Solved: Re: Log-server Disconnected

Blason_R · ‎2021-09-02

Hi Team,

I am facing this weird issue; I upgraded my hardware from 4000 series to 6000 series and upgraded versions as well. My management server was already upgarded and recently I upgraded hardware of firewall as well as version from R77.30 to R80.40.

However after upgradation my logs are completely stopped and here is I am getting in fwd.elg

[FWD 17769]@xxx-CPFW_02[3 Sep 10:36:30] 10:36:30: srv_disconnected: change xx.xx.10.2 status to Status ERROR description: Log-Server Disconnected
log_connected: connect to '192.168.10.2' failed
[FWD 17769]@xxx-CPFW_02[3 Sep 10:37:35] 10:37:35: srv_disconnected: change xx.xx.10.2 status to Status ERROR description: Log-Server Disconnected

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

Blason_R · ‎2021-09-03

Nah - I resolved on my own. This was an issue with $FWDIR/conf/masters file and I observed that attribute was changed to +i

I changed to -i and rebooted the gws

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

View solution in original post

Tal_Paz-Fridman · ‎2021-09-03

Hi

Perhaps this might help (even if the issue seems a bit different):

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Basically, perform Install Database on the Security Management Server (Log Servers)

Otherwise contact TAC

Thanks

Blason_R · ‎2021-09-03

Nah - I resolved on my own. This was an issue with $FWDIR/conf/masters file and I observed that attribute was changed to +i

I changed to -i and rebooted the gws

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

the_rock · ‎2021-09-04

Would you mind please telling me what exact attribute that is? I have exact same errors in fwd.elg and logging is failing, but cant see any +i option in masters file...thanks in advance.

Best,
Andy

Blason_R · ‎2021-09-05

May be it could be something else for you. But to check attribute

lsattr $FWDIR/conf/masters

Also if you can check what are the contents of masters file?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

the_rock · ‎2021-09-05

I think you are probably right...below is what I get

lsattr $FWDIR/conf/masters
---------------- /opt/CPsuite-R81/fw1/conf/masters

Best,
Andy

the_rock · ‎2021-09-05

Funny thing is, content was default mgmt name and logging was fine for a while, then it stopped with no changes...I ended up changing masters file to mgmt IP address in all fields and then logging started and worked for 2 weeks and then stopped again, so its a bit puzzling as to why this keeps happening.

Best,
Andy

PhoneBoy · ‎2021-09-05

That’s the immutable flag, a file attribute at the OS level.
It prevents the file from being overwritten.
Which that file is on policy install: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

the_rock · ‎2021-09-07

Funny thing is, never had to do that sk before (at least from what I can remember), but followed it and also changed masters file to reflect mgmt IP and not the name and that worked. Whether that solution will last, remains to be seen : )

Best,
Andy

Matlu · ‎2025-05-24

Hello, @Blason_R
One can be able to read binary files oneself?
Or is it necessary to scale these cases to TAC?
I have a “log-server disconnected” problem and I would like to know what is inside the files, without impacting the box services.
Is this possible?

[Expert@FWCP-LV:2]# grep -i "log-server disconnected" $FWDIR/log/fwd.elg*
Binary file /opt/CPsuite-R81.20/fw1/CTX/CTX00002/log/fwd.elg.5 matches
Binary file /opt/CPsuite-R81.20/fw1/CTX/CTX00002/log/fwd.elg.6 matches
Binary file /opt/CPsuite-R81.20/fw1/CTX/CTX00002/log/fwd.elg.7 matches
Binary file /opt/CPsuite-R81.20/fw1/CTX/CTX00002/log/fwd.elg.8 matches
[Expert@FWCP-LV:2]#

Thanks!

PhoneBoy · ‎2025-05-27

These files can be reviewed without impacting services.
.elg files are not supposed to be "binary" files, though...

Are you a member of CheckMates?

Log-server Disconnected