This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gabriel_Briones
Participant
‎2018-11-18 08:18 PM

R80.10 Management Synchronization is not working

===========================================

Check Point Management Version (R80.10 with HFA 70)

===========================================

1. Primary/Active management's lv_current partition utilization becomes 100%

2. Secondary/Standby management was promoted to Secondary/Active and we've been using the secondary management to create firewall rules since.

3. Clear up files on Primary/Active (now Primary/Standby).

4. Tried synchronizing the Secondary/Active with Primary/Standby but fails with error "Synchronization error: NGM failed to retrieve last publish time"

5. Situation has been like this for a couple of months now and we can't synchronize the management.

6. A couple of steps has been carried out as advised by Check Point support including the following but none of them works
clear Smart Console Cache
clear $FWDIR/conf/mgha/*
reset SIC
install policy/database
cpstop and cpstart

7. Check Point support advised us to rebuild the primary which we did, we install a fresh R80.10, apply the relevant HFA and restore the database. Unfortunately migrate export on Secondary Management is not supported so we need to use what ever is the last backup on the primary. Tried synchronizing again but we still face the same issue.

8. Currently, we can still use the now Secondary/Active management but we can't create a backup of the database and it just a matter of time before this active management encounters issue.
9. From Gaia, i've created a snapshot of the secondary/active management and restore it in my lab setup, install another R80.10 management which acts as a primary and I've managed to replicate the issue.

10. On the lab, I've tried doing a "promote_util" on the Secondary/Active management but it keeps on generating a core dump. Tried resetting the SIC, clear cache, revoke certificate but none of them works. I even install the latest HFA (Take 154) and repeat all the steps I could think of to restore the synchronization but it doesn't work as well

11. The case is now with the R&D and we're still waiting for a possible solution to our issue. An OVF template of both the primary and secondary management has also been provided.

12. I seems to be running out of options and would like to seek some help from this forum

6 Replies
PhoneBoy
Admin
Admin
‎2018-11-18 09:26 PM

You're definitely in the territory where R&D needs to be involved.

What SR is this in relation to?

Feel free to send it to me in a private message.

Did you submit the core dump from promote_util via your TAC case?

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-11-18 11:55 PM

Out of my experience, this is the big drawback of Management HA - if the primary is distroyed, the secondary may be unable to take the role of the primary. Only a snapshot / backup of the primary management will help. In R7x.xx you also did loose all database revisions that were stored on primary only. I assume that you have also tried the promote_util alternative from sk114933 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Gabriel_Briones
Participant
‎2018-11-19 01:49 PM

Hi Dameon / Gunther,

 Thank you for your response. I really appreciate it.

I did tried the "promote_util" only on the lab but it keeps on giving me a core dump. And i'm not too confident to try it on my production box.

I noticed though that when I do the command 'cpprod_util FwSetPrimary 1' on the Secondary/Active management, I am able to perform a 'migrate export' and able to restore the exported backup successfully to the Primary/Standby. But I notice though after the restoration that port 18190 is not running on the Primary/Standby and I can't connect using SmartConsole.

Dameon,  case number has been sent via private message. I haven't given the core dump to the support as it's from my lab.

0 Kudos
Gabriel_Briones
Participant
‎2018-11-19 03:30 PM

It turns out, the trick of running 'cpprod_util FwSetPrimary 1' on the Secondary is being suggested by Check Point as per the sk65360.

But i'm still stuck at not being able to connect via SmartConsole when I restore the database from Seondary to my primary

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-19 08:42 PM
In response to Gabriel_Briones

I didn't see that particular suggestion in the TAC case you sent me.

But what that trick does is allows a migrate export to complete from the secondary (which is normally not supported).

It could be useful in rebuilding or troubleshooting.

0 Kudos
Kian_Ong_Tan
Explorer
‎2019-04-05 06:43 AM
In response to PhoneBoy

May I know where this leads to in the end? I am facing the exactly same scenario here

 

Thanks. 

Regards. 

KianOng

0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events