This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ramon_JIMENEZ1
Explorer
‎2017-11-03 02:27 AM

Failed to connect to the peer

Hi guys, I'm asking here because it was suggested in the forums.

We recently inherited a Checkpoint infra and we just realized that,  in the Management High Availability, the Secondary server is not reachable.

I've tried some workarounds found in the forums to no avail so far:

-cpstop in primary and secondary, delete contents of %fwdir%\conf\mgha, cpstart

-copy (possibly corrupted) $FWDIR/conf/refs.c file from primary

-Install Database on Secondary

There is no NAT as suggested in some SK articles (both servers are in the same vlan)

Platform is Windows, R77.20

Any help is welcome.

Kind regards,

Alberto

0 Kudos
9 Replies
Paul_Warnagiris
Advisor
‎2017-11-03 05:07 AM

What do you mean by "its not reachable?"  By the management client?  If so and you can ssh to it perform a cpwd_admin list and see if the processes are terminated.  It may be easiest and quickest to just re-image the box and re-sync.

0 Kudos
Ramon_JIMENEZ1
Explorer
‎2017-11-06 01:15 AM
In response to Paul_Warnagiris

HA-Screenshot

Hi Paul,

here is the output of cpwd_admin list:

APP        PID    STAT  #START  START_TIME             MON  COMMAND

CPD        3176   E     1       [19:35:48] 2/11/2017   Y    cpd

FWD        3736   E     1       [19:35:55] 2/11/2017   N    fwd -n

FWM        0      T     0       [08:44:43] 6/11/2017   N    fwm

STPR       3824   E     1       [19:35:55] 2/11/2017   N    status_proxy

DBSYNC     4084   E     1       [19:35:58] 2/11/2017   N    dbsync

SVR        3888   E     1       [19:36:00] 2/11/2017   N    SVRServer.exe

LC_10.94.59.227 3044   E     1       [19:36:03] 2/11/2017   N    log_consolidator.exe -R -s 10.94.59.227
CPSEMD     0      T     0       [09:44:55] 6/11/2017   N    cpsemd

CPSEAD     3228   E     1       [19:36:03] 2/11/2017   N    cpsead

CPWMD      4288   E     1       [19:36:05] 2/11/2017   N    cpwmd -D -app SmartPortal
CPHTTPD    4336   E     1       [19:36:05] 2/11/2017   N    cp_http_server -f 'C:\Program Files\CheckPoint\R77\SmartPortal\R77\SmartPortal\conf\cp_httpd_admin.conf'
CP3DLOGD   4432   E     1       [19:36:06] 2/11/2017   N    cp3dlogd

Answering your question, the Secondary management server and the Primary are having issues to see each other (please take a look at the screenshot)

Regarding the strategy to rebuild the box;  if it comes to that, I guess we'll have to do it. I just want to try to fix this, if possible, in a less agressive way.

Thank you,

Alberto

0 Kudos
Paul_Warnagiris
Advisor
‎2017-11-06 06:33 AM
In response to Ramon_JIMENEZ1

The upgrade is non-aggressive and definitely the best path forward.  IMHO.  GaIA is definitely worth looking into as well.  It eliminates all of the Windows problems...

0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2017-11-03 05:23 AM

I recommend upgrading to R77.30 (or R80.10) with the latest Jumbo Hotfix first, because R77.20 is not supported anymore.

0 Kudos
Ramon_JIMENEZ1
Explorer
‎2017-11-06 01:17 AM
In response to Danny

Hi Danny, thank you for your answer.

Does the upgrade to R77.30 involve any change in the agents at all? We cannot affor that just now.

Kind regards,

Alberto

0 Kudos
Paul_Warnagiris
Advisor
‎2017-11-06 06:32 AM
In response to Ramon_JIMENEZ1

In your output to me your FWM process is terminating.  The best bet is really to upgrade to 77.30 because if you had to call support for your problem right now its not supported.  Why its terminating though IMHO is not worth worrying about because likely a fresh install of 77.30 will fix your problem.  77.20>>>77.30 is an easy upgrade.  77.30 should work with all of your earlier FW releases unless your firewalls are super old.  

FWM        0          0       [08:44:43] 6/11/2017   N    fwm <--- shows FWM terminated

Looking at the 77.30 release notes these GWs are still able to be managed from 77.30

NGX R65 R70, R70.1, R70.20, R70.30, R70.40, R70.50 R71, R71.10, R71.20, R71.30, R71.40, R71.50 R75, R75.10, R75.20, R75.30, R75.40, R75.45, R75.40VS, R75.46, R75.47, R76, R77, R77.10, R77.20, R77.30.

However, I would recommend you consult 77.30 release notes and validate for yourself.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-11-06 06:49 AM
In response to Ramon_JIMENEZ1

I'm not sure what you mean by agent, but we're not talking about upgrade the gateways here, which might involve upgrading more components.

As others have mentioned, R77.20 is End of Life and no longer supported.

It's strongly encouraged that you upgrade your gateways and management to supported versions.

R77.30 is the last release where it is supported to run Security Management on Windows.

From R80 onward, Windows is no longer a supported OS for Security Management.

0 Kudos
Vladimir
Champion
Champion
‎2017-11-03 06:21 AM

Since it is a secondary management server that is already not working, you can simply rebuild the Windows server. Reinstall the R77.20 as a secondary management server specifying new SIC activation key in the process.

Bring the HFAs to the same exact level as primary.

Reinitialize SIC on the secondary management object in the SmartDashboard.

Perform manual synchronization from "Policy/Management High Availability".

If successful, test the fail-over process.

This being said, I agree with Danny Jung: you are probably better off taking this opportunity to migrate to R77.30, preferably running on Gaia.

More headache in the short run, but definitely a better strategy. 

0 Kudos
Ramon_JIMENEZ1
Explorer
‎2017-11-06 01:19 AM
In response to Vladimir

Thank you for your Answer Vladimir.

Looks like a good idea to start with. However, for the second part, we'd rather not touch this infra if possible. And Gaia is definetively not in the map 🙂

Kind regards,

Alberto

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events