This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex-
Leader Leader
Leader
‎2020-03-02 02:15 AM

R80.30 VSX 3.10 IPS update failure on secondary member

I've deployed new 26000T appliances running R80.30 3.10 and the latest hotfix in VSX mode (SMS).

Some VS have a variety of security blades enabled but all have at least IPS. I've noticed all secondary members VS are reporting an error on the IPS blade specifically with the following message:

Error: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://updates.checkpoint.com/WebService/services/DownloadMetaDataService"). Check connectivity and proxy settings.

 

Other security blade like Anti-Virus and Anti-Bot are not complaining and are green in both members with a successful update status and versioning.

If I VSLS some VS to the second member, the issue remains for IPS only but with cluster members inverted.

Of course, this means I have all my VS in red in the Smart Console.

I've followed sk43807 but none of the solutions work. Everything runs on R80.30 with the latest GA Take (140).

As it's only happening with IPS updates, I believe it's linked to some specific configuration bits but for now I've been unable to solve this. Anyone else experienced this or should I go to TAC? 

0 Kudos
6 Replies
Maarten_Sjouw
Champion
Champion
‎2020-03-02 03:15 AM

The problem you are seeing is caused by the issue that all traffic originating from a cluster member is hidden behind the Cluster IP.
I really still do not understand why this is an option when you set a cluster to VRRP but it needs fwkern options to change this behavior for ClusterXL. See sk34180

Regards, Maarten
Alex-
Leader Leader
Leader
‎2020-03-02 04:34 AM
In response to Maarten_Sjouw

All VS have the "fold" attribute set to True, which I understand this is what you want to do to avoid seeing VSX internal cluster addresses. 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-03-02 04:37 AM
In response to Alex-

Don't forget that a number of things are done from VS0 not from the VS itself. I would expect IPS to be done from the VS0 level and then distributed to all VS's.
So make sure VS0 has internet access and DNS configured.
Regards, Maarten
0 Kudos
Alex-
Leader Leader
Leader
‎2020-03-02 06:51 AM
In response to Maarten_Sjouw

Thanks for your insight, I will continue looking at this. I've seen now that if I switch over a VS to Member B, IPS alarm disappears on both.

LucasCosta
Participant
‎2020-03-02 07:05 AM

Hi,

 

Is it the context  0 able to "telnet" the internet ? (telnet google.com 443) for exemple. I already had this issue and changing the parameter from sk43807 did not work.

 

I always use sk65341 (Regular gateway) to solve this issue. Please use sk111786 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...) because you do have VSX. 

 

Remember always to close all the SmartConsole sessions. You can confirm that with "cpstat mg" command in MGMT

 

0 Kudos
_Val_
Admin
Admin
‎2020-03-02 07:17 AM

It is clearly a connectivity issue. Both cluster members should be able to reach out to Internet, no matter active or standby.

Most probably your VS0 on the standby is exiting to Internet with the VIP of the cluster. Look here for resolution: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top