Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Stephan_Lache
Participant

Policy installation stucked at 50%

Dear Checkmates,

i have the following environment and issue:

Existing SMS:R81.10 HFA Take 66

New Gateways 6200 Appliances: R81.10 Take 79

I am already managing one Cluster with this SMS and now i need to mange a second Cluster.

I have configured the new cluster object , and created a new policy package.

Then i try to install the policy and the installation stops at 50% without any error message.

Could this be the case because of the different HFA versions ?

 

Silly question:

Is it normal that the newly created  Gateway and Cluster objects are appearing with error state

in Smart Console and should change to OK only after the policy installation?

 

Any help is appreciated.

Thanks

Stephan

 

0 Kudos
13 Replies
the_rock
Legend
Legend

No, its definitely not normal new cluster would have that state. I had done this many times before and never an issue. And no, jumbo take makes no difference. I, at one point, had R81.10 sms on lowest take and cluster on latest available take and it still worked fine. Ok, few things I would confirm before hand, lets begin with basics:

-what is fw stat output when you run it on gateways?

-can you ping mtmt <=> gateways and other way around?

-does SIC work fine?

-what about topology? Can you get interfaces WITH and WITHOUT topology?

Andy

0 Kudos
Stephan_Lache
Participant

Hey Andy,

thanks for your reply.

I will do a " fw stat" first thing in the morning.

The SIC was ok and i was able to get the interfaces with topology.

I did not try it without topology .

So, you mean that the cluster and gateway objects should be in OK status ,even i did not yet install the policy!?

What i have seen is that "cphaprob status" says "HA module not installed"

Then i did a "cphastart" but then each node  thinks it is the active node and as long as the

policy installation ( and with it the cluster configuration) does not work this state is not cleared, i think.

Thanks

Stephan

0 Kudos
the_rock
Legend
Legend

Ok, so, if you had NOT applied policy yet, they will have - sign most likely, I believe thats by default. See, cphaprob status, you can check it once policy works, BUT...before that, make sure clustering is enabled from cpconfig (look for option 6 or 7 I believe and make sure it says "disable cluster membership...")

Anyway, yea, check tomorrow and message me, we can do quick remote and fix it.

Have a good day!

0 Kudos
Stephan_Lache
Participant

Hey Andy,

very kind of you....i appreciate it!

I will go to the office now, and drop you a message how it goes.

 

Cheers

Stephan

0 Kudos
Stephan_Lache
Participant

Hey Andy,

 i am still facing the same issue, after a new creation of the cluster object.

When i try to install the policy i can see that 2 installation tasks are running...see screenshot.

There is no progress with the policy installation.

It stops at 50%

Do you have an ideas?

Thanks

Stephan

0 Kudos
_Val_
Admin
Admin

@Stephan_Lache please look into sk170475 and let me know if it helps. 

0 Kudos
Stephan_Lache
Participant

Hi _Val_,

thanks for your reply.

We have enough free disk space .

 

Thanks

Stephan

0 Kudos
the_rock
Legend
Legend

What time zone are you in? Im in EST (GMT -5), should be free I hope after 10.30 am or so if that works. I can message you directly.

0 Kudos
Stephan_Lache
Participant

Hi,

now we figured out that during the policy installation process the connectivity

from SMS to the gateways is lost.

It seems to be the issue "policy installation task is stuck in the system" from SK170475

 

0 Kudos
_Val_
Admin
Admin

Hey, I suggested SK from the start, did not I? And you said you have enough space 🙂 What is that then?

0 Kudos
Duane_Toler
Advisor

Is your management behind NAT?  You may need to edit $FWDIR/conf/masters on the gateway (or use GUIDBedit to tell the gateway to not overwrite $FWDIR/conf/masters each time, then manually edit the file to instead define the NAT IP of your management).

Check sk10271 and sk146112.

 

the_rock
Legend
Legend

I think you missed a digit in the first article, but yes, I recall those SKs, very valid point actually.

Andy

sk102712

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
_Val_
Admin
Admin

And you checked it on the GW, correct? Also, is policy actually installed on the GW or not? You can see the installation timestamp via fw stat. 

 

In any case, to fix it, please open a TAC call.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events