from the New Management after 5-10min, logs still incoming from the Cluster.

Test SIC failed, unbale to push policy to the Cluster.

 

This are the error shown:

ckpSSL_fwasync_connected: no connection err -1

ckpSSL GetErrorString: err_code is (-1)

ckpSSL_fwasync_connected: err_msg: (ckpssl timeout)

 

We unload the policy from the Cluster and push policy, it back to normal again, but after 5-10, the connections break again.

 

We couldn't see any deny logs from the SmartConsole.

We change the anti-spoofing from blocking mode to detect mode then the connections between Management and Cluster are stable, but we couldn't see any log drop by anti-spoofing.

4 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-02-19 07:24 PM

Please confirm the versions & JHF used for both new and old components and is each happily sync'd with NTP for their time?

CCSM R77/R80/ELITE
tavi0906
Contributor
‎2023-02-19 09:05 PM
In response to Chris_Atkinson

version R80.40 take 180

 

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2023-02-19 10:26 PM
In response to tavi0906

You write:
cut>>>
weekend we migrated the HA gateway from a old management server to a new management (locate at different location)
<<<cut

Do you have completely implemented the following SK's?

How to change the IP Address of a Security Management Server? 
How to renew SIC after changing IP Address of Security Management Server  

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
tavi0906
Contributor
‎2023-02-20 05:59 PM
In response to HeikoAnkenbrand

We change the anti-spoofing from blocking mode to detect mode then the connections between Management and Cluster are stable, but we couldn't see any log drop by anti-spoofing

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events