- Products
- Learn
- Local User Groups
- Partners
- More
CheckMates Fifth Birthday
Celebrate with Us!
days
hours
minutes
seconds
Join the CHECKMATES Everywhere Competition
Submit your picture to win!
Check Point Proactive support
Free trial available for 90 Days!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
The 2022 MITRE Engenuity ATT&CK®
Evaluations Results Are In!
Now Available: SmartAwareness Security Training
Training Built to Educate and Engage
MITRE ATT&CK
Inside Check Point products!
CheckFlix!
All Videos In One Space
Dear Everyone,
I have two CP15600 GWs (made high availability) and one VM (SMS).
Last month I upgraded R77.30 SMS to R80.10 (I upgraded using "Upgrade")
However, the status of the HA often changes. (active and standby)
In the Standby Status,"Standby"GW cannot ping 8.8.8.8 and cws.checkpoint.tw and other websites but can ping sync ip and VIP(HA)
In the Active Status, "active" of GW can ping 8.8.8.8 and cws.checkpoint.tw and sync ip and other websites, but you cannot ping VIP (HA).
The same is true when the status of GW changes.
As the status changes, Error will change, Standby's Error is as follows
In addition, I found that IPsec cannot be used and cannot establish a connection with the peer.
I tried some troubleshooting methods as follows.
1.sk83520 how to check connectivity to CP Confirm that the problem is not a cloud connection.
2. sk97587 https://www.51sec.org/2015/07/checkpoint-standby-cluster-member-interface-not-reachable/ "invalid"
3. sk19423 Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureK... Select the 'Enable back connections' options. "invalid"
about offer_nat_t_initator (False-->True) "invalid"
5.SK40187 "Packet is dropped because there is no valid SA" log when Cluster drops packets "invalid"
6.Vpn tu (7)Delete all IPsec+IKE SAs for a given peer "invalid"
Yesterday, I changed phase2 AES256 to AES128.Error disappeared(Only "active"GW disappear),
but I still can't connect to the peer.
Currently, SA (only one data) can be seen in all IKE SAs listed in GW1&GW2 VPN tu(1), but sometimes it exists and sometimes does not exist.
I do not know what to do. Rebuild IPsec or Client Tunnel? (PS: peer device is CISCO)
Thank you all !
Well, first of all, I would open a SR with the Support with cpinfo files from each Security Gateways and the SMS.
Waiting their answer, I would look at some evidence onto debug files. Did you looked at VPN debug files ?
VPN debug? is vpn tu?
Thank you.
No : I mean using sk33327 How to generate a valid VPN debug, IKE debug and FW Monitor, skI4326 Enabling IKE and VPN debugging and sk30994 What is the IKEView utility?
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY