Does upgrading to R80.10 result in IPsec failing?
Dear Everyone,
I have two CP15600 GWs (set up as high availability) and one VM (SMS).
Last month I upgraded the R77.30 SMS to R80.10 (I upgraded using "Upgrade").
However, the status of the HA often changes (active and standby).
In the Standby status, the "Standby" GW cannot ping 8.8.8.8, cws.checkpoint.tw and other websites, but can ping the sync IP and the VIP (HA).
In the Active status, the "Active" GW can ping 8.8.8.8, cws.checkpoint.tw, the sync IP and other websites, but you cannot ping the VIP (HA).
The same is true when the status of the GW changes.
As the status changes, the error changes. The Standby's error is as follows:
In addition, I found that IPsec cannot be used and cannot establish a connection with the peer.
I tried some troubleshooting methods as follows.
1. sk83520 How to check connectivity to CP. Confirmed that the problem is not a cloud connection.
2. sk97587 https://www.51sec.org/2015/07/checkpoint-standby-cluster-member-interface-not-reachable/ "invalid"
3. sk19423 Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureK... Select the 'Enable back connections' options. "invalid"
4. about offer_nat_t_initator (False-->True) "invalid"
5. sk40187 "Packet is dropped because there is no valid SA" log when Cluster drops packets "invalid"
6. vpn tu (7) Delete all IPsec+IKE SAs for a given peer "invalid"
Yesterday, I changed Phase 2 from AES256 to AES128. The error disappeared (only on the "active" GW),
but I still can't connect to the peer.
Currently, an SA (only one entry) can be seen in all IKE SAs listed in vpn tu (1) on GW1 & GW2, but sometimes it exists and sometimes it does not.
I do not know what to do. Rebuild IPsec or Client Tunnel? (PS: the peer device is Cisco)
Thank you all!
Well, first of all, I would open an SR with Support, with cpinfo files from each Security Gateway and the SMS.
While waiting for their answer, I would look for evidence in the debug files. Did you look at the VPN debug files?
VPN debug? Is that vpn tu?
Thank you.
No: I mean using sk33327 "How to generate a valid VPN debug, IKE debug and FW Monitor", skI4326 "Enabling IKE and VPN debugging" and sk30994 "What is the IKEView utility?"
